For years, I'm now using OpenVZ on my server, but support discontinued for Debi

Question

I have been using OpenVZ on my server for years, but support has been discontinued for Debian and Ubuntu. Current releases seem to focus on LXC now, which is not a bad idea from the point of view of comfort.

But what about security? I remember I read once that LXC doesn't provide the same level of process and container separation as OpenVZ does. Unfortunately, I can't find the document anymore, but I agree there might be some security issues, at least in the default configuration of LXC. For example, with a completely customized rootfs I managed once (in an older version of LXC) to change the host's terminal from an LXC container using `chvt 1`, and pressing Ctrl+C ended in a restart of my X11 environment when I tried to reproduce it today. I know all container solutions use the same kernel and a kernel hack can lead to a container breakout; that's not what I'm asking. But it shouldn't be that easy to influence the host or other containers from a container.

How much security can I expect from OpenVZ and LXC?

My server exposes some guest ports to the internet, so I really care about this aspect, but I have to make a decision because the currently used tools need to be upgraded. Using KVM or similar is not an option since my server has a low-performance CPU.

Explanation / Answer

One of the newest and most promising security techniques specific to LXC is the use of low-privileged containers, which is possible only thanks to the tight integration of LXC with the Linux kernel. It relies on user namespaces, which allow the users within the LXC container to be seen as some kind of "sub-users" of the container owner.

If the container owner is root, as is required for most container-like systems, this will not change anything in terms of security (or at least not noticeably). However, the "magic" here is that the container can be owned by an unprivileged user, and in this case the container's root user will have the same privilege on the system as the container's owner, i.e. the unprivileged user.
