
openstack team mailing list archive

Re: [OSSG] Security Note: Selecting LXC as Nova Virtualization Driver can lead to data compromise.

 

>> The quality of container isolation in LXC heavily depends on implementation. While
>> pure LXC is generally well-isolated through various mechanisms (for example AppArmor
>> in Ubuntu), LXC through libvirt is not. A guest who operates within one container is
>> able to affect another container's CPU share, memory limit and block devices among other
>> issues.
>
> This is really wrong / misleading. <snip>
>
>   Although initial user namespace support was merged in Linux 3.8, it is not
>   yet complete, or mature enough to be considered secure. Work is ongoing to
>   finish the kernel namespace support and enhance libvirt LXC to take advantage
>   of it."

Point taken and thank you for the clarification.  As you note, doing
LXC securely is basically not possible on a current OpenStack
deployment.  This was the main take-home point of the security note.
I'm happy to see that work is ongoing to help improve this feature,
and look forward to reviewing it when it is stable.

If you'd like to help with the wording of future notes, I encourage
you to take part in the weekly OSSG meetings:
https://wiki.openstack.org/wiki/Meetings/OpenStackSecurity

Cheers,
-bryan

