On 12-09-13 06:56 PM, Stuart Yoder wrote: >> I would not use lxc for shared vps setup (like openvz) at this moment >> due to some unsolved security issues. > > I've seen security issues with lxc mentioned in a few places, but nothing > very specific (one thing specific was something to do with /proc > filtering). (I've googled a bit, but it's hard to tell what is up to date) > > Is there a summary anywhere of potential security issues with LXC? > > Stuart
Serge wrote an overview of LXC security when working on Ubuntu 12.04 LTS: https://wiki.ubuntu.com/LxcSecurity Most of the points on there have been handled the best way we can by using apparmor, if you're not using Ubuntu with apparmor, all of these points are still very real issues. Some other distros are trying to drop as many capabilities at container boot time, it's however pretty difficult to get something usable without having to compromise on some capabilities that essentially would let an attacker get back to full root. The way forward is the use of the user namespaces which are still slowly making their way into the mainline kernel. Once fully implemented, we'll be able to start LXC containers as non-privileged users (except for some glue running as root) which will automatically fix all the issues listed on that wiki page. -- Stéphane Graber Ubuntu developer http://www.ubuntu.com
signature.asc
Description: OpenPGP digital signature
------------------------------------------------------------------------------ Everyone hates slow websites. So do we. Make your web apps faster with AppDynamics Download AppDynamics Lite for free today: http://ad.doubleclick.net/clk;258768047;13503038;j? http://info.appdynamics.com/FreeJavaPerformanceDownload.html
_______________________________________________ Lxc-users mailing list Lxc-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-users
