[lxc-users] More secure container
tcwu2005 at gmail.com
Wed May 10 06:33:55 UTC 2017
Fajar and Andrey,
I run lxc-1.0 on an embedded system and I don't have lxd on that platform
(i.e. I cross-compile lxc-1.0 from scratch; no prebuilt package is available).
And yes, I run the container with root privilege.
Can I have the features you mentioned, "use separate u/gid range for each
container" and "limits which device nodes (block and char) allowed in the
container", without lxd?
2017-05-10 11:24 GMT+08:00 Fajar A. Nugraha <list at fajar.net>:
> On Wed, May 10, 2017 at 4:22 AM, Andrey Repin <anrdaemon at yandex.ru> wrote:
>> Greetings, T.C 吳天健!
>> > It's said a privileged container is unsecured. For example, if a user in
>> > the container (suppose it's running a service toward the public) hacks the
>> > with some kind of rootkit.
>> This is not specifically correct. The road to compromising the container is
>> rather thorny.
>> Even if the container is privileged and the container owner has root access in
>> the container, gaining any host advantage would be hard if not impossible,
>> unless the host configuration is far from sane.
>> > I am thinking of building a more secure container. The first idea is to
>> > use unprivileged container; Second is apply cgroup to limit viewing of
>> > sensitive /dev files, and any recommendation?
>> LXD by default is "secure" in the sense that even if the container is
>> compromised, the
>> effective UID the container user is running from has no rights on the
> ... and there's also the option in lxd to use separate u/gid range for
> each container (by default all unpriv lxd containers share the same u/gid
>> > Summary
>> > -use unprivileged container
>> > -cgroup to limit viewing of some /dev files
>> Unnecessary in real-world application.
> lxc and lxd already limit which device nodes (block and char) are allowed in
> the container.
> @T.C, what are your requirements/ideas that aren't already available in lxd?
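As an added example (not part of the thread, and not lxc's own shipped config files): an lxc-1.0 style container config showing that both controls asked about exist in plain lxc without lxd. The 100000/65536 id range, the /etc/subuid and /etc/subgid lines, the device list and the capability list are assumptions for illustration.

```conf
# Added example, not from the thread. lxc-1.0 container config fragment.

# --- 1. Separate uid/gid range for this container (user namespace) ---
# Container ids 0-65535 are mapped onto host ids 100000-165535.
# The host root user must first be delegated that range, e.g. with
# these lines (assumed) in /etc/subuid and /etc/subgid:
#   root:100000:65536
# Give every container its own non-overlapping base (200000, 300000, ...),
# so that a process escaping one container owns no file or process of another.
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536

# --- 2. Device cgroup: deny everything, then allow a minimal set ---
# Only character devices are listed; no block device is allowed, so the
# container cannot open host disks even as uid 0 inside its namespace.
lxc.cgroup.devices.deny = a
# /dev/null, /dev/zero, /dev/full
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
lxc.cgroup.devices.allow = c 1:7 rwm
# /dev/random, /dev/urandom
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 1:9 rwm
# /dev/tty, /dev/console, /dev/ptmx
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:2 rwm
# /dev/pts/*
lxc.cgroup.devices.allow = c 136:* rwm

# --- 3. Drop capabilities a service container rarely needs ---
lxc.cap.drop = sys_module mac_admin mac_override sys_time
```

Two checks before relying on this on a cross-compiled kernel: run `lxc-checkconfig` and confirm user namespaces are enabled (CONFIG_USER_NS), since without them the lxc.id_map lines are rejected; and chown the container rootfs into the mapped range (container uid 0 is host uid 100000 here), otherwise the shifted root cannot read its own filesystem. With the device cgroup in place, a process inside the container that tries to open a host disk node gets EPERM regardless of its uid, and in the user namespace it cannot mknod a new one either.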