← Back to team overview

openstack team mailing list archive

Re: [OSSG] Security Note: Selecting LXC as Nova Virtualization Driver can lead to data compromise.

 

On Fri, Mar 15, 2013 at 10:44:40AM +0000, Clark, Robert Graham wrote:
> The following is the first of a series of OpenStack Security Notes that will be issued by the OpenStack Security Group. Security notes are similar to advisories; they address vulnerabilities in 3rd party tools typically used within OpenStack deployments and provide guidance on common configuration mistakes that can result in an insecure operating environment. 
> 
> Selecting LXC as Nova Virtualization Driver can lead to data compromise.
> ------
> 
> ### Summary ###
> LXC does not provide the same level of separation as hypervisors when chosen as the Nova 'virtualization driver'. Attempting to use LXC as a drop in replacement for a hypervisor can result in data exposure between tenants.
> 
> ### Affected Services / Software ###
> Nova, LXC, Libvirt, 'Virtualization Driver'
> 
> ### Discussion ###

> The quality of container isolation in LXC heavily depends on implementation. While
> pure LXC is generally well-isolated through various mechanisms (for example AppArmor
> in Ubuntu), LXC through libvirt is not. A guest who operates within one container is
> able to affect another containers cpu share, memory limit and block devices among other
> issues.

This is really wrong / misleading. Libvirt with LXC is perfectly capable of using
mandatory access control frameworks like SELinux  / AppArmour to isolate LXC
containers from each other. The issue is that such use of MAC whether with libvirt
LXC or other LXC impls is not practical when you want to be able to run full OS
installs in LXC. As such it is not possible to have OpenStack to make use of it.

I'd like this paragraph to be re-written to something like this


  "### Discussion ###

  The Libvirt LXC functionality exposed by OpenStack is built on the kernel
  namespace & cgroup technologies. Until Linux 3.8, there has been no support
  for separate user namespaces in the kernel. As such, there has been no way
  to securely isolate containers from each other or the host environment using
  DAC (discretionary access control). For example, they can escape their resource
  constraints by modifying cgroups settings, or attack the host via various files
  in the proc and sysfs filesystems. The use of MAC (mandatory access control)
  technologies like SELinux or AppArmour can mitigate these problems, but it is
  not practical to write MAC policies that would allow running full OS installs
  in LXC under OpenStack.

  Although initial user namespace support was merged in Linux 3.8, it is not
  yet complete, or mature enough to be considered secure. Work is ongoing to
  finish the kernel namespace support and enhance libvirt LXC to take advantage
  of it."

> For more information on the effects of this issue see this [bug]
> (https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1088295)
> 
> ### Recommended Actions ###
> The OSSG advises that anyone deploying Nova in environments that require any level of separation use a hypervisor such as Xen, KVM, VMware or Hyper-V.
> 
> LXC security pivots on a system known as DAC (discretionary access control) which is not currently capable of providing strong isolation of guests. Work is underway to improve DAC but it's not ready for production use at this time.
> 
> The OSSG recommends against using LXC for enforcing secure separation of guests. Even with appropriate AppArmour policies applied.
> 
> ### Contacts / References ###
> Nova : http://docs.openstack.org/developer/nova/
> LXC : http://lxc.sourceforge.net/
> Libvirt : http://libvirt.org/
> KVM : http://www.linux-kvm.org/page/Main_Page
> Xen: http://xen.org/products/xenhyp.html
> LXC DAC : https://wiki.ubuntu.com/UserNamespace
> LXC LibVirt Discussion : https://www.berrange.com/posts/2011/09/27/getting-started-with-lxc-using-libvirt/
> OpenStack Security Group : https://launchpad.net/~openstack-ossg
> 
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp

-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|


Follow ups

References