Differences between revisions 15 and 16
Revision 15 as of 2018-01-09 16:57:34 (size: 2164, editor: risca)
Revision 16 as of 2019-03-28 19:24:16 (size: 2437, editor: risca)
Change at line 37 (added in revision 16):

Be careful of unexpected severe bugs. For example:
 * CVE-2019-5736: runc container breakout: [[https://lwn.net/Articles/779542/]] [[https://brauner.github.io/2019/02/12/privileged-containers.html]] [[https://aws.amazon.com/security/security-bulletins/AWS-2019-002/]]

Creating containers

LXC configuration

Network management

server

systemd-networkd is not compatible with lxc-net. Use only one of the two.

At the time of writing lxc-net needs full control over its bridge interface (1). The easiest and ugliest option is lxc-net; for a cleaner setup, try to replace it with systemd units.

lxc-net

Fill in /etc/default/lxc-net, then /etc/network/interfaces (at least lxcbr0 is required).

client

On the guest, in /etc/network/interfaces:

auto eth0
iface eth0 inet manual

In the LXC configuration file of the container:

lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = lxcbr0
lxc.network.hwaddr = 4a:49:43:49:79:bf
lxc.network.ipv4 = 10.0.3.102/24
lxc.network.ipv4.gateway = 10.0.3.1

Security

From wheezy onward it is necessary to move from OpenVZ to LXC, even though on wheezy it may never reach the same level of maturity as OpenVZ, security included (2).

It is nevertheless recommended to:

  • run LXC as an unprivileged user (3)

  • use AppArmor (4) (or SELinux)

  • use seccomp

Be careful of unexpected severe bugs. For example:

  • CVE-2019-5736: runc container breakout: https://lwn.net/Articles/779542/ https://brauner.github.io/2019/02/12/privileged-containers.html https://aws.amazon.com/security/security-bulletins/AWS-2019-002/

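As an added example (not code from this wiki or from the LXC project), the following script lints a container config for the two things this page discusses: the network stanza from the client section (type, link, hwaddr, address and gateway) and the three hardening recommendations above (unprivileged id mapping, an AppArmor profile, a seccomp profile). It assumes the legacy key names used on this page (lxc.network.*, lxc.aa_profile, lxc.seccomp, lxc.id_map) and their LXC 3.x equivalents (lxc.net.0.*, lxc.apparmor.profile, lxc.seccomp.profile, lxc.idmap); the hardening lines in the sample config are constructed, not taken from the page.

```python
"""Lint an LXC container config for network sanity and the hardening
settings recommended in the Security section.  Added example; the key
names are the legacy and LXC 3.x spellings (assumption, see lead-in)."""
import ipaddress
import re

# Constructed sample: the network stanza from the page plus hypothetical
# hardening lines a practitioner would add after reading the Security section.
SAMPLE_CONFIG = """\
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = lxcbr0
lxc.network.hwaddr = 4a:49:43:49:79:bf
lxc.network.ipv4 = 10.0.3.102/24
lxc.network.ipv4.gateway = 10.0.3.1
# hypothetical hardening lines (constructed for this example)
lxc.aa_profile = lxc-container-default
lxc.seccomp = /usr/share/lxc/config/common.seccomp
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
"""

# The page's network stanza alone: a privileged, unconfined container.
NETWORK_ONLY_CONFIG = "\n".join(SAMPLE_CONFIG.splitlines()[:6]) + "\n"


def parse_lxc_config(text):
    """Return {key: [values]}; keys may repeat (lxc.id_map appears twice)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # not a key = value line, ignore
        conf.setdefault(key.strip(), []).append(value.strip())
    return conf


def first(conf, *keys):
    """First value found under any of the given (legacy or 3.x) key names."""
    for key in keys:
        if key in conf:
            return conf[key][0]
    return None


def lint(conf, expected_bridge="lxcbr0"):
    """Return a list of human-readable findings; empty means the config passes."""
    findings = []

    # --- network stanza (client section of the page) ---
    if first(conf, "lxc.network.type", "lxc.net.0.type") != "veth":
        findings.append("network type is not veth")
    link = first(conf, "lxc.network.link", "lxc.net.0.link")
    if link != expected_bridge:
        findings.append(f"network link {link!r} is not {expected_bridge}")
    hwaddr = first(conf, "lxc.network.hwaddr", "lxc.net.0.hwaddr")
    if hwaddr is None or not re.fullmatch(r"([0-9a-f]{2}:){5}[0-9a-f]{2}", hwaddr, re.I):
        findings.append("hwaddr missing or malformed")
    elif not int(hwaddr[:2], 16) & 0x02:
        # a static MAC should be locally administered (bit 1 of the first octet)
        findings.append("hwaddr is not locally administered")
    addr = first(conf, "lxc.network.ipv4", "lxc.net.0.ipv4.address")
    gateway = first(conf, "lxc.network.ipv4.gateway", "lxc.net.0.ipv4.gateway")
    if addr and gateway:
        network = ipaddress.ip_interface(addr).network
        if ipaddress.ip_address(gateway) not in network:
            findings.append(f"gateway {gateway} not in {network}")

    # --- hardening (Security section of the page) ---
    if first(conf, "lxc.id_map", "lxc.idmap") is None:
        findings.append("no id map: container is privileged")
    if first(conf, "lxc.aa_profile", "lxc.apparmor.profile") in (None, "unconfined"):
        findings.append("no AppArmor profile")
    if first(conf, "lxc.seccomp", "lxc.seccomp.profile") is None:
        findings.append("no seccomp profile")
    return findings


if __name__ == "__main__":
    for name, text in (("hardened", SAMPLE_CONFIG), ("network-only", NETWORK_ONLY_CONFIG)):
        print(name, lint(parse_lxc_config(text)) or "OK")
```

Run against the page's network stanza alone it reports the three missing hardening settings; with the constructed id map, AppArmor and seccomp lines added it reports nothing. Point it at a real container config with `lint(parse_lxc_config(open(path).read()))`.
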
Guest images

Download

List of available images:

/usr/share/lxc/templates/lxc-download -l

A really minimal install, probably useful on Debian:

apt-get install aptitude
aptitude install ~pimportant
aptitude install ~prequired
aptitude install ~pstandard

Warnings on guests

Jessie

On jessie be aware of the systemd incompatibility. For info:

Notes

  1. By default lxc-net, if the bridge interface already exists (see the code), stops it and exits with an error (1)

  2. mattonclud's assessment of the security status as of 2012 (2)

  3. https://linuxcontainers.org/lxc/security/ (3)

  4. https://wiki.debian.org/AppArmor/HowToUse (4)

MyWiki: LXC (last edited 2019-03-28 19:24:16 by risca)