[one-dev] OpenNebula LXC Addon

Valentin Bud valentin at databus.pro
Wed Oct 30 02:18:18 PDT 2013


Hi Carlo,

I agree that *substantial* effort needs to be made in order to provide a
secure LXC infrastructure. I have also read the articles you've
provided. I haven't tested the exploit mentioned in mattoncloud.org's
article yet.

I also find the docker IO PaaS interesting; I have read quite a lot about LXC
on their blog.

Is UID/GID mapping [1] helping in securing an LXC container? I think it
would because then the container's root user would map to an
unprivileged user on the host. What do you think about this?

I think that LXC fits nicely in a Private Cloud. I wouldn't give
out LXC containers to users of a Public Cloud though.

[1]: http://s3hh.wordpress.com/2012/05/10/user-namespaces-available-to-play/

Good Will,
Valentin

On Mon, Oct 28, 2013 at 05:00:53PM +0100, Carlo Daffara wrote:
> On one hand, LXC has still some complexities in providing strong security (eg. 
> http://mattoncloud.org/2012/07/16/are-lxc-containers-enough/ or
> http://wiki.gentoo.org/wiki/LXC#MAJOR_Temporary_Problems_with_LXC_-_READ_THIS )
> which means that you need to add substantial infrastructure to prevent LXC leaks or container spills.
> As it stands, on most distributions, OpenVZ has much stronger containment properties than LXC, unless you want to spend
> *substantial* effort in closing the gaps.
> On the other hand, LXC is the basis of Docker ( https://www.docker.io/ ) that is quite interesting as a platform, managed
> within an IaaS infrastructure, but lightweight and flexible like a PaaS.
> Cheers,
> Carlo Daffara
> CloudWeavers
> 
> ----- Original message -----
> From: knawnd at gmail.com
> To: dev at lists.opennebula.org
> Sent: Monday, 28 October 2013 16:51:44
> Subject: Re: [one-dev] OpenNebula LXC Addon
> 
> Hello!
> 
> If there is no strong demand to use LXC in particular, then I would propose 
> to have a look at such an LXC alternative in terms of OS-level 
> virtualization as OpenVZ [1] and the OpenVZ driver for OpenNebula 4.2 [2].
> 
> Regards,
> Nikolay.
> 
> [1] http://openvz.org
> [2] https://bitbucket.org/hpcc_kpi/opennebula-openvz/wiki/Home
> 
> Simon Boulet wrote on 28/10/13 19:42:
> > Hi Valentin, James,
> >
> > On Sat, Oct 26, 2013 at 7:12 AM, Jaime Melis <jmelis at opennebula.org> wrote:
> >> thanks a lot for the detailed recap of the opennebula-lxc situation! I'm
> >> personally very interested in making lxc work with OpenNebula.
> > I'm very interested in the LXC driver development as well. I don't
> > have a lot of spare time at the moment though, but let me know if I
> > can help.
> >
> > From what I know of the OpenNebula XML representation passed to the
> > drivers it should be enough for implementing a LXC driver, at least
> > for the basic functionality.
> >
> >> There are also a lot of security considerations which I have not brought
> >> in the discussion just yet. I have to do some more reading on this topic.
> > One major concern I had 1-2 years ago when I looked at LXC was that it
> > was possible for any root user inside a container to escape the
> > container and gain root on the host as well [1][2]. I'm not sure of
> > the status of these issues in LXC, but I've heard you can use SELinux
> > to further limit LXC containers and prevent this.
> >
> > [1] http://blog.bofh.it/debian/id_413
> > [2] http://seclists.org/oss-sec/2011/q4/158
> >
> > Simon
> > _______________________________________________
> > Dev mailing list
> > Dev at lists.opennebula.org
> > http://lists.opennebula.org/listinfo.cgi/dev-opennebula.org
> 
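The UID/GID mapping Valentin asks about is expressed as kernel uid_map/gid_map triples (first id inside the namespace, first host id, count), which an LXC 1.0 config carries as lxc.id_map entries. The following Python is an added example, not code from this thread or from the LXC or OpenNebula projects: it parses both forms, translates a container ID to the host ID it really runs as, and checks that container root lands on an unprivileged host UID; the sample maps are constructed.

```python
"""Audit a user-namespace ID map: where does container root land on the host?
Lines use the kernel /proc/<pid>/uid_map shape "<inside> <host> <count>"; an
LXC 1.0 config writes the same triples as "lxc.id_map = u <inside> <host> <count>".
"""
import re
from typing import List, Optional, Tuple

Range = Tuple[int, int, int]  # (first id inside the namespace, first host id, count)
_LXC_LINE = re.compile(r"lxc\.id_map\s*=\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)$")
# Constructed samples: a remapped container and an identity map (no real separation).
SAFE_MAP = "lxc.id_map = u 0 100000 65536\nlxc.id_map = g 0 100000 65536\n"
IDENTITY_MAP = "0 0 4294967295\n"

def parse_id_map(text: str, kind: str = "u") -> List[Range]:
    """Parse uid_map/gid_map lines or lxc.id_map entries for one ID kind ('u' or 'g')."""
    ranges: List[Range] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # tolerate trailing comments
        if not line:
            continue
        m = _LXC_LINE.match(line)
        if m:
            if m.group(1) != kind:
                continue  # a GID line while parsing UIDs, or vice versa
            fields = m.group(2, 3, 4)
        else:
            fields = tuple(line.split())
            if len(fields) != 3 or not all(f.isdigit() for f in fields):
                raise ValueError(f"malformed map line: {raw!r}")
        inside, host, count = (int(f) for f in fields)
        if count < 1:
            raise ValueError(f"empty range: {raw!r}")
        ranges.append((inside, host, count))
    return ranges

def to_host_id(ranges: List[Range], inside_id: int) -> Optional[int]:
    """Host ID for a container ID; None when unmapped (the kernel shows the overflow id)."""
    for inside, host, count in ranges:
        if inside <= inside_id < inside + count:
            return host + (inside_id - inside)
    return None

def container_root_is_unprivileged(ranges: List[Range]) -> bool:
    """True only if container uid 0 maps to a non-zero host uid and no range reaches host uid 0."""
    host_root = to_host_id(ranges, 0)
    if host_root is None or host_root == 0:
        return False
    return all(not (host <= 0 < host + count) for _, host, count in ranges)
```

The last check matters because a second range that maps some container ID onto host uid 0 hands the container a host-root identity even when its own uid 0 is remapped.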