diff --git a/_posts/2017-08-22-hardening-lxc-containers.md b/_posts/2017-08-22-hardening-lxc-containers.md index 5cb5722..eba4094 100644 --- a/_posts/2017-08-22-hardening-lxc-containers.md +++ b/_posts/2017-08-22-hardening-lxc-containers.md @@ -13,9 +13,9 @@ tags: - containers --- -[![LXC Logo](/assets/images/posts/harden-container.jpg)](https://www.flickr.com/photos/mr-rollers/32972266123/) +![A real container](/assets/images/posts/harden-container.jpg)
-*By Mr. Rollers. License CC BY-NC-ND 2.0* +*By [Mr. Rollers](https://www.flickr.com/photos/mr-rollers/32972266123/). License CC BY-NC-ND 2.0*
@@ -33,6 +33,66 @@ If you feel a bit lost with all these terms, a good start is the reading of this ## Creating a standard LXC container +![A factory](/assets/images/posts/harden-factory.jpg) +
+*By [Thomas Berg](https://www.flickr.com/photos/decafinata/1989725289/). License CC BY-SA 2.0* +
+Before starting, you'll need a very recent version of LXC, at least lxc-2.0.9 (not yet released as of this writing). Fortunately, you can compile it from its master branch. We'll see later why we need a such recent version. +Here is a quick reminder on how to compile LXC: +```bash +git clone https://github.com/lxc/lxc +cd lxc +./autogen.sh +./configure +make -j8 +sudo make install +``` +Now let's create a basic container (we'll use Fedora but the instructions should work for every distributions): + +```bash +sudo lxc-create -n harden -t fedora +``` + +As you'll need to debug the launch of your container, I can only recommend you this command line : + +```bash +sudo lxc-start -n harden -lDEBUG -F +``` + +It will launch your container in foreground (so you'll be able to see systemd logs at boot) and it will log many useful informations in the `/var/log/lxc/harden.log` file. + +## cgroups: group your processes + +[Wikipedia](https://en.wikipedia.org/wiki/Cgroups) proposes the following definition: + +> cgroups is a Linux kernel feature that limits, accounts for, and isolates the resource usage (CPU, memory, disk I/O, network, etc.) of a collection of processes. + +It might not be totally clear at the first read, but cgroups are two differents things: + + 1. A method to create groups of processus + 2. A method to apply limitation, accounting, etc. on these groups + + + +If you want to read more on this, the article [Control Groups vs. Control Groups](http://0pointer.de/blog/projects/cgroups-vs-cgroups.html) by Lennart Poettering explains how systemd uses cgroups and why the distinction is crucial. + +## Namespaces: isolate your system resources + +Michael Kerrisk wrote an interesting [serie of articles about namespaces](https://lwn.net/Articles/531114/) on LWN. 
I find its definition of namespaces particularly interesting: + +> The purpose of each namespace is to wrap a particular global system resource in an abstraction that makes it appear to the processes within the namespace that they have their own isolated instance of the global resource. + +At first glance, namespaces handle could appear trivial in LXC: every available namespaces are used and that's all. + +## Seccomp + +## Capabilities: split the root + +## Linux Security Modules (LSM) + +## Other + +prlimit diff --git a/assets/images/posts/harden-factory.jpg b/assets/images/posts/harden-factory.jpg new file mode 100644 index 0000000..6f8340f Binary files /dev/null and b/assets/images/posts/harden-factory.jpg differ
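Review bot: The second hunk (everything from `## Creating a standard LXC container` on) commits several headings with no body at all (`## Seccomp`, `## Capabilities: split the root`, `## Linux Security Modules (LSM)`, and `## Other` followed only by the bare word `prlimit`), plus a three-line gap after the two-item cgroups list where text looks to be missing; either fill these in before merging or keep the post as a draft so the empty sections are not published. Two smaller points in the same hunk: the build instructions run `./configure` with no `--prefix` and then `sudo make install`, so say where that installs and that it may shadow a distro-packaged lxc; and the text says it needs "at least lxc-2.0.9 (not yet released)" but then builds `master`, which is not necessarily the 2.0.x series, so name the branch or commit that carries the required change and state what it is instead of deferring with "We'll see later why" (that later section is not in this patch). Wording to fix in the added prose: "a such recent version" to "such a recent version", "every distributions" to "every distribution", "many useful informations" to "much useful information", "two differents things" to "two different things", "groups of processus" to "groups of processes", "serie of articles" to "series of articles", "its definition" to "his definition", "namespaces handle could appear trivial" to "namespace handling could appear trivial", "every available namespaces are used" to "every available namespace is used", and drop the stray space before the colon in "command line :".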