LXC 1.0
Lean and Quick
Security
A few horror stories are in circulation about containers. They tell of how administrators can compromise their entire host system with a container. Some time ago, these problems existed because containers shared the kernel with the host. However, today, user namespaces are pretty well protected thanks to capabilities, CGroups, AppArmor/SELinux, and Seccomp. Linux containers currently have no known security issues.
The /etc/apparmor.d/abstractions/lxc/ directory gives details about the AppArmor policy in Ubuntu 14.04. The Seccomp policy for LXC is hidden in /usr/share/lxc/config/common.seccomp. Some allow and deny rules for CGroups (lxc.cgroup.devices.allow/deny) and capability limits (lxc.cap.drop) are in the configuration template in the /usr/share/lxc/config/ folder.
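The settings just listed are the ones worth checking before a container goes into service. The following script is an added example (not from the article or from the LXC project) that audits a container's config for them: an AppArmor profile set to unconfined, missing lxc.cap.drop entries, a device cgroup without a default deny, and a missing lxc.seccomp line. It assumes the LXC 1.0 config keys as used on Ubuntu 14.04; the two sample configs it can write are constructed for trying it out, not real containers.

```shell
#!/bin/sh
# Added example, not from the article or the LXC project: audit an LXC 1.0
# container config for the hardening settings the article names.
# Assumptions: the keys lxc.cap.drop, lxc.cgroup.devices.deny/allow,
# lxc.aa_profile and lxc.seccomp as used by LXC 1.0 on Ubuntu 14.04;
# the sample configs below are constructed, not real containers.

# Print the value(s) of KEY from CONFIG (comments ignored), one per line.
cfg_values() {  # usage: cfg_values KEY CONFIG
    grep -v '^[[:space:]]*#' "$2" |
        sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p"
}

# Print one finding per line; no output means the config passes these checks.
audit_config() {  # usage: audit_config CONFIG
    cfg="$1"
    # AppArmor: LXC applies lxc-container-default unless the profile is unconfined.
    if cfg_values lxc.aa_profile "$cfg" | grep -qx unconfined; then
        echo "AppArmor disabled: lxc.aa_profile = unconfined"
    fi
    # Capabilities: module loading, MAC override and clock changes should be dropped.
    drops=$(cfg_values lxc.cap.drop "$cfg" | tr ' ' '\n')
    if [ -z "$drops" ]; then
        echo "no capabilities dropped: lxc.cap.drop missing"
    else
        for cap in sys_module mac_admin mac_override sys_time; do
            echo "$drops" | grep -qx "$cap" || echo "capability not dropped: $cap"
        done
    fi
    # Device cgroup: expect deny-all ("a") plus explicit allow lines; allow-all defeats it.
    if ! cfg_values lxc.cgroup.devices.deny "$cfg" | grep -qx a; then
        echo "no default device deny rule: lxc.cgroup.devices.deny = a missing"
    fi
    if cfg_values lxc.cgroup.devices.allow "$cfg" | grep -qx a; then
        echo "all devices allowed: lxc.cgroup.devices.allow = a"
    fi
    # Seccomp: the policy file should be referenced.
    if [ -z "$(cfg_values lxc.seccomp "$cfg")" ]; then
        echo "no seccomp policy: lxc.seccomp missing"
    fi
}

# Number of findings, for scripting.
count_findings() {  # usage: count_findings CONFIG
    audit_config "$1" | wc -l | tr -d ' '
}

# Write a constructed sample config (weak or hardened) to FILE, for trying the audit.
write_sample_config() {  # usage: write_sample_config weak|hardened FILE
    case "$1" in
    weak) cat > "$2" <<'EOF'
# constructed sample: a permissive container
lxc.utsname = weak
lxc.rootfs = /var/lib/lxc/weak/rootfs
lxc.aa_profile = unconfined
lxc.cgroup.devices.allow = a
EOF
        ;;
    hardened) cat > "$2" <<'EOF'
# constructed sample: default-deny devices, dropped capabilities, seccomp on
lxc.utsname = hardened
lxc.rootfs = /var/lib/lxc/hardened/rootfs
lxc.cap.drop = mac_admin mac_override sys_time sys_module
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
lxc.seccomp = /usr/share/lxc/config/common.seccomp
EOF
        ;;
    esac
}

# Usage: LXC_CONFIG=/var/lib/lxc/NAME/config sh lxc_audit.sh
if [ -n "${LXC_CONFIG:-}" ]; then
    audit_config "$LXC_CONFIG"
fi
```

Run against a real container with LXC_CONFIG pointing at its config file; the weak sample produces five findings, the hardened sample none. The checks deliberately read the container's own config only, so settings inherited from the template via lxc.include are not followed; run it on the merged result if you rely on includes.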
Snapshots and Clones
The usual location for containers is on the host system in /var/lib/lxc/<Container-Name>/rootfs/. LXC also copes with filesystems such as Btrfs and ZFS, as well as with LVM and OverlayFS.
On the basis of OverlayFS, you can create a master container (Listing 5); then, you can create several clones with lxc-clone, of which LXC only stores the deltas. This proves to be practical and space-saving, especially for test environments. However, you shouldn't enable the master container itself in this scenario.
Listing 5
Creating a Master Container
root@ubuntu:/var/lib/lxc# lxc-create -t ubuntu -n ubuntu_master
root@ubuntu:/var/lib/lxc# lxc-clone -s -B overlayfs ubuntu_master ubuntu_overlay1
root@ubuntu:/var/lib/lxc# cat ubuntu_overlay1/delta0/etc/hostname
ubuntu_overlay1
The lxc-snapshot command, unsurprisingly, creates snapshots of a container (Figure 5). For this, you first need to stop the current container. If a logical volume manager is being used, LXC creates an LVM snapshot via lxc-clone -s. You can reset a container to a snapshot using the -r option for lxc-snapshot.
Troubleshooting
If a container is causing problems when starting up, start it in the foreground. To do this, simply leave out the -d option with lxc-start. Once you have identified the problem, immediately mount a stopped container's filesystem; then, work on the problem in the mounted system. Alternatively, set a different default runlevel.
Additionally, the lxc-* commands support a logfile parameter (-o) and a corresponding log priority (-l). You might also be interested in the kernel ring buffer and the base system's AppArmor messages. To avoid multiple logging, you should disable rsyslogd kernel logging within the container.
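The troubleshooting steps above, collected into a few shell helpers as an added example (not from the article or from the LXC project): a foreground start with a log file and DEBUG priority, a filter that pulls the AppArmor denials for a container profile out of the kernel ring buffer, and the rsyslog change that stops the container from logging kernel messages a second time. It assumes lxc-start's -n, -o and -l options as in LXC 1.0 and that the container's rsyslog loads kernel logging with "$ModLoad imklog" in /etc/rsyslog.conf (as on Ubuntu 14.04); the kernel-log excerpt it carries is constructed, not real output.

```shell
#!/bin/sh
# Added example, not from the article or the LXC project: the troubleshooting
# steps as helpers: a foreground start with a log file and priority, a filter
# for the host's AppArmor denials (kernel ring buffer), and disabling kernel
# logging in a container's rsyslog. Assumptions: lxc-start's -n/-o/-l options
# as in LXC 1.0; rsyslog loads kernel logging via "$ModLoad imklog" in
# /etc/rsyslog.conf (Ubuntu 14.04); the log lines below are constructed.

# Start NAME in the foreground (no -d), logging at DEBUG to LOGFILE. Run as root.
lxc_foreground_debug() {  # usage: lxc_foreground_debug NAME [LOGFILE]
    lxc-start -n "$1" -o "${2:-/tmp/lxc-$1.log}" -l DEBUG
}

# Read a kernel log (e.g. dmesg output) on stdin and print one tab-separated
# line "profile operation target" per AppArmor denial.
apparmor_denials() {  # usage: dmesg | apparmor_denials
    grep 'apparmor="DENIED"' | while IFS= read -r line; do
        op=$(printf '%s\n' "$line" | sed -n 's/.*operation="\([^"]*\)".*/\1/p')
        prof=$(printf '%s\n' "$line" | sed -n 's/.*profile="\([^"]*\)".*/\1/p')
        target=$(printf '%s\n' "$line" | sed -n 's/.* name="\([^"]*\)".*/\1/p')
        if [ -z "$target" ]; then  # capability denials carry capname= instead of name=
            target=$(printf '%s\n' "$line" | sed -n 's/.*capname="\([^"]*\)".*/\1/p')
        fi
        printf '%s\t%s\t%s\n' "$prof" "$op" "${target:--}"
    done
}

# Count denials per profile, to see which container's policy is in the way.
denials_by_profile() {  # usage: dmesg | denials_by_profile
    apparmor_denials | cut -f1 | sort | uniq -c | sort -rn
}

# Comment out kernel logging in the container's rsyslog config so kernel
# messages are not logged twice (host and container). ROOTFS is the container root.
disable_container_klog() {  # usage: disable_container_klog /var/lib/lxc/NAME/rootfs
    conf="$1/etc/rsyslog.conf"
    sed 's/^\$ModLoad imklog/#&/' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Constructed kernel-log excerpt for trying the filter (not real output).
sample_dmesg() {
    cat <<'EOF'
[ 1234.567890] type=1400 audit(1400000000.001:10): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxc-container-default" pid=1111 comm="apparmor_parser"
[ 1240.123456] type=1400 audit(1400000006.002:11): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default" name="/proc/sys/" pid=2222 comm="mount" flags="rw, remount"
[ 1241.000000] type=1400 audit(1400000007.003:12): apparmor="DENIED" operation="capable" profile="lxc-container-default" pid=2223 comm="ntpd" capability=25 capname="sys_time"
EOF
}
```

Source the file (. ./lxc_debug.sh) and then run, for example, lxc_foreground_debug ubuntu_overlay1 in one terminal and dmesg | denials_by_profile in another; the denial lines tell you which operation the profile blocked, which is usually the difference between a container that hangs at boot and one that starts. On the constructed excerpt the filter yields two denials for lxc-container-default, a mount of /proc/sys/ and the sys_time capability.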