openstack team mailing list archive

[OSSG] Security Note: Selecting LXC as Nova Virtualization Driver can lead to data compromise.

The following is the first of a series of OpenStack Security Notes that will be issued by the OpenStack Security Group. Security notes are similar to advisories; they address vulnerabilities in third-party tools typically used within OpenStack deployments and provide guidance on common configuration mistakes that can result in an insecure operating environment.

Selecting LXC as Nova Virtualization Driver can lead to data compromise.
------

### Summary ###
LXC does not provide the same level of separation as hypervisors when chosen as the Nova 'virtualization driver'. Attempting to use LXC as a drop-in replacement for a hypervisor can result in data exposure between tenants.

### Affected Services / Software ###
Nova, LXC, Libvirt, 'Virtualization Driver'

### Discussion ###
LXC (also known as Linux containers) is a virtualization technology that works at the operating system level. This is different from hardware virtualization, the approach used by other hypervisors such as KVM, Xen, and VMware.
The quality of container isolation in LXC heavily depends on implementation. While pure LXC is generally well-isolated through various mechanisms (for example AppArmor in Ubuntu), LXC through libvirt is not. A guest who operates within one container is able to affect another container's CPU share, memory limit and block devices, among other issues.
For more information on the effects of this issue, see this [bug](https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1088295).

### Recommended Actions ###
The OSSG advises that anyone deploying Nova in environments that require any level of separation use a hypervisor such as Xen, KVM, VMware or Hyper-V.

LXC security pivots on a system known as DAC (discretionary access control), which is not currently capable of providing strong isolation of guests. Work is underway to improve DAC, but it's not ready for production use at this time.

The OSSG recommends against using LXC for enforcing secure separation of guests, even with appropriate AppArmor policies applied.

### Contacts / References ###
Nova : http://docs.openstack.org/developer/nova/
LXC : http://lxc.sourceforge.net/
Libvirt : http://libvirt.org/
KVM : http://www.linux-kvm.org/page/Main_Page
Xen : http://xen.org/products/xenhyp.html
LXC DAC : https://wiki.ubuntu.com/UserNamespace
LXC LibVirt Discussion : https://www.berrange.com/posts/2011/09/27/getting-started-with-lxc-using-libvirt/
OpenStack Security Group : https://launchpad.net/~openstack-ossg
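
A minimal configuration audit for the recommendation above, as an added example that is not part of the original security note: it flags a nova.conf that selects LXC as the libvirt virtualization type. The option names (`libvirt_type` under `[DEFAULT]` in older releases, `virt_type` under `[libvirt]` in later ones, and `compute_driver`) are assumptions about the deployment's Nova release, and the sample configurations are constructed.

```python
import configparser

# Assumed option names: older Nova releases read [DEFAULT] libvirt_type,
# later ones read [libvirt] virt_type.
VIRT_TYPE_OPTIONS = (("DEFAULT", "libvirt_type"), ("libvirt", "virt_type"))


def audit_nova_conf(text):
    """Return (section, option, compute_driver) for every LXC selection found."""
    # default_section is renamed so [DEFAULT] is parsed as an ordinary section
    # and its values cannot leak into the [libvirt] lookup.
    cfg = configparser.ConfigParser(
        strict=False, interpolation=None, default_section="__unused__")
    cfg.read_string(text)

    driver = cfg.get("DEFAULT", "compute_driver", fallback=None)
    findings = []
    for section, option in VIRT_TYPE_OPTIONS:
        value = cfg.get(section, option, fallback=None)
        if value is None:
            continue
        # Tolerate quoting and mixed case in hand-edited files.
        if value.strip().strip("'\"").lower() == "lxc":
            findings.append((section, option, driver))
    return findings


# Constructed sample configurations (not taken from any real deployment).
LEGACY_LXC = """
[DEFAULT]
compute_driver = libvirt.LibvirtDriver
libvirt_type = LXC
"""

MODERN_KVM = """
[DEFAULT]
compute_driver = libvirt.LibvirtDriver
[libvirt]
virt_type = kvm
"""

if __name__ == "__main__":
    for name, conf in (("legacy", LEGACY_LXC), ("modern", MODERN_KVM)):
        for section, option, driver in audit_nova_conf(conf):
            print(f"{name}: [{section}] {option} selects LXC "
                  f"(compute_driver={driver}); guests are not isolated")
```
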

