WIP 2 hardening LXC

This commit is contained in:
Quentin Dufour 2017-08-22 10:43:35 +02:00
parent acae001b47
commit 5ac363f2b8
2 changed files with 62 additions and 2 deletions

@ -13,9 +13,9 @@ tags:
- containers
---
[![LXC Logo](/assets/images/posts/harden-container.jpg)](https://www.flickr.com/photos/mr-rollers/32972266123/)
![A real container](/assets/images/posts/harden-container.jpg)
<div style="font-size: 12px; text-align:center; margin-top:-20px">
*By Mr. Rollers. License CC BY-NC-ND 2.0*
*By [Mr. Rollers](https://www.flickr.com/photos/mr-rollers/32972266123/). License CC BY-NC-ND 2.0*
</div>
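Review bot: the caption emphasis `*By [Mr. Rollers](...). License CC BY-NC-ND 2.0*` sits inside a raw `<div ...>` block, and most Markdown renderers (CommonMark, kramdown without `parse_block_html`) do not parse Markdown inside an HTML block, so the line is likely to render with literal asterisks and an unlinked URL. Either use plain HTML in the caption (`<em>By <a href="https://www.flickr.com/photos/mr-rollers/32972266123/">Mr. Rollers</a>. License CC BY-NC-ND 2.0</em>`) or put blank lines between the `<div>`, the caption and the `</div>` so the renderer treats the middle line as Markdown. The same pattern is used for the factory caption in the next hunk.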
@ -33,6 +33,66 @@ If you feel a bit lost with all these terms, a good start is the reading of this
## Creating a standard LXC container
![A factory](/assets/images/posts/harden-factory.jpg)
<div style="font-size: 12px; text-align:center; margin-top:-20px">
*By [Thomas Berg](https://www.flickr.com/photos/decafinata/1989725289/). License CC BY-SA 2.0*
</div>
Before starting, you'll need a very recent version of LXC, at least lxc-2.0.9 (not yet released as of this writing). Fortunately, you can compile it from its master branch. We'll see later why we need a such recent version.
Here is a quick reminder on how to compile LXC:
```bash
git clone https://github.com/lxc/lxc
cd lxc
./autogen.sh
./configure
make -j8
sudo make install
```
Now let's create a basic container (we'll use Fedora but the instructions should work for every distributions):
```bash
sudo lxc-create -n harden -t fedora
```
As you'll need to debug the launch of your container, I can only recommend you this command line :
```bash
sudo lxc-start -n harden -lDEBUG -F
```
It will launch your container in foreground (so you'll be able to see systemd logs at boot) and it will log many useful informations in the `/var/log/lxc/harden.log` file.
## cgroups: group your processes
[Wikipedia](https://en.wikipedia.org/wiki/Cgroups) proposes the following definition:
> cgroups is a Linux kernel feature that limits, accounts for, and isolates the resource usage (CPU, memory, disk I/O, network, etc.) of a collection of processes.
It might not be totally clear at the first read, but cgroups are two differents things:
1. A method to create groups of processus
2. A method to apply limitation, accounting, etc. on these groups
<span></span>
If you want to read more on this, the article [Control Groups vs. Control Groups](http://0pointer.de/blog/projects/cgroups-vs-cgroups.html) by Lennart Poettering explains how systemd uses cgroups and why the distinction is crucial.
## Namespaces: isolate your system resources
Michael Kerrisk wrote an interesting [serie of articles about namespaces](https://lwn.net/Articles/531114/) on LWN. I find its definition of namespaces particularly interesting:
> The purpose of each namespace is to wrap a particular global system resource in an abstraction that makes it appear to the processes within the namespace that they have their own isolated instance of the global resource.
At first glance, namespaces handle could appear trivial in LXC: every available namespaces are used and that's all.
## Seccomp
## Capabilities: split the root
## Linux Security Modules (LSM)
## Other
prlimit
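Review bot: the build recipe (`git clone https://github.com/lxc/lxc` ... `sudo make install`) does not pin a revision, so a reader following it gets whatever master is at that moment rather than the "at least lxc-2.0.9" the text asks for, and `./configure` with no `--prefix` installs under `/usr/local`, which can shadow or conflict with a distribution-packaged LXC (different config search paths, `lxc-start` resolved from `/usr/local/bin` or `/usr/bin` depending on `PATH`). Suggest adding a `git checkout <tag or commit>` step once 2.0.9 is tagged, and either an explicit `--prefix` or a sentence telling the reader to remove the distro package first. Also, "We'll see later why we need a such recent version" has no matching explanation in this hunk, and the `## Seccomp`, `## Capabilities`, `## Linux Security Modules (LSM)` and `## Other` sections are bare headings (the last holds only the word `prlimit`); fine for a WIP commit, but the forward reference should be resolved before this is published.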

Binary file not shown.