[one-dev] OpenNebula LXC Addon
Valentin Bud
valentin at databus.pro
Thu Oct 31 02:13:40 PDT 2013
Hello everyone,
I have been reading the docker.io blog post about how secure LXC
containers are [1].
The base LXC template they use [2] drops a lot of capabilities [3].
As a security improvement they plan to map the root user of a container
to a non-root user of the host using the new user namespace.
I find the docker.io guys courageous in that they provide public LXC
containers :-).
[1]: http://blog.docker.io/2013/08/containers-docker-how-secure-are-they/
[2]: https://github.com/dotcloud/docker/blob/v0.5.0/lxc_template.go#L97
[3]: http://man7.org/linux/man-pages/man7/capabilities.7.html
Good Will,
Valentin Bud
databus.pro
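The two hardening measures mentioned above (dropping capabilities in the LXC template and mapping the container's root to an unprivileged host user via user namespaces) can both be checked mechanically from a container's config. The following is an added example written for this thread, not code from the thread, from Docker or from OpenNebula: a small Python auditor that parses LXC 1.x-style config keys (`lxc.cap.drop`, `lxc.id_map`), reports capabilities from an editor-chosen minimum drop list that are still held, and reports whether container uid/gid 0 lands on host id 0. Both sample configs are constructed for illustration.

```python
"""Audit an LXC config for a dropped-capability list and a user-namespace
id mapping that keeps container root away from host uid/gid 0.

Editor's example, not part of the thread, Docker or OpenNebula. Key names
follow the LXC 1.x syntax (lxc.cap.drop, lxc.id_map); configs are constructed.
"""
import re

# Minimum set a container should not hold (editor's choice; see
# capabilities(7)). sys_admin alone permits mounts and much more.
REQUIRED_DROPPED = frozenset({
    "sys_admin", "sys_module", "sys_rawio", "sys_boot", "sys_time",
    "mknod", "mac_admin", "mac_override", "setpcap", "setfcap",
})

# Constructed: drops only two capabilities and has no id mapping at all.
WEAK_CONFIG = """
lxc.utsname = web1
lxc.cap.drop = sys_module sys_rawio
"""

# Constructed: accumulated drop lines plus uid/gid 0 mapped to host 100000.
HARDENED_CONFIG = """
lxc.utsname = web1
lxc.cap.drop = audit_control audit_write mac_admin mac_override mknod setfcap
lxc.cap.drop = setpcap sys_admin sys_boot sys_module sys_nice sys_pacct
lxc.cap.drop = sys_rawio sys_resource sys_time sys_tty_config
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
"""


def parse_config(text):
    """Return (dropped_caps, id_maps) from LXC config text.

    dropped_caps: set of lowercase names from every lxc.cap.drop line
    id_maps: list of (kind, container_start, host_start, count), kind in u/g
    """
    dropped, id_maps = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "lxc.cap.drop":
            dropped.update(v.lower() for v in value.split())
        elif key == "lxc.id_map":
            m = re.fullmatch(r"([ug])\s+(\d+)\s+(\d+)\s+(\d+)", value)
            if m:
                kind, c_start, h_start, count = m.groups()
                id_maps.append((kind, int(c_start), int(h_start), int(count)))
    return dropped, id_maps


def root_maps_to_unprivileged(id_maps, kind="u"):
    """True if container id 0 of the given kind maps to a host id other than 0."""
    for k, c_start, h_start, count in id_maps:
        if k == kind and c_start <= 0 < c_start + count:
            return h_start + (0 - c_start) != 0
    return False  # no mapping covers id 0: container root is host root


def audit(text):
    """Return a list of human-readable findings; empty means both checks pass."""
    dropped, id_maps = parse_config(text)
    findings = []
    missing = sorted(REQUIRED_DROPPED - dropped)
    if missing:
        findings.append("capabilities not dropped: " + ", ".join(missing))
    if not root_maps_to_unprivileged(id_maps, "u"):
        findings.append("container uid 0 is host uid 0 (no user mapping)")
    if not root_maps_to_unprivileged(id_maps, "g"):
        findings.append("container gid 0 is host gid 0 (no group mapping)")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["ok"])
```

The drop list is deliberately a floor, not a ceiling: a template may drop more, and a mapping that places container root on a host uid that itself owns sensitive files would pass this check yet still be a poor choice, so review the chosen host range alongside the config.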
On Wed, Oct 30, 2013 at 11:18:18AM +0200, Valentin Bud wrote:
> Hi Carlo,
>
> I agree that *substantial* effort needs to be made in order to provide a
> secure LXC infrastructure. I have also read the articles you've
> provided. I haven't tested the exploit mentioned in mattoncloud.org's
> article yet.
>
> I also find interesting the docker IO PaaS, have read quite a lot about LXC
> on their blog.
>
> Is UID/GID mapping [1] helping in securing an LXC container? I think it
> would because then the container's root user would map to an
> unprivileged user on the host. What do you think about this?
>
> I think that LXC fits nicely in a Private Cloud. I wouldn't give
> out LXC containers to users of a Public Cloud though.
>
> [1]: http://s3hh.wordpress.com/2012/05/10/user-namespaces-available-to-play/
>
> Good Will,
> Valentin
>
> On Mon, Oct 28, 2013 at 05:00:53PM +0100, Carlo Daffara wrote:
> > On one hand, LXC has still some complexities in providing strong security (eg.
> > http://mattoncloud.org/2012/07/16/are-lxc-containers-enough/ or
> > http://wiki.gentoo.org/wiki/LXC#MAJOR_Temporary_Problems_with_LXC_-_READ_THIS )
> > which means that you need to add substantial infrastructure to prevent LXC leaks or container spills.
> > As it stands, on most distributions, OpenVZ has much stronger containment properties than LXC, unless you want to spend
> > *substantial* effort in closing the gaps.
> > On the other hand, LXC is the basis of Docker ( https://www.docker.io/ ) that is quite interesting as a platform, managed
> > within an IaaS infrastructure, but lightweight and flexible like a PaaS.
> > Cheers,
> > Carlo Daffara
> > CloudWeavers
> >
> > ----- Original message -----
> > From: knawnd at gmail.com
> > To: dev at lists.opennebula.org
> > Sent: Monday, 28 October 2013 16:51:44
> > Subject: Re: [one-dev] OpenNebula LXC Addon
> >
> > Hello!
> >
> > If there is no strong demand to use particular LXC then I would propose
> > to have a look at such LXC alternative in terms of OS level
> > virtualization as OpenVZ [1] and OpenVZ driver for OpenNebula 4.2 [2].
> >
> > Regards,
> > Nikolay.
> >
> > [1] http://openvz.org
> > [2] https://bitbucket.org/hpcc_kpi/opennebula-openvz/wiki/Home
> >
> > Simon Boulet wrote on 28/10/13 19:42:
> > > Hi Valentin, James,
> > >
> > > On Sat, Oct 26, 2013 at 7:12 AM, Jaime Melis <jmelis at opennebula.org> wrote:
> > >> thanks a lot for the detailed recap of the opennebula-lxc situation! I'm
> > >> personally very interested in making lxc work with OpenNebula.
> > > I'm very interested in the LXC driver development as well. I don't
> > > have a lot of spare time at the moment though, but let me know if I
> > > can help.
> > >
> > > From what I know of the OpenNebula XML representation passed to the
> > > drivers it should be enough for implementing a LXC driver, at least
> > > for the basic functionality.
> > >
> > >> There are also a lot of security considerations which I have not brought
> > >> in the discussion just yet. I have to do some more reading on this topic.
> > > One major concern I had 1-2 years ago when I looked at LXC was that it
> > > was possible for any root user inside a container to escape the
> > > container and gain root on the host as well [1][2]. I'm not sure of
> > > the status of these issues in LXC, but I've heard you can use SELinux
> > > to further limit LXC containers and prevent this.
> > >
> > > [1] http://blog.bofh.it/debian/id_413
> > > [2] http://seclists.org/oss-sec/2011/q4/158
> > >
> > > Simon
> > > _______________________________________________
> > > Dev mailing list
> > > Dev at lists.opennebula.org
> > > http://lists.opennebula.org/listinfo.cgi/dev-opennebula.org
> >