On Tue, May 15, 2012 at 10:22 AM, jeetu.gol...@gmail.com
<jeetu.gol...@gmail.com> wrote:
> Hi Fajar,
>
> Thanks for your response.
>
> I used the debian template and the config file does not (as far as I
> can tell) have any network related stanzas. Unfortunately this default
> behaviour led to the network stack being shared between the host and
> the container as pointed out by Matthijs.

On an Ubuntu host at least, AFAIK using the lxc templates will include
the network configuration from /etc/lxc/lxc.conf, which includes these
lines:

lxc.network.type=veth
lxc.network.link=lxcbr0
lxc.network.flags=up

>
> Therefore, I was wondering if there are any other namespaces I should
> explicitly isolate so as to prevent them being inadvertently shared
> between host and container.

Again, the resulting config file provides a good starting point. On an
Ubuntu precise host, using the ubuntu template denies ALL devices (which
should include the host's eth) to the guest container except the ones
specifically allowed:

#==========
lxc.cgroup.devices.deny = a
# Allow any mknod (but not using the node)
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
# /dev/null and zero
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
# consoles
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
#lxc.cgroup.devices.allow = c 4:0 rwm
#lxc.cgroup.devices.allow = c 4:1 rwm
# /dev/{,u}random
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 5:2 rwm
# rtc
lxc.cgroup.devices.allow = c 254:0 rwm
#fuse
lxc.cgroup.devices.allow = c 10:229 rwm
#tun
lxc.cgroup.devices.allow = c 10:200 rwm
#full
lxc.cgroup.devices.allow = c 1:7 rwm
#hpet
lxc.cgroup.devices.allow = c 10:228 rwm
#kvm
lxc.cgroup.devices.allow = c 10:232 rwm
#==================

-- 
Fajar

_______________________________________________
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users
