[lxc-users] More secure container

Fajar A. Nugraha list at fajar.net
Wed May 10 03:24:05 UTC 2017


On Wed, May 10, 2017 at 4:22 AM, Andrey Repin <anrdaemon at yandex.ru> wrote:

> Greetings, T.C 吳天健!
>
> > It's said a privileged container is unsecured. For example, if a user in
> > the container (suppose it's running a service toward the public) hacks
> > the system with some kind of root kit.
>
> This is not specifically correct. The road to compromising the container is
> rather thorny.
> Even if the container is privileged and the container owner has root access
> inside the container, gaining any host advantage would be hard if not
> impossible, unless the host configuration is far from sane.
>
> > I am thinking of building a more secure container. The first idea is to
> > use an unprivileged container; the second is to apply cgroup to limit
> > viewing of some sensitive /dev files. Any recommendations?
>
> LXD by default is "secure" in the sense that even if the container is
> compromised, the effective UID the container user is running from has no
> rights on the host.
>
>
... and there's also the option in lxd to use a separate u/gid range for each
container (by default all unpriv lxd containers share the same u/gid range).



> > Summary
> > -use unprivileged container
>
> Right.
>
> > -cgroup to limit viewing of some /dev files
>
> Unnecessary in real-world application.
>
>
lxc and lxd already limit which device nodes (block and char) are allowed in
the container.

@T.C, what are your requirements/ideas that aren't already available in lxd?

-- 
Fajar
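Added example, not part of the thread: a POSIX sh audit over the text that `lxc config show NAME --expanded` prints, checking the settings discussed above (privileged vs. unprivileged, per-container uid/gid range via `security.idmap.isolated`, and raw host device nodes passed through as `unix-char`/`unix-block` devices). The helper functions and both sample configs are constructed for illustration; the config keys and device types are LXD's own.

```shell
# Hypothetical audit helper (not part of LXD). The two sample configs below
# are constructed: one "far from sane" setup and one hardened counterpart.
WEAK_CONFIG='config:
  security.privileged: "true"
devices:
  root:
    path: /
    pool: default
    type: disk
  disk0:
    path: /dev/sda
    source: /dev/sda
    type: unix-block
'
HARDENED_CONFIG='config:
  security.idmap.isolated: "true"
  security.privileged: "false"
devices:
  root:
    path: /
    pool: default
    type: disk
'

# Print the value of a top-level config key (quotes stripped), or nothing.
cfg_get() {  # $1=config text, $2=key
  printf '%s\n' "$1" | sed -n "s/^  $2: *\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p"
}

# 0 when the container is unprivileged (the default), 1 when privileged.
is_unprivileged() { [ "$(cfg_get "$1" security.privileged)" != "true" ]; }
# 0 when the container has its own uid/gid range instead of the shared one.
has_isolated_idmap() { [ "$(cfg_get "$1" security.idmap.isolated)" = "true" ]; }

# Number of raw host device nodes (unix-char / unix-block) passed through.
count_raw_devices() {
  printf '%s\n' "$1" | grep -cE '^    type: unix-(char|block)$' || true
}

# Print one line per finding; the return value is the number of findings.
audit_config() {
  n=0
  is_unprivileged "$1" || { echo "privileged container (security.privileged=true)"; n=$((n+1)); }
  has_isolated_idmap "$1" || { echo "shared uid/gid range (security.idmap.isolated not true)"; n=$((n+1)); }
  d=$(count_raw_devices "$1")
  [ "$d" -eq 0 ] || { echo "$d raw device node(s) passed through from the host"; n=$((n+1)); }
  return "$n"
}

audit_config "$WEAK_CONFIG" || echo "weak config: $? finding(s)"
audit_config "$HARDENED_CONFIG" && echo "hardened config: clean"
```

On a real host, feed it `lxc config show NAME --expanded` so profile-inherited settings are included.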