diff --git a/_posts/2017-08-22-hardening-lxc-containers.md b/_posts/2017-08-22-hardening-lxc-containers.md
index eba4094..caec1d9 100644
--- a/_posts/2017-08-22-hardening-lxc-containers.md
+++ b/_posts/2017-08-22-hardening-lxc-containers.md
@@ -4,7 +4,7 @@ slug: hardening-lxc-containers-running-systemd
status: draft
sitemap: true
title: Hardening LXC containers running systemd
-description: Especially with systemd in the equation
+description: An epic trying to drop CAP\_SYS\_ADMIN
disqus: false
categories:
tags:
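Review bot: the new `description:` value escapes the underscores as `CAP\_SYS\_ADMIN`, but in a YAML plain scalar the backslashes are kept literally, so the rendered meta description will read `CAP\_SYS\_ADMIN` with backslashes; underscores need no escaping here, so write `description: An epic trying to drop CAP_SYS_ADMIN`. Wording-wise, `An epic attempt to drop CAP_SYS_ADMIN` reads better than `An epic trying to drop`.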
@@ -15,10 +15,9 @@ tags:
![A real container](/assets/images/posts/harden-container.jpg)
-*By [Mr. Rollers](https://www.flickr.com/photos/mr-rollers/32972266123/). License CC BY-NC-ND 2.0*
+*A container. Photo by [Mr. Rollers](https://www.flickr.com/photos/mr-rollers/32972266123/). CC BY-NC-ND 2.0*
-
Hardening Linux Containers, and more especially [LXC containers](https://linuxcontainers.org/fr/lxc/introduction/), is needed to prevent a malicious user to escape your container. But before starting, we need to understand how containers work under the hood.
As said by Jessie Frazelle in her blog post [Setting the Record Straight: containers vs. Zones vs. Jails vs. VMs](https://blog.jessfraz.com/post/containers-zones-jails-vms/), containers in Linux are not a top level design like Zone in Solaris and Jails in BSD.
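Review bot: the lone `-` line removes a blank line right between the caption `*A container. Photo by ...*` and the paragraph starting `Hardening Linux Containers`; if no other blank line separates them, Markdown will fold the italic caption into the first line of that paragraph, so please confirm a blank line survives after the caption. Two small things in the visible context lines: `to prevent a malicious user to escape your container` should be `from escaping your container`, and the LXC introduction link points at the French page (`/fr/lxc/introduction/`) on an English-language post.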
@@ -35,7 +34,7 @@ If you feel a bit lost with all these terms, a good start is the reading of this
![A factory](/assets/images/posts/harden-factory.jpg)
-*By [Thomas Berg](https://www.flickr.com/photos/decafinata/1989725289/). License CC BY-SA 2.0*
+*A factory building containers ? Photo by [Thomas Berg](https://www.flickr.com/photos/decafinata/1989725289/). CC BY-SA 2.0*
Before starting, you'll need a very recent version of LXC, at least lxc-2.0.9 (not yet released as of this writing). Fortunately, you can compile it from its master branch. We'll see later why we need a such recent version.
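Review bot: the new caption puts a space before the question mark (`A factory building containers ?`), which is French typography; in English it should be `A factory building containers? Photo by ...`. While here, the context line `a such recent version` should read `such a recent version`.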
@@ -64,8 +63,20 @@ sudo lxc-start -n harden -lDEBUG -F
It will launch your container in foreground (so you'll be able to see systemd logs at boot) and it will log many useful informations in the `/var/log/lxc/harden.log` file.
+## Capabilities: split the root
+
+![Puzzle](/assets/images/posts/harden-puzzle.jpg)
+
+*The great puzzle of root. Photo by [Kevin Dooley](https://www.flickr.com/photos/pagedooley/14555354976). CC BY 2.0.*
+
+
## cgroups: group your processes
+![Lions](/assets/images/posts/harden-lions.jpg)
+
+*A cgroup of lions with parents and children. Photo by [Joel Herzog](https://unsplash.com/@joel_herzog). Unsplash license.*
+
+
[Wikipedia](https://en.wikipedia.org/wiki/Cgroups) proposes the following definition:
> cgroups is a Linux kernel feature that limits, accounts for, and isolates the resource usage (CPU, memory, disk I/O, network, etc.) of a collection of processes.
@@ -87,12 +98,22 @@ Michael Kerrisk wrote an interesting [serie of articles about namespaces](https:
At first glance, namespaces handle could appear trivial in LXC: every available namespaces are used and that's all.
-## Seccomp
+## Seccomp: filter your syscalls
-## Capabilities: split the root
+![Barriers](/assets/images/posts/harden-barrier.jpg)
+
+*The seccomp barrier protects the access to the kernel. Photo by [Mike Wilson](https://unsplash.com/@mkwlsn). Unsplash license.*
+
-## Linux Security Modules (LSM)
+## LSM: mandatory access control
+
+![Top Secret](/assets/images/posts/harden-secret.jpg)
+
+*Back to the origin. Photo by [Michelangelo Carrieri](https://www.flickr.com/photos/malakhkelevra/4951863053). CC BY-ND 2.0*
+
## Other
-prlimit
+### prlimit
+
+### /dev
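Review bot: the added `## Capabilities: split the root`, `## Seccomp: filter your syscalls` and `## LSM: mandatory access control` sections each consist of a heading, an image and a caption with no body text, and `### prlimit` and `### /dev` under `## Other` are bare headings; that is fine while `status: draft` is set, but the capabilities section is now the one the new description (`drop CAP\_SYS\_ADMIN`) points readers at, so it should be the first to get content before this goes live. Caption punctuation is inconsistent across the hunk: `CC BY 2.0.`, `Unsplash license.` and `Unsplash license.` end with a period while `CC BY-ND 2.0` (and `CC BY-NC-ND 2.0` earlier) do not; pick one style. The double blank lines after the Puzzle and Lions captions can be collapsed to a single blank line. In the visible context lines, `many useful informations` should be `much useful information`, `serie of articles` should be `series of articles`, and `namespaces handle could appear trivial in LXC: every available namespaces are used` should be `namespace handling could appear trivial in LXC: every available namespace is used`.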
diff --git a/assets/images/posts/harden-barrier.jpg b/assets/images/posts/harden-barrier.jpg
new file mode 100644
index 0000000..f8edd24
Binary files /dev/null and b/assets/images/posts/harden-barrier.jpg differ
diff --git a/assets/images/posts/harden-lions.jpg b/assets/images/posts/harden-lions.jpg
new file mode 100644
index 0000000..b12cc2c
Binary files /dev/null and b/assets/images/posts/harden-lions.jpg differ
diff --git a/assets/images/posts/harden-puzzle.jpg b/assets/images/posts/harden-puzzle.jpg
new file mode 100644
index 0000000..1742b7a
Binary files /dev/null and b/assets/images/posts/harden-puzzle.jpg differ
diff --git a/assets/images/posts/harden-secret.jpg b/assets/images/posts/harden-secret.jpg
new file mode 100644
index 0000000..db2e93a
Binary files /dev/null and b/assets/images/posts/harden-secret.jpg differ