Richard, thanks a lot for the clear answer. ;p. Would you recommend openvz
if it is a hostile environment? What is the answer to the above two
questions if it is openvz?
Regards,
Peter
On Sun, Jun 17, 2012 at 6:09 PM, richard -rw- weinberger <
richard.weinber...@gmail.com> wrote:
> On Sun, Jun 17, 2012 at 11:46 AM, cheetah <xuw...@gmail.com> wrote:
> > Hi guys,
> >
> > I am a newbie to lxc and preparing to deploy it in my production
> environment
> > to give each user a container. I have the following two concerns now.
> >
> > 1. Can user load kernel modules in the guest container without
> influencing
> > the host kernel or other container's kernel? As far as I understand, all
> the
> > lxc containers share the same kernel of the host. So I am wondering if
> this
> > is possible?
>
> He can if the user is root and has the proper capability.
> But then your are screwed.
>
> > 2. Or how is the container's security isolation? Can I give user root
> access
> > in the container? Is there any hack that he/she can use root in the
> > container to attack the host or other containers?
>
> For now it's not recommend.
> The user namespace is not complete.
> Eric is working in that.
>
> IOW in hostile hosting environments LXC is not a good idea.
> That may be change in 3.6.
>
> --
> Thanks,
> //richard
>
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users
