Is using linux containers (lxc) like docker safe?

If I allow the user to run whatever he wants, can he do something malicious to break out of the container in which he is being executed?

+4
2 answers

As far as I can tell, the answer is yes. So you probably shouldn't hand out sudo rights on any container ...

A quick google search gave me the following.

  • At https://wiki.ubuntu.com/LxcSecurity :

    ... containers always (by design) share the same kernel as the host. Therefore any vulnerability in the kernel interface, unless the container is forbidden the use of that interface (i.e. using seccomp2), can be exploited by the container to harm the host.

  • On http://www.funtoo.org/wiki/Linux_Containers

    As of the Linux 3.1.5 kernel, LXC is usable for isolating your own private workloads from one another. It is not yet ready for isolating potentially malicious users from each other or from the host system.

    They suggest OpenVZ as an alternative.

+4

Docker does its best to create containers that prevent malicious users from doing bad things. As an example, it removes the ability for any user to run mount.

It is not guaranteed that the user cannot break out of the container using an exploit in cgroups or that the configuration is perfect. This should be evaluated as needed.

+9
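Both answers above point at the same mechanism: the container shares the host kernel, so the only way to take a kernel interface such as mount(2) away from a contained process is to filter the syscall (the "seccomp2" the Ubuntu wiki mentions, and the reason Docker's default profile makes mount fail with EPERM unless the container is granted CAP_SYS_ADMIN). The following is an added example, not code from the original page, from Docker, or from LXC: a minimal seccomp-BPF filter that denies mount(2) with a caller-chosen errno and allows everything else. It assumes Linux on x86-64, i386 or aarch64 with kernel headers available; the target path `/mnt` and the function names are illustrative choices of this example.

```c
/* Added example (not Docker's or LXC's code): deny mount(2) with a
 * seccomp-BPF filter, the same technique Docker's default profile uses.
 * Linux only; assumes x86-64, i386 or aarch64. */
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#define ARCH_NR AUDIT_ARCH_I386
#else
#error "unsupported architecture for this example"
#endif

/* Older headers only know SECCOMP_RET_KILL (kills the thread). */
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

/* Install a filter that makes mount(2) fail with deny_errno and allows
 * every other syscall. Returns 0 on success, -1 on failure. The filter
 * is inherited by children and cannot be removed by the process. */
int install_mount_filter(int deny_errno)
{
    struct sock_filter filter[] = {
        /* Kill the process if the syscall comes from a different
         * architecture's table (e.g. a 32-bit syscall on a 64-bit
         * kernel); otherwise the number compared below means
         * something else and the filter could be bypassed. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        /* Load the syscall number. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        /* mount(2): return -deny_errno to the caller without running it. */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_mount, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (deny_errno & SECCOMP_RET_DATA)),
        /* Everything else passes through unchanged. */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = sizeof(filter) / sizeof(filter[0]),
        .filter = filter,
    };

    /* Required for an unprivileged process to install a filter; it also
     * stops setuid binaries from regaining privileges afterwards. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return -1;
    return 0;
}

/* Attempt to mount a tmpfs on target. Returns 0 if the mount succeeded
 * (and was undone), otherwise the errno the kernel reported. With the
 * filter in place the syscall never reaches the kernel's mount code. */
int try_mount_tmpfs(const char *target)
{
    if (mount("none", target, "tmpfs", 0, NULL) == 0) {
        umount(target);
        return 0;
    }
    return errno;
}

int main(void)
{
    /* EPERM mirrors what Docker's default profile returns. */
    if (install_mount_filter(EPERM) != 0) {
        perror("seccomp");
        return 1;
    }
    int err = try_mount_tmpfs("/mnt");   /* "/mnt" is an illustrative target */
    printf("mount() after filter: %s\n", err ? strerror(err) : "succeeded");
    return err == EPERM ? 0 : 1;
}
```

Note what the filter does and does not buy you: it keeps a process from entering mount(2) at all, so a bug in the mount code path is unreachable, but every syscall it allows is still executed by the shared kernel, which is exactly the residual risk the answers describe. Run the program as root and the mount still fails, because the check happens before privilege is considered; run it without the filter and an unprivileged user gets EPERM from the kernel itself, which is why a test should use a distinctive errno to prove the filter, not the kernel's own permission check, is what refused the call.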

Source: https://habr.com/ru/post/1490237/
