On Sun, Jun 17, 2012 at 11:46 AM, cheetah <xuw...@gmail.com> wrote: > Hi guys, > > I am a newbie to lxc and preparing to deploy it in my production environment > to give each user a container. I have the following two concerns now. > > 1. Can user load kernel modules in the guest container without influencing > the host kernel or other container's kernel? As far as I understand, all the > lxc containers share the same kernel of the host. So I am wondering if this > is possible?
He can if the user is root and has the proper capability. But then your are screwed. > 2. Or how is the container's security isolation? Can I give user root access > in the container? Is there any hack that he/she can use root in the > container to attack the host or other containers? For now it's not recommend. The user namespace is not complete. Eric is working in that. IOW in hostile hosting environments LXC is not a good idea. That may be change in 3.6. -- Thanks, //richard ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ Lxc-users mailing list Lxc-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-users
