Thanks for your input.
So basically, if I can define cgroup.limits, drop capabilities, etc., I shall have about the same security as with Ubuntu?

JFL


On 27/03/2013 01:32, Fajar A. Nugraha wrote:
On Wed, Mar 27, 2013 at 10:56 AM, Jean-François Leroux <leroux.jeanfranc...@gmail.com> wrote:

    Hi all,
    I'm rather new to LXC (although I've been using it for two years now)
    and have some questions about security. I know many of these have been
    discussed in various websites, but I'd like to get advice from real
    users - and many articles I've read may be outdated.

    1) I've read that lxc wasn't secure because anyone with root access on
    the container might have access to the host. Is it true with ssh access
    (I mean no console)?


Distros like Ubuntu overcome that problem using cgroups limits, capability drop, and AppArmor. When set up properly (e.g. created using the default template with the distro-bundled kernel and tools), AFAIK it should be secure enough.

Note that the above might not apply to a manual installation, for example if you install lxc on top of CentOS 6 with a custom kernel and a hand-made container config file.

    2) Which capabilities would you drop for web servers where users have
    www-data access?


No idea. The defaults work for me.

    3) What are/would be the danger of running lxc in production servers?


I'd say it's roughly the same "danger" as running your production servers on top of any virtualization product.

    Many thanks for your input. :-)

    JFL

    PS: I'm planning on running lxc (squeeze) containers inside debian
    hosts.


I'd suggest Ubuntu instead. It's more integrated and easier. Of course, if you're familiar enough and know how to make the necessary changes, any distro will do.

--
Fajar

_______________________________________________
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users
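
An audit of a hand-made container config for the three controls named in the reply above (cgroup limits, capability drop, AppArmor), added here as an example and not part of the original thread. The sample config is constructed; key names assume the LXC 0.9/1.x spellings (`lxc.aa_profile`, `lxc.cgroup.*`), with the newer `lxc.apparmor.profile` and `lxc.cgroup2.*` also accepted.

```python
"""Audit an LXC container config for cgroup limits, capability drop and AppArmor."""

# Constructed sample config (not from the thread). Key names are the LXC 0.9/1.x
# spellings; newer releases use lxc.apparmor.profile and lxc.cgroup2.*.
SAMPLE_CONFIG = """\
# hand-made container config
lxc.utsname = web01
lxc.cap.drop = sys_module mac_admin
lxc.cap.drop = sys_time
lxc.cgroup.devices.deny = a
lxc.aa_profile = unconfined
"""

APPARMOR_KEYS = ("lxc.aa_profile", "lxc.apparmor.profile")
CGROUP_PREFIXES = ("lxc.cgroup.", "lxc.cgroup2.")


def parse_config(text):
    """Return {key: [values]}; LXC allows a key to repeat (e.g. lxc.cap.drop)."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        entries.setdefault(key, []).append(value)
    return entries


def audit(text):
    """Return a list of findings; an empty list means all checked controls are set."""
    cfg = parse_config(text)
    findings = []
    dropped = set()
    for value in cfg.get("lxc.cap.drop", []):  # an empty value resets the list
        dropped = dropped | set(value.split()) if value else set()
    if not dropped and not cfg.get("lxc.cap.keep"):
        findings.append("no capabilities dropped (lxc.cap.drop / lxc.cap.keep)")
    cgroup_keys = [k for k in cfg if k.startswith(CGROUP_PREFIXES)]
    if not any(".devices." in k for k in cgroup_keys):
        findings.append("no cgroup device restrictions")
    if not any(".memory." in k for k in cgroup_keys):
        findings.append("no cgroup memory limit")
    profiles = [v for k in APPARMOR_KEYS for v in cfg.get(k, [])]
    if not profiles:
        findings.append("AppArmor profile not set explicitly; depends on host default")
    elif profiles[-1] == "unconfined":
        findings.append("AppArmor profile is 'unconfined'")
    return findings
```

On the constructed sample, `audit(SAMPLE_CONFIG)` reports the missing memory limit and the unconfined AppArmor profile.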