Where are lxc containers security borderlines?

lxc

My question is around the security of an LXC container.

If I am running multiple containers on my box, and give users a separate ssh access to their owned container, can any of those container hack into the other containers on that box or the even the host machine?

Where are lxc containers security borderlines?


Solution 1:

As I have seen about LXC It stores container information and (with the default backing store) root filesystems under /var/lib/lxc. Container creation templates also tend to store cached distribution information under /var/cache/lxc.

So Generally access to root filesystem only allowed to admin unless there is a misusage or wrong configuration user profiles while creating them.

But Ubuntu Developers may already came to this point and they have provided a secure solution with the help of AppArmor.

LXC ships with an Apparmor profile intended to protect the host from accidental misuses of privilege inside the container. For instance, the container will not be able to write to /proc/sysrq-trigger or to most /sys files.

The usr.bin.lxc-start profile is entered by running lxc-start. This profile mainly prevents lxc-start from mounting new filesystems outside of the container's root filesystem. Before executing the container's init, LXC requests a switch to the container's profile. By default, this profile is the lxc-container-default policy which is defined in /etc/apparmor.d/lxc/lxc-default. This profile prevents the container from accessing many dangerous paths, and from mounting most filesystems.

If you find that lxc-start is failing due to a legitimate access which is being denied by its Apparmor policy, you can disable the lxc-start profile by doing:

sudo apparmor_parser -R /etc/apparmor.d/usr.bin.lxc-start
sudo ln -s /etc/apparmor.d/usr.bin.lxc-start /etc/apparmor.d/disabled/

This will make lxc-start run unconfined, but continue to confine the container itself. If you also wish to disable confinement of the container, then in addition to disabling the usr.bin.lxc-start profile, you must add:

lxc.aa_profile = unconfined

to the container's configuration file. If you wish to run a container in a custom profile, you can create a new profile under /etc/apparmor.d/lxc/. Its name must start with lxc- in order for lxc-start to be allowed to transition to that profile. After creating the policy, load it using:

sudo apparmor_parser -r /etc/apparmor.d/lxc-containers

The profile will automatically be loaded after a reboot, because it is sourced by the file /etc/apparmor.d/lxc-containers. Finally, to make container CN use this new lxc-CN-profile, add the following line to its configuration file:

lxc.aa_profile = lxc-CN-profile

lxc-execute does not enter an Apparmor profile, but the container it spawns will be confined.

Related

Is it 100% safe to rename a file while it's being written?
Xubuntu 13.04 X Login Loop
No bluetooth icon on top bar
tomcat7's CATALINA_HOME in Debian/Ubuntu
How to Triforce on /b/ on ubuntu
Enable/Disable Ubuntu Desktop environment on ubuntu-12.04.1-server-i386
Why does my hostname contain odd characters?
Changing opacity of inactive windows in KDE
Manually Uninstall GDAL
How could one really get sensitive information from a swap partition?
QML: Simplest way to write to a text file?
How to use Xvfb in Ubuntu 14.04 with/without RandR?