 

Is using Linux containers (LXC) like Docker safe?

If I allow a user to run whatever he wants, is he able to do bad things to the environment in which the container was executed?

Sławosz asked Dec 12 '22 13:12


2 Answers

Docker does its best to create containers which do not allow mischievous users to do bad things. As an example, it removes the ability for any user to execute mount.

That being said, there is no guarantee that a user cannot break out of the container given an exploit in cgroups or that the configuration is perfect. This should be evaluated on an as-needed basis.

Nick Stinemates answered Jan 21 '23 00:01


As far as I can see, the answer is yes. So you should probably not give a hacker sudo rights on any container...

A quick Google search gave me the following.

  • On https://wiki.ubuntu.com/LxcSecurity:

    ... containers will always (by design) share the same kernel as the host. Therefore, any vulnerabilities in the kernel interface, unless the container is forbidden the use of that interface (i.e. using seccomp2) can be exploited by the container to harm the host.

  • On http://www.funtoo.org/wiki/Linux_Containers:

    As of Linux kernel 3.1.5, LXC is usable for isolating your own private workloads from one another. It is not yet ready to isolate potentially malicious users from one another or the host system.

    They propose OpenVZ as an alternative.

qkrijger answered Jan 20 '23 23:01