[one-dev] OpenNebula LXC Addon

Valentin Bud valentin at databus.pro
Thu Oct 31 02:13:40 PDT 2013


Hello everyone,

I have been reading the docker.io blog post about how secure LXC
containers are [1].

The base LXC template they use [2] drops a lot of capabilities [3].

As a security improvement they plan to map the root user of a container
to a non-root user of the host using the new user namespace. 

I find the docker.io guys courageous in that they provide public LXC
containers :-).

[1]: http://blog.docker.io/2013/08/containers-docker-how-secure-are-they/
[2]: https://github.com/dotcloud/docker/blob/v0.5.0/lxc_template.go#L97
[3]: http://man7.org/linux/man-pages/man7/capabilities.7.html

Good Will,
Valentin Bud
databus.pro
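The two hardening measures mentioned above, a reduced capability set and a user namespace that maps the container's root onto an unprivileged host UID, can both be audited from the kernel's own view of a process. The following helper is an added example for this thread, not code from OpenNebula, Docker or the LXC project: it decodes a `CapEff` mask in the format of `/proc/<pid>/status` into capability names (and lists what a full-root process would have but this one lacks), and translates a container UID through a `/proc/<pid>/uid_map` table, including the unmapped case that collapses to the overflow UID. The function names and the sample `CapEff`/`uid_map` values are constructed for illustration.

```python
"""Audit helpers for two container-hardening properties (hypothetical
example code): which Linux capabilities a process still holds, and how a
user namespace maps a container UID onto the host."""

# Capability bit numbers as defined in linux/capability.h (index -> name).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# Kernel default for /proc/sys/kernel/overflowuid: unmapped IDs show up
# on the host as this UID ("nobody"), which owns nothing of value.
OVERFLOW_UID = 65534


def decode_caps(hex_mask):
    """Turn a CapEff/CapBnd hex string (as printed in /proc/<pid>/status)
    into the list of capability names whose bit is set, in bit order."""
    mask = int(hex_mask, 16)
    return [name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1]


def dropped_caps(hex_mask):
    """Capabilities a full-root process holds but this mask does not."""
    present = set(decode_caps(hex_mask))
    return [name for name in CAP_NAMES if name not in present]


def effective_caps_of(pid="self"):
    """Read CapEff of a live process (Linux only); None where unavailable."""
    try:
        with open(f"/proc/{pid}/status") as status:
            for line in status:
                if line.startswith("CapEff:"):
                    return decode_caps(line.split()[1])
    except OSError:
        return None
    return None


def parse_uid_map(text):
    """Parse /proc/<pid>/uid_map lines of the form '<inside> <outside> <count>'.
    The 'outside' column is relative to the reader's namespace; read from
    the host, it is the host UID."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip blank or malformed lines
        inside, outside, count = (int(f) for f in fields)
        entries.append((inside, outside, count))
    return entries


def container_to_host_uid(uid, uid_map):
    """Host UID that a container UID appears as; IDs outside every mapped
    range collapse to the overflow UID."""
    for inside, outside, count in uid_map:
        if inside <= uid < inside + count:
            return outside + (uid - inside)
    return OVERFLOW_UID


# Constructed sample values (not taken from any real host or template).
SAMPLE_CAPEFF = "00000000a80425fb"                      # a reduced cap set
SAMPLE_UID_MAP = "         0     100000      65536\n"   # container 0 -> host 100000

if __name__ == "__main__":
    print("kept:   ", decode_caps(SAMPLE_CAPEFF))
    print("dropped:", dropped_caps(SAMPLE_CAPEFF))
    uid_map = parse_uid_map(SAMPLE_UID_MAP)
    print("container root is host uid", container_to_host_uid(0, uid_map))
    print("container uid 70000 is host uid", container_to_host_uid(70000, uid_map))
    live = effective_caps_of()
    if live is not None:
        print("this process holds", len(live), "capabilities")
```

Run against a container's init PID (`effective_caps_of(<pid>)` and the contents of `/proc/<pid>/uid_map`) it answers the two questions raised in the thread directly: which capabilities the container's root still has, and whether that root is really an unprivileged UID from the host's point of view. Note that a `uid_map` containing only `0 0 4294967295` means no user namespace isolation at all.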

On Wed, Oct 30, 2013 at 11:18:18AM +0200, Valentin Bud wrote:
> Hi Carlo,
> 
> I agree that *substantial* effort needs to be made in order to provide a
> secure LXC infrastructure. I have also read the articles you've
> provided. I haven't tested the exploit mentioned in mattoncloud.org's
> article yet.
> 
> I also find interesting the docker IO PaaS, have read quite a lot about LXC
> on their blog.
> 
> Is UID/GID mapping [1] helping to secure an LXC container? I think it
> would because then the container's root user would map to an
> unprivileged user on the host. What do you think about this?
> 
> I think that LXC fits nicely in a Private Cloud. I wouldn't give
> out LXC containers to users of a Public Cloud though.
> 
> [1]: http://s3hh.wordpress.com/2012/05/10/user-namespaces-available-to-play/
> 
> Good Will,
> Valentin
> 
> On Mon, Oct 28, 2013 at 05:00:53PM +0100, Carlo Daffara wrote:
> > On one hand, LXC has still some complexities in providing strong security (eg. 
> > http://mattoncloud.org/2012/07/16/are-lxc-containers-enough/ or
> > http://wiki.gentoo.org/wiki/LXC#MAJOR_Temporary_Problems_with_LXC_-_READ_THIS )
> > which means that you need to add substantial infrastructure to prevent LXC leaks or container spills.
> > As it stands, on most distributions, OpenVZ has much stronger containment properties than LXC, unless you want to spend
> > *substantial* effort in closing the gaps.
> > On the other hand, LXC is the basis of Docker ( https://www.docker.io/ ) that is quite interesting as a platform, managed
> > within an IaaS infrastructure, but lightweight and flexible like a PaaS.
> > Cheers,
> > Carlo Daffara
> > CloudWeavers
> > 
> > ----- Original message -----
> > From: knawnd at gmail.com
> > To: dev at lists.opennebula.org
> > Sent: Monday, 28 October 2013 16:51:44
> > Subject: Re: [one-dev] OpenNebula LXC Addon
> > 
> > Hello!
> > 
> > If there is no strong demand to use particular LXC then I would propose 
> > to have a look at such LXC alternative in terms of OS level 
> > virtualization as OpenVZ [1] and OpenVZ driver for OpenNebula 4.2 [2].
> > 
> > Regards,
> > Nikolay.
> > 
> > [1] http://openvz.org
> > [2] https://bitbucket.org/hpcc_kpi/opennebula-openvz/wiki/Home
> > 
> > Simon Boulet wrote on 28/10/13 19:42:
> > > Hi Valentin, James,
> > >
> > > On Sat, Oct 26, 2013 at 7:12 AM, Jaime Melis <jmelis at opennebula.org> wrote:
> > >> thanks a lot for the detailed recap of the opennebula-lxc situation! I'm
> > >> personally very interested in making lxc work with OpenNebula.
> > > I'm very interested in the LXC driver development as well. I don't
> > > have a lot of spare time at the moment though, but let me know if I
> > > can help.
> > >
> > >  From what I know of the OpenNebula XML representation passed to the
> > > drivers it should be enough for implementing a LXC driver, at least
> > > for the basic functionality.
> > >
> > >> There are also a lot of security considerations which I have not brought
> > >> in the discussion just yet. I have to do some more reading on this topic.
> > > One major concern I had 1-2 years ago when I looked at LXC was that it
> > > was possible for any root user inside a container to escape the
> > > container and gain root on the host as well [1][2]. I'm not sure of
> > > the status of these issues in LXC, but I've heard you can use SELinux
> > > to further limit LXC containers and prevent this.
> > >
> > > [1] http://blog.bofh.it/debian/id_413
> > > [2] http://seclists.org/oss-sec/2011/q4/158
> > >
> > > Simon
> > > _______________________________________________
> > > Dev mailing list
> > > Dev at lists.opennebula.org
> > > http://lists.opennebula.org/listinfo.cgi/dev-opennebula.org
> > 
