On Wed, Mar 2, 2016 at 2:37 PM, Ingo Baab <[email protected]> wrote:
> Hello LXC-Users,
>
> I just started to experiment with LXC/LXD and now I am looking for a good
> starting point (some kind of "cookbook") to get UN-privileged containers
> managed. I am a little confused by lxc versus the (older?) lxc-* commands.
> Are they "different systems"? How are they related?

The legacy lxc-* utilities are a separate system. In my opinion the "lxc" command is very, VERY poorly named, because it actually serves as a client for lxd, which is a userspace layer on top of the base lxc (which is built on a whole set of kernel features, and some very low level support). I'd call it lxd-client or lxdc or something *other than* "lxc", unless the long-term plan is to deprecate all the lxc userspace utilities in favor of lxd's client utility and subsume lxd into the lxc project as the supported way forward.

The legacy utilities manage container storage and metadata differently than the lxd system does. The data is in different directories and stored in incompatible formats.

>
> I need:
> - A Cookbook for securing LXC

The cookbook for securing LXC is basically to use *LXD* (through, confusingly, the lxc command) and run unprivileged containers. In theory, the latest version of LXD on an OS with it fully integrated into the distro (like the upcoming Ubuntu 16.04) should be pretty secure.

...Though if production-grade, multi-tenant boxes where the tenants are mutually untrusting is part of your use case, you might want to seriously consider holding off on lxd until at least a few CVEs have been filed against it. Given the codebase size, probability favors at least a few vulns that will probably be shaken out over time.

> - How are (the older) lxc-* and lxc/lxd related?
>
> Thank you in advance,
> Ingo Baab
>
> _____
> Already read here and there..
> https://wiki.ubuntu.com/LxcSecurity
> https://help.ubuntu.com/lts/serverguide/lxc.html#lxc-security
> https://linuxcontainers.org/lxc/security/
> https://www.sans.org/reading-room/whitepapers/linux/securing-linux-containers-36142
> _______________________________________________
> lxc-users mailing list
> [email protected]
> http://lists.linuxcontainers.org/listinfo/lxc-users
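
The reply above recommends running unprivileged containers. As an added example (not code from this thread or from the LXC/LXD projects), the check below shows what that means on the host: container root must not translate to host uid/gid 0. It assumes the Linux `/proc/<pid>/uid_map` and `gid_map` line format `inside-id outside-id count`; the function names and sample maps are constructed for illustration.

```python
# Added example: decide from user-namespace ID maps whether a container's
# root is real root on the host. Function names are hypothetical.
from pathlib import Path

def parse_id_map(text):
    """Parse uid_map/gid_map text into (inside, outside, count) tuples."""
    ranges = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed id map line: {line!r}")
        inside, outside, count = (int(f) for f in fields)
        ranges.append((inside, outside, count))
    return ranges

def host_id(ranges, inside_id):
    """Translate an ID seen inside the namespace to the host ID, or None if unmapped."""
    for inside, outside, count in ranges:
        if inside <= inside_id < inside + count:
            return outside + (inside_id - inside)
    return None

def is_unprivileged(uid_map_text, gid_map_text):
    """True only if neither container uid 0 nor gid 0 translates to host ID 0."""
    uid0 = host_id(parse_id_map(uid_map_text), 0)
    gid0 = host_id(parse_id_map(gid_map_text), 0)
    return uid0 != 0 and gid0 != 0

def check_pid(pid):
    """Check a live process (e.g. a container's init PID), read from the host's
    initial user namespace so the 'outside' column holds real host IDs."""
    proc = Path("/proc") / str(pid)
    return is_unprivileged((proc / "uid_map").read_text(),
                           (proc / "gid_map").read_text())

# Constructed sample maps (not taken from the thread).
PRIVILEGED_MAP = "         0          0 4294967295\n"    # identity map: root is host root
UNPRIVILEGED_MAP = "         0     100000      65536\n"  # container root is host uid 100000

if __name__ == "__main__":
    print("identity map unprivileged?", is_unprivileged(PRIVILEGED_MAP, PRIVILEGED_MAP))
    print("shifted map unprivileged? ", is_unprivileged(UNPRIVILEGED_MAP, UNPRIVILEGED_MAP))
```

A container whose uid map is shifted but whose gid map is still the identity map is reported as not unprivileged, since its root group is still the host's root group.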
