On 03/27/2013 01:49 PM, Jean-François Leroux wrote: > Thanks for your input. > So basically, if I can define cgroup.limits, drop capabilities, etc. I > shall have about the same security as with Ubuntu ? > > JFL
The main addition Ubuntu does to securing apparmor, outside of trying to lead the work to get user namespaces is the apparmor integration. You won't be able to get safe LXC containers if you don't have apparmor support in your kernel and use something based on the apparmor profiles we ship in Ubuntu. Assuming that just using cgroup limits and dropping capabilities will give you secure container is wrong, until we get user namespaces, you need something like apparmor before you can call a container as safe. I'm not sure what's the state of apparmor in Debian nowadays but last I checked, LXC in Debian wasn't shipping with the apparmor integration. > Le 27/03/2013 01:32, Fajar A. Nugraha a écrit : >> On Wed, Mar 27, 2013 at 10:56 AM, Jean-François Leroux >> <leroux.jeanfranc...@gmail.com <mailto:leroux.jeanfranc...@gmail.com>> >> wrote: >> >> Hi all, >> I'm rather new to LXC (although I've been using it for two years now) >> and have some questions about security. I know many of these have been >> discussed in various websites, but I'd like to get advice from real >> users - and many articles I've read may be outdated. >> >> 1) I've read that lxc wasn't secure because anyone with root access on >> the container might have access to the host. Is it true with ssh >> access >> (I mean no console)? >> >> >> Distros like Ubuntu overcome that problem using cgroups limits, >> capability drop, and apparmor. When setup properly (e.g. created using >> default template with distro-bundled kernel and tools), AFAIK it >> should be secure-enough. >> >> Note that the above might not apply on manual installation. For >> example, if you install lxc on top of Centos6 with custom kernel and >> hand-made container config file. >> >> >> 2) Which capabilities would you drop for web servers were users have >> www-data access? >> >> >> No idea. The defaults works for me. >> >> >> 3) What are/would be the danger of running lxc in production servers? >> >> >> I'd say it's roughly the same "danger" as running your production >> servers on top any virtualization products. >> >> >> Many thanks for your input. :-) >> >> JFL >> >> PS: I'm planning on running lxc (squeeze) containers inside debian >> hosts. >> >> >> I'd suggest Ubuntu instead. It's more integrated and easier. Of course >> if you're familiar-enough and know how to make the necessary changes, >> any distro will do. >> >> -- >> Fajar > > > > ------------------------------------------------------------------------------ > Own the Future-Intel® Level Up Game Demo Contest 2013 > Rise to greatness in Intel's independent game demo contest. > Compete for recognition, cash, and the chance to get your game > on Steam. $5K grand prize plus 10 genre and skill prizes. > Submit your demo by 6/6/13. http://p.sf.net/sfu/intel_levelupd2d > > > > _______________________________________________ > Lxc-users mailing list > Lxc-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/lxc-users > -- Stéphane Graber Ubuntu developer http://www.ubuntu.com
signature.asc
Description: OpenPGP digital signature
------------------------------------------------------------------------------ Own the Future-Intel® Level Up Game Demo Contest 2013 Rise to greatness in Intel's independent game demo contest. Compete for recognition, cash, and the chance to get your game on Steam. $5K grand prize plus 10 genre and skill prizes. Submit your demo by 6/6/13. http://p.sf.net/sfu/intel_levelupd2d
_______________________________________________ Lxc-users mailing list Lxc-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-users
