[lxc-users] LVM backend: Need to wipe blocks?

Linus Lüssing linus.luessing at c0d3.blue
Thu Feb 8 20:13:26 UTC 2018


Hi!

A couple of days ago I managed to set up LXC with LXD, hurray!
And it works great so far, many thanks.

I have created and assigned an LVM thinpool volume to LXD. Now I
have a few questions regarding data access security:


1) Within the unprivileged container I see a mount point of a block
device to '/'. Are raw block accesses to this device from within
a container denied? Is it ensured that even the (mapped, inner)
root user will only access data on a file basis?

2) Any file created within the container will always contain data
created from within this container only? Say, the (mapped, inner)
root user will not be able to create a file which will then
suddenly contain data which was used in another, but now deleted
container or LVM volume?

3) Are LVM extents added to the thinly provisioned volume wiped
before they are handed over to the container?

4) Are LVM extents which were deleted via the ext4 discard option
from within the container wiped before being added back to the
thinpool again?


Hope these questions are not too "amateurish". But I'm really
curious whether I'm making wrong assumptions on how LXD and LVM
work. Or if I were concerned about such security I'd have to use a
normal and not thinly provisioned LVM volume and would need
to wipe data manually before (re)assigning and resizing volumes.

Regards, Linus

