Hi,

On 11/11/2017 10:26 AM, Thomas wrote:
> I have received some interesting information regarding LightVM
> <http://cnp.neclab.eu/projects/lightvm/>.

Not directly related to your security question, but as this project is building on Xen it cannot coexist with our KVM VMs and needs another kernel too.

> In a white paper <http://cnp.neclab.eu/projects/lightvm/lightvm.pdf> there's
> a statement related to pros and cons of container-based solutions (page 2):
> "However, no technology is perfect, and containers are no exception: security
> is a continuous thorn in their side. The main culprit is the hugely powerful
> kernel syscall API that containers use to interact with the host OS. This API
> is very broad as it offers kernel support for process and thread management,
> memory, network, filesystems, IPC, and so forth: Linux, for instance, has 400
> different system calls [37], most with multiple parameters and many with
> overlapping functionality; moreover, the number of syscalls is constantly
> increasing (see figure 1). The syscall API is fundamentally more difficult to
> secure than the relatively simple x86 ABI offered by virtual machines where
> memory isolation (with hardware support) and CPU protection rings are
> sufficient."
> [37] MAN page. [n. d.]. Linux system calls list.
> http://man7.org/linux/manpages/man2/syscalls.2.html. ([n. d.])
>
> Question:
> What is the experts' opinion on the statements regarding security
> concerns/issues?

Also VMs are not locked down, there's memory to be moved, IO to happen, ... And where this happens there is often room for security implications.

Although yes, the attack surface for a "host take over" is smaller, but containers are not as open as they suggest, IMO.

Parts of the API are inaccessible from a CT as syscalls are filtered with seccomp. AppArmor profiles enforce mandatory access controls for doing stuff (e.g. mounting something), then the CT lives in its own namespaces, away from other processes with reduced capabilities.

For a far better and more extensive overview read:
https://linuxcontainers.org/lxc/security/

Unprivileged CTs are available in PVE, if you are concerned about security, then those are a really good choice.

cheers,
Thomas

_______________________________________________
pve-devel mailing list
[email protected]
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
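The reply above lists the layers that narrow the syscall API for a CT: a seccomp filter, a reduced capability set, and (for unprivileged CTs) a user namespace in which root is mapped to an unprivileged host uid. The kernel reports all three in /proc/<pid>/status (Seccomp, CapBnd, NoNewPrivs) and /proc/<pid>/uid_map, so a defender can verify from inside a container that the confinement is really in place. The following script is an added example, not part of the thread and not PVE or LXC code; the capability list follows <linux/capability.h>, the set of capabilities it expects to be dropped (WANT_DROPPED) is an assumption chosen for the check rather than any LXC or PVE default, and the two sample /proc excerpts are constructed.

```python
"""Check whether a process is confined the way an LXC/PVE container should be:
seccomp filter active, capability bounding set trimmed, root mapped to an
unprivileged host uid.  Reads the fields the kernel exposes in
/proc/<pid>/status and /proc/<pid>/uid_map.  Sample inputs are constructed."""

from dataclasses import dataclass, field

# Capability names indexed by bit number, as in <linux/capability.h>.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# Capabilities this check expects a CT to have dropped from its bounding set.
# Assumption for the example, not an LXC or PVE default.
WANT_DROPPED = {"CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_RAWIO",
                "CAP_SYS_TIME", "CAP_MAC_ADMIN", "CAP_MAC_OVERRIDE"}

SECCOMP_MODES = {0: "disabled", 1: "strict", 2: "filter"}


def decode_caps(hexmask: str) -> list[str]:
    """Turn a CapXxx hex mask from /proc/<pid>/status into capability names."""
    mask = int(hexmask, 16)
    return [name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1]


def parse_status(text: str) -> dict[str, str]:
    """Parse the 'Key:<tab>value' lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def parse_uid_map(text: str) -> list[tuple[int, int, int]]:
    """Parse /proc/<pid>/uid_map rows: (id inside ns, id in parent ns, count)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            rows.append((int(parts[0]), int(parts[1]), int(parts[2])))
    return rows


@dataclass
class Report:
    seccomp_mode: str
    no_new_privs: bool
    unprivileged: bool
    caps_kept: list[str] = field(default_factory=list)
    findings: list[str] = field(default_factory=list)


def audit(status_text: str, uid_map_text: str) -> Report:
    """Evaluate the confinement of one process from its /proc excerpts."""
    st = parse_status(status_text)
    mode = SECCOMP_MODES.get(int(st.get("Seccomp", "0")), "unknown")
    nnp = st.get("NoNewPrivs", "0") == "1"
    caps = decode_caps(st.get("CapBnd", "0"))
    # Root in the CT is unprivileged only if uid 0 maps to a non-zero host uid.
    root_rows = [r for r in parse_uid_map(uid_map_text) if r[0] == 0]
    unprivileged = bool(root_rows) and root_rows[0][1] != 0
    report = Report(mode, nnp, unprivileged, caps)
    if mode != "filter":
        report.findings.append(f"seccomp mode is '{mode}', no syscall filter")
    if not unprivileged:
        report.findings.append("uid 0 in the container is uid 0 on the host")
    for cap in sorted(WANT_DROPPED & set(caps)):
        report.findings.append(f"{cap} still in bounding set")
    return report


def audit_pid(pid: str = "self") -> Report:
    """Run the check against a live process (Linux only)."""
    with open(f"/proc/{pid}/status") as f, open(f"/proc/{pid}/uid_map") as g:
        return audit(f.read(), g.read())


# Constructed sample: shell inside an unprivileged CT with a seccomp filter and
# the six WANT_DROPPED capabilities cleared from the bounding set.
CONFINED_STATUS = ("Name:\tbash\nUid:\t0\t0\t0\t0\nCapBnd:\t000001fcfddcffff\n"
                   "NoNewPrivs:\t1\nSeccomp:\t2\n")
CONFINED_UID_MAP = "         0     100000      65536\n"
# Constructed sample: root shell on the host, nothing filtered or dropped.
HOST_STATUS = ("Name:\tbash\nUid:\t0\t0\t0\t0\nCapBnd:\t000001ffffffffff\n"
               "NoNewPrivs:\t0\nSeccomp:\t0\n")
HOST_UID_MAP = "         0          0 4294967295\n"

if __name__ == "__main__":
    for label, s, u in (("container", CONFINED_STATUS, CONFINED_UID_MAP),
                        ("host", HOST_STATUS, HOST_UID_MAP)):
        r = audit(s, u)
        print(f"{label}: seccomp={r.seccomp_mode} unprivileged={r.unprivileged} "
              f"caps={len(r.caps_kept)}")
        for finding in r.findings:
            print("  -", finding)
```

Run it inside a CT with `python3 ctcheck.py` (or call `audit_pid()` from a shell) and compare with the same run on the host: the container sample reports seccomp in filter mode, root mapped to host uid 100000 and 35 of 41 capabilities left, while the host sample produces one finding per missing layer. The uid_map test is what distinguishes an unprivileged CT from a privileged one; a privileged CT still gets seccomp and the capability drop, but its uid 0 is the host's uid 0.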
