forked from quentin/quentin.dufour.io
WIP 2 hardening LXC
This commit is contained in:
parent
acae001b47
commit
5ac363f2b8
2 changed files with 62 additions and 2 deletions
|
@ -13,9 +13,9 @@ tags:
|
|||
- containers
|
||||
---
|
||||
|
||||
[![LXC Logo](/assets/images/posts/harden-container.jpg)](https://www.flickr.com/photos/mr-rollers/32972266123/)
|
||||
![A real container](/assets/images/posts/harden-container.jpg)
|
||||
<div style="font-size: 12px; text-align:center; margin-top:-20px">
|
||||
*By Mr. Rollers. License CC BY-NC-ND 2.0*
|
||||
*By [Mr. Rollers](https://www.flickr.com/photos/mr-rollers/32972266123/). License CC BY-NC-ND 2.0*
|
||||
</div>
|
||||
|
||||
|
||||
|
@ -33,6 +33,66 @@ If you feel a bit lost with all these terms, a good start is the reading of this
|
|||
|
||||
## Creating a standard LXC container
|
||||
|
||||
![A factory](/assets/images/posts/harden-factory.jpg)
|
||||
<div style="font-size: 12px; text-align:center; margin-top:-20px">
|
||||
*By [Thomas Berg](https://www.flickr.com/photos/decafinata/1989725289/). License CC BY-SA 2.0*
|
||||
</div>
|
||||
|
||||
Before starting, you'll need a very recent version of LXC, at least lxc-2.0.9 (not yet released as of this writing). Fortunately, you can compile it from its master branch. We'll see later why we need a such recent version.
|
||||
Here is a quick reminder on how to compile LXC:
|
||||
|
||||
```bash
|
||||
git clone https://github.com/lxc/lxc
|
||||
cd lxc
|
||||
./autogen.sh
|
||||
./configure
|
||||
make -j8
|
||||
sudo make install
|
||||
```
|
||||
|
||||
Now let's create a basic container (we'll use Fedora but the instructions should work for every distributions):
|
||||
|
||||
```bash
|
||||
sudo lxc-create -n harden -t fedora
|
||||
```
|
||||
|
||||
As you'll need to debug the launch of your container, I can only recommend you this command line :
|
||||
|
||||
```bash
|
||||
sudo lxc-start -n harden -lDEBUG -F
|
||||
```
|
||||
|
||||
It will launch your container in foreground (so you'll be able to see systemd logs at boot) and it will log many useful informations in the `/var/log/lxc/harden.log` file.
|
||||
|
||||
## cgroups: group your processes
|
||||
|
||||
[Wikipedia](https://en.wikipedia.org/wiki/Cgroups) proposes the following definition:
|
||||
|
||||
> cgroups is a Linux kernel feature that limits, accounts for, and isolates the resource usage (CPU, memory, disk I/O, network, etc.) of a collection of processes.
|
||||
|
||||
It might not be totally clear at the first read, but cgroups are two differents things:
|
||||
|
||||
1. A method to create groups of processus
|
||||
2. A method to apply limitation, accounting, etc. on these groups
|
||||
|
||||
<span></span>
|
||||
|
||||
If you want to read more on this, the article [Control Groups vs. Control Groups](http://0pointer.de/blog/projects/cgroups-vs-cgroups.html) by Lennart Poettering explains how systemd uses cgroups and why the distinction is crucial.
|
||||
|
||||
## Namespaces: isolate your system resources
|
||||
|
||||
Michael Kerrisk wrote an interesting [serie of articles about namespaces](https://lwn.net/Articles/531114/) on LWN. I find its definition of namespaces particularly interesting:
|
||||
|
||||
> The purpose of each namespace is to wrap a particular global system resource in an abstraction that makes it appear to the processes within the namespace that they have their own isolated instance of the global resource.
|
||||
|
||||
At first glance, namespaces handle could appear trivial in LXC: every available namespaces are used and that's all.
|
||||
|
||||
## Seccomp
|
||||
|
||||
## Capabilities: split the root
|
||||
|
||||
## Linux Security Modules (LSM)
|
||||
|
||||
## Other
|
||||
|
||||
prlimit
|
||||
|
|
BIN
assets/images/posts/harden-factory.jpg
Normal file
BIN
assets/images/posts/harden-factory.jpg
Normal file
Binary file not shown.
After Width: | Height: | Size: 498 KiB |
Loading…
Reference in a new issue