openstack team mailing list archive

Re: [OSSG] Security Note: Selecting LXC as Nova Virtualization Driver can lead to data compromise.

On Fri, Mar 15, 2013 at 09:05:30AM -0700, Bryan D. Payne wrote:
> >> The quality of container isolation in LXC heavily depends on implementation. While
> >> pure LXC is generally well-isolated through various mechanisms (for example AppArmor
> >> in Ubuntu), LXC through libvirt is not. A guest who operates within one container is
> >> able to affect another container's CPU share, memory limit and block devices, among other
> >> issues.
> >
> > This is really wrong / misleading. <snip>
> >
> >   Although initial user namespace support was merged in Linux 3.8, it is not
> >   yet complete, or mature enough to be considered secure. Work is ongoing to
> >   finish the kernel namespace support and enhance libvirt LXC to take advantage
> >   of it."
> 
> Point taken and thank you for the clarification.  As you note, doing
> lxc securely is basically not possible on a current OpenStack
> deployment.  This was the main take home point of the security note.
> I'm happy to see that work is ongoing to help improve this feature,
> and look forward to reviewing it when it is stable.
> 
> If you'd like to help with the wording of future notes, I encourage
> you to take part in the weekly OSSG meetings:

Where/when was this wording discussed though? I don't see anything about
LXC mentioned in the logs of the last two meetings in March. While IRC
may be a good place for ad-hoc discussions around an issue, I don't really
think it is a good forum for reviewing these final notices prior to an
announcement. Due to its real-time nature, IRC hits timezone problems
which can prevent relevant people from attending. A posting to an email
list gives time for all relevant parties to provide feedback.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
