On Wed, Mar 27, 2013 at 10:56 AM, Jean-François Leroux <leroux.jeanfranc...@gmail.com> wrote:
> Hi all,
> I'm rather new to LXC (although I've been using it for two years now)
> and have some questions about security. I know many of these have been
> discussed in various websites, but I'd like to get advice from real
> users - and many articles I've read may be outdated.
>
> 1) I've read that lxc wasn't secure because anyone with root access on
> the container might have access to the host. Is it true with ssh access
> (I mean no console)?
>
Distros like Ubuntu overcome that problem using cgroups limits, capability
drop, and AppArmor. When set up properly (e.g. created using the default
template with the distro-bundled kernel and tools), AFAIK it should be
secure enough.

Note that the above might not apply to a manual installation. For example, if
you install lxc on top of CentOS 6 with a custom kernel and a hand-made
container config file.

> 2) Which capabilities would you drop for web servers where users have
> www-data access?
>
No idea. The defaults work for me.

> 3) What are/would be the danger of running lxc in production servers?
>
>
I'd say it's roughly the same "danger" as running your production servers
on top of any virtualization product.

> Many thanks for your input. :-)
>
> JFL
>
> PS: I'm planning on running lxc (squeeze) containers inside debian hosts.
>
>
I'd suggest Ubuntu instead. It's more integrated and easier. Of course, if
you're familiar enough and know how to make the necessary changes, any
distro will do.

--
Fajar
_______________________________________________
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users
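
The reply above names three controls (cgroup limits, capability drop, AppArmor) and warns that a hand-made container config may lack them. The following is an added example, not part of the original message or of LXC's own tooling: a small audit of a container config for those three controls. It assumes the LXC config key names of that era (`lxc.cap.drop`, `lxc.aa_profile`, `lxc.cgroup.*`); both sample configs and the choice of checks are constructed for illustration.

```python
# Constructed sample: a hand-made config of the kind the reply warns about.
HAND_MADE = """\
lxc.utsname = web01
lxc.rootfs = /var/lib/lxc/web01/rootfs
# lxc.cap.drop = sys_module   (commented out, so not in effect)
lxc.aa_profile = unconfined
"""

# Constructed sample: a config that sets all three controls.
HARDENED = """\
lxc.utsname = web02
lxc.cap.drop = sys_module mac_admin mac_override sys_time
lxc.aa_profile = lxc-container-default
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.memory.limit_in_bytes = 512M
"""

def parse(text):
    """Return {key: [values]} for 'key = value' lines, skipping comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        conf.setdefault(key, []).append(value)
    return conf

def audit(text):
    """Return findings for the controls the reply names (checks are assumptions)."""
    conf = parse(text)
    findings = []
    dropped = set()
    for value in conf.get("lxc.cap.drop", []):
        # An empty lxc.cap.drop value clears what was dropped so far.
        dropped = dropped | set(value.split()) if value else set()
    if not dropped:
        findings.append("lxc.cap.drop: no capabilities dropped")
    profile = conf.get("lxc.aa_profile", [None])[-1]
    if profile is None:
        findings.append("lxc.aa_profile: not set, confinement depends on host default")
    elif profile == "unconfined":
        findings.append("lxc.aa_profile: unconfined, AppArmor disabled for container")
    if "a" not in conf.get("lxc.cgroup.devices.deny", []):
        findings.append("lxc.cgroup.devices.deny: no default-deny rule")
    if not any(k.startswith("lxc.cgroup.memory.") for k in conf):
        findings.append("lxc.cgroup.memory.*: no memory limit")
    return findings
```

`audit(HAND_MADE)` reports all four gaps, while `audit(HARDENED)` returns an empty list.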