If I allow a user to run whatever he wants, is he able to do bad things to the env in which the container was executed?


Solution 2

As far as I can see, the answer is yes. So you should probably not give a hacker sudo rights on any container...

A quick Google search gave me the following.

  • On https://wiki.ubuntu.com/LxcSecurity:

    ... containers will always (by design) share the same kernel as the host. Therefore, any vulnerabilities in the kernel interface, unless the container is forbidden the use of that interface (i.e. using seccomp2) can be exploited by the container to harm the host.

  • On http://www.funtoo.org/wiki/Linux_Containers

    As of Linux kernel 3.1.5, LXC is usable for isolating your own private workloads from one another. It is not yet ready to isolate potentially malicious users from one another or the host system.

    They propose OpenVZ as an alternative.

Other tips

Docker does its best to create containers which do not allow mischievous users to do bad things. As an example, it removes the ability for any user to be able to execute mount.

That being said, there is no guarantee that a user cannot break out of the container given an exploit in cgroups or that the configuration is perfect. This should be evaluated on an as-needed basis.
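
The answers above mention seccomp and Docker removing the ability to execute mount. As an added example (not part of either answer), this script reads those settings from `/proc/<pid>/status` text so a container's actual restrictions can be checked. The sample status text and the selection of capabilities in `RISKY_CAPS` are constructed for illustration.

```python
"""Report kernel-facing isolation settings from /proc/<pid>/status text."""

# Capability bit numbers from linux/capability.h. The selection is an
# assumption of this example: each one widens the kernel interface a
# containerized process can reach.
RISKY_CAPS = {
    "CAP_DAC_READ_SEARCH": 2,
    "CAP_NET_ADMIN": 12,
    "CAP_SYS_MODULE": 16,
    "CAP_SYS_RAWIO": 17,
    "CAP_SYS_PTRACE": 19,
    "CAP_SYS_ADMIN": 21,  # required by mount(2)
}


def parse_status(text):
    """Turn 'Key:<tab>value' lines into a dict, skipping malformed lines."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def audit(text):
    """Return a list of findings; an empty list means no check fired."""
    f = parse_status(text)
    findings = []
    if "CapEff" not in f:
        findings.append("CapEff missing, capabilities unknown")
    else:
        cap_eff = int(f["CapEff"], 16)
        for name, bit in sorted(RISKY_CAPS.items(), key=lambda kv: kv[1]):
            if (cap_eff >> bit) & 1:
                findings.append(f"effective capability {name}")
    seccomp = f.get("Seccomp")  # 0 = disabled, 1 = strict, 2 = filter
    if seccomp is None:
        findings.append("seccomp state unknown")
    elif int(seccomp) == 0:
        findings.append("seccomp disabled")
    if f.get("NoNewPrivs", "0") != "1":
        findings.append("no_new_privs not set")
    return findings


# Constructed samples, not captured from a real host.
DEFAULT_LIKE = "Name:\tsh\nUid:\t0\t0\t0\t0\nCapEff:\t00000000a80425fb\nNoNewPrivs:\t0\nSeccomp:\t2\n"
PRIVILEGED_LIKE = "Name:\tsh\nUid:\t0\t0\t0\t0\nCapEff:\t0000003fffffffff\nNoNewPrivs:\t0\nSeccomp:\t0\n"
```

To check a live process, pass the contents of `/proc/self/status` (read inside the container) to `audit()`.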

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow