[lxc-users] More secure container

T.C 吳天健 tcwu2005 at gmail.com
Wed May 10 06:33:55 UTC 2017


Fajar and Andrey,

I run lxc-1.0 on an embedded system and I don't have lxd on that platform
(i.e. I cross-compile lxc-1.0 from scratch; no prebuilt package is available).
And yes, I run the container with root privilege.

Can I have the features you mentioned, "use separate u/gid range for each
container" and "limits which device nodes (block and char) allowed in the
container", without lxd?

TC WU

2017-05-10 11:24 GMT+08:00 Fajar A. Nugraha <list at fajar.net>:

> On Wed, May 10, 2017 at 4:22 AM, Andrey Repin <anrdaemon at yandex.ru> wrote:
>
>> Greetings, T.C 吳天健!
>>
>> > It's said that a privileged container is insecure. For example, if a
>> > user in the container (suppose it's running a service toward the
>> > public) hacks the system with some kind of rootkit.
>>
>> This is not specifically correct. The road to compromising the container
>> is rather thorny.
>> Even if the container is privileged and the container owner has root
>> access inside the container, gaining any host advantage would be hard if
>> not impossible, unless the host configuration is far from sane.
>>
>> > I am thinking of building a more secure container. The first idea is to
>> > use an unprivileged container; the second is to apply cgroups to limit
>> > viewing of some sensitive /dev files. Any recommendations?
>>
>> LXD by default is "secure" in the sense that even if the container is
>> compromised, the effective UID the container user is running as has no
>> rights on the host.
>>
>>
> ... and there's also the option in lxd to use a separate u/gid range for
> each container (by default all unpriv lxd containers share the same u/gid
> range).
>
>
>
>> > Summary
>> > -use unprivileged container
>>
>> Right.
>>
>> > -cgroup to limit viewing of some /dev files
>>
>> Unnecessary in real-world applications.
>>
>>
> lxc and lxd already limit which device nodes (block and char) are allowed
> in the container.
>
> @T.C, what are your requirements/ideas that aren't already available in lxd?
>
> --
> Fajar
>
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users
>
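Both features discussed in the thread come from LXC itself, not from lxd: per-container uid/gid mapping is the `lxc.id_map` key, and device-node filtering is the devices cgroup driven by `lxc.cgroup.devices.deny` / `lxc.cgroup.devices.allow`. When lxc-start runs as root it writes the id map into /proc/PID/uid_map itself, so neither lxd nor the newuidmap/subuid machinery is required. The script below is an added example, not code from the thread or from the LXC project: it generates an lxc-1.0 config in which container number N gets its own disjoint host range (base 100000 + N*65536, a choice made here, not an LXC default) and every device node is denied except a minimal allowlist. The container name, rootfs path and the base/width of the ranges are assumptions.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the LXC project).
# Generates an LXC 1.0 config that:
#   (a) maps container uid/gid 0..65535 onto a per-container host range via
#       lxc.id_map, so root inside container N is an unprivileged uid on the
#       host and no two containers share a host uid;
#   (b) denies all device nodes in the devices cgroup, then allowlists the
#       handful a typical service needs (null, zero, full, random, urandom,
#       tty, console, ptmx, pts/*).
# ID_BASE and ID_RANGE are assumptions for this example, not LXC defaults.

ID_BASE=100000
ID_RANGE=65536

# idmap_for N -> the two lxc.id_map lines for container number N
idmap_for() {
    n=$1
    first=$((ID_BASE + n * ID_RANGE))
    printf 'lxc.id_map = u 0 %d %d\n' "$first" "$ID_RANGE"
    printf 'lxc.id_map = g 0 %d %d\n' "$first" "$ID_RANGE"
}

# host_uid N CUID -> the host uid that uid CUID inside container N maps to
host_uid() {
    echo $((ID_BASE + $1 * ID_RANGE + $2))
}

# device_rules -> deny-all first, then the explicit allowlist
# (c = char device, major:minor, rwm = read/write/mknod)
device_rules() {
    cat <<'EOF'
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
lxc.cgroup.devices.allow = c 1:7 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:2 rwm
lxc.cgroup.devices.allow = c 136:* rwm
EOF
}

# write_config N NAME ROOTFS OUT -> writes a complete config for container N
write_config() {
    n=$1; name=$2; rootfs=$3; out=$4
    {
        printf 'lxc.utsname = %s\n' "$name"
        printf 'lxc.rootfs = %s\n' "$rootfs"
        idmap_for "$n"
        device_rules
    } > "$out"
}

# Example use (paths are assumptions):
#   write_config 1 web /srv/lxc/web/rootfs /var/lib/lxc/web/config
#   lxc-start -n web
```

Two checks before relying on this on the embedded kernel: `lxc-checkconfig` (shipped with lxc-1.0) must report user namespaces and the devices cgroup as enabled, since without CONFIG_USER_NS the `lxc.id_map` lines are rejected and without the devices controller the `lxc.cgroup.devices.*` lines are silently useless. The rootfs must also be owned by the mapped range: uid 0 in container N has to become host uid `host_uid N 0` on disk (for container 1 above, 165536), so the rootfs tree needs its ownership shifted by that offset before first start, otherwise nothing inside is writable.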