Thanks for this detailed information, Stéphane.
Well, it seems I'm heading towards Ubuntu :-)

Cheers,
JFL
On 27/03/2013 20:14, Stéphane Graber wrote:
On 03/27/2013 01:49 PM, Jean-François Leroux wrote:
Thanks for your input.
So basically, if I can define cgroup.limits, drop capabilities, etc. I
shall have about the same security as with Ubuntu?

JFL
The main addition Ubuntu does to securing apparmor, outside of trying to
lead the work to get user namespaces, is the apparmor integration.

You won't be able to get safe LXC containers if you don't have apparmor
support in your kernel and use something based on the apparmor profiles
we ship in Ubuntu.

Assuming that just using cgroup limits and dropping capabilities will
give you a secure container is wrong; until we get user namespaces, you
need something like apparmor before you can call a container safe.

I'm not sure what the state of apparmor in Debian is nowadays, but last I
checked, LXC in Debian wasn't shipping with the apparmor integration.


On 27/03/2013 01:32, Fajar A. Nugraha wrote:
On Wed, Mar 27, 2013 at 10:56 AM, Jean-François Leroux
<leroux.jeanfranc...@gmail.com>
wrote:

     Hi all,
     I'm rather new to LXC (although I've been using it for two years now)
     and have some questions about security. I know many of these have been
     discussed in various websites, but I'd like to get advice from real
     users - and many articles I've read may be outdated.

     1) I've read that lxc wasn't secure because anyone with root access on
     the container might have access to the host. Is it true with ssh
     access
     (I mean no console)?


Distros like Ubuntu overcome that problem using cgroups limits,
capability drop, and apparmor. When set up properly (e.g. created using
the default template with distro-bundled kernel and tools), AFAIK it
should be secure-enough.

Note that the above might not apply on manual installation. For
example, if you install lxc on top of Centos6 with custom kernel and
hand-made container config file.
     2) Which capabilities would you drop for web servers where users have
     www-data access?


No idea. The defaults work for me.
     3) What are/would be the danger of running lxc in production servers?


I'd say it's roughly the same "danger" as running your production
servers on top of any virtualization product.
     Many thanks for your input. :-)

     JFL

     PS: I'm planning on running lxc (squeeze) containers inside debian
     hosts.


I'd suggest Ubuntu instead. It's more integrated and easier. Of course
if you're familiar-enough and know how to make the necessary changes,
any distro will do.

--
Fajar

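A check matching the advice in this thread, added here as an example (it is not code from the thread, from Ubuntu or from the LXC project): a small POSIX shell audit that reads a container config file and reports whether the three layers Fajar lists, cgroup device restrictions, dropped capabilities and an AppArmor profile, are all present, and that treats `lxc.aa_profile = unconfined` as missing, which is Stéphane's point that cgroups and capabilities alone do not make a container safe. The key names are the legacy `lxc.*` syntax of the LXC 0.8/0.9 era; the required capability list, the device allow-list, the memory limit and the profile name `lxc-container-default` are assumptions, and the three sample configs are constructed.

```shell
#!/bin/sh
# Added example, not code from the lxc-users thread or the LXC project.
# Audits a container config for the three layers the thread names:
# cgroup device restrictions, dropped capabilities, an AppArmor profile.
# Key names are the legacy lxc.* syntax (lxc.cgroup.devices.deny,
# lxc.cap.drop, lxc.aa_profile); the capability list below is an assumed
# minimum and the sample configs are constructed for this demonstration.

REQUIRED_CAP_DROPS="sys_module mac_admin mac_override"

# Print one verdict line per layer; return the number of missing layers.
audit_lxc_config() {
    cfg="$1"
    missing=0
    # Strip comments and blank lines once so every check sees key = value lines.
    body=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$cfg")

    # 1. cgroup: deny all device nodes by default, then allow-list a few.
    if printf '%s\n' "$body" | grep -q '^[[:space:]]*lxc\.cgroup\.devices\.deny[[:space:]]*=[[:space:]]*a[[:space:]]*$'; then
        echo "ok      cgroup:   devices denied by default (lxc.cgroup.devices.deny = a)"
    else
        echo "MISSING cgroup:   no 'lxc.cgroup.devices.deny = a'; container root keeps host device nodes"
        missing=$((missing + 1))
    fi

    # 2. capabilities: several lxc.cap.drop lines are additive, so collect them all.
    caps=$(printf '%s\n' "$body" \
        | sed -n 's/^[[:space:]]*lxc\.cap\.drop[[:space:]]*=[[:space:]]*//p' | tr '\n' ' ')
    lacking=""
    for c in $REQUIRED_CAP_DROPS; do
        case " $caps " in
            *" $c "*) ;;
            *) lacking="$lacking $c" ;;
        esac
    done
    if [ -z "$lacking" ]; then
        echo "ok      caps:     dropped $caps"
    else
        echo "MISSING caps:     lxc.cap.drop lacks$lacking"
        missing=$((missing + 1))
    fi

    # 3. AppArmor: a profile must be set and must not be 'unconfined'.
    profile=$(printf '%s\n' "$body" \
        | sed -n 's/^[[:space:]]*lxc\.aa_profile[[:space:]]*=[[:space:]]*//p' | tail -n 1 | tr -d ' \t')
    case "$profile" in
        "")         echo "MISSING apparmor: no lxc.aa_profile; nothing confines container root"
                    missing=$((missing + 1)) ;;
        unconfined) echo "MISSING apparmor: lxc.aa_profile = unconfined switches confinement off"
                    missing=$((missing + 1)) ;;
        *)          echo "ok      apparmor: profile $profile" ;;
    esac
    return $missing
}

# Same audit, but prints the count instead of returning it (handy in scripts).
missing_layers() {
    n=0
    audit_lxc_config "$1" >/dev/null || n=$?
    echo "$n"
}

# Constructed sample: a hand-written config of the kind Fajar warns about.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
lxc.utsname = web1
lxc.rootfs = /var/lib/lxc/web1/rootfs
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.cgroup.devices.allow = a
EOF

# Constructed sample: the shape a distro template emits (values illustrative).
HARDENED_CFG=$(mktemp)
cat > "$HARDENED_CFG" <<'EOF'
lxc.utsname = web1
lxc.rootfs = /var/lib/lxc/web1/rootfs
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.cgroup.devices.deny = a
# /dev/null, /dev/zero, /dev/urandom, /dev/console
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.memory.limit_in_bytes = 512M
lxc.cap.drop = sys_module mac_admin mac_override
lxc.cap.drop = sys_time
lxc.aa_profile = lxc-container-default
EOF

# Constructed sample: cgroups and caps done right, AppArmor switched off.
PARTIAL_CFG=$(mktemp)
sed 's/^lxc\.aa_profile.*/lxc.aa_profile = unconfined/' "$HARDENED_CFG" > "$PARTIAL_CFG"
trap 'rm -f "$WEAK_CFG" "$HARDENED_CFG" "$PARTIAL_CFG"' EXIT

for f in "$WEAK_CFG" "$HARDENED_CFG" "$PARTIAL_CFG"; do
    echo "== $f"
    audit_lxc_config "$f" || echo "   -> $? layer(s) missing"
done
```

Run it against a real container with `audit_lxc_config /var/lib/lxc/NAME/config`; a config that passes all three checks is only as good as the profile it names, so the AppArmor profile itself still has to be loaded on the host kernel, which is exactly the piece Stéphane says Debian's LXC packaging was not shipping.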

------------------------------------------------------------------------------
Own the Future-Intel&reg; Level Up Game Demo Contest 2013
Rise to greatness in Intel's independent game demo contest.
Compete for recognition, cash, and the chance to get your game
on Steam. $5K grand prize plus 10 genre and skill prizes.
Submit your demo by 6/6/13. http://p.sf.net/sfu/intel_levelupd2d



_______________________________________________
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users
