X-Git-Url: https://git.proxmox.com/?a=blobdiff_plain;f=pct.adoc;h=3b3f5f5df0208694efd7417afa448401146a9217;hb=c02ac25bcc25f70d27d1702534eda2ae7cebb727;hp=9bedab7754edeae4484483745c784d256fc7705f;hpb=3d5c55fca7d31860c7453b0dc2eabc56762b3462;p=pve-docs.git diff --git a/pct.adoc b/pct.adoc index 9bedab7..3b3f5f5 100644 --- a/pct.adoc +++ b/pct.adoc @@ -86,26 +86,6 @@ Technology Overview * Container setup from host (network, DNS, storage, etc.) -Security Considerations ------------------------ - -Containers use the kernel of the host system. This creates a big attack surface -for malicious users. This should be considered if containers are provided to -untrustworthy people. In general, full virtual machines provide better -isolation. - -However, LXC uses many security features like AppArmor, CGroups and kernel -namespaces to reduce the attack surface. - -AppArmor profiles are used to restrict access to possibly dangerous actions. -Some system calls, i.e. `mount`, are prohibited from execution. - -To trace AppArmor activity, use: - ----- -# dmesg | grep apparmor ----- - [[pct_container_images]] Container Images ---------------- 
@@ -336,25 +316,11 @@ systemd version running inside the container should be equal to or greater than Privileged Containers ^^^^^^^^^^^^^^^^^^^^^ -Security in containers is achieved by using mandatory access control -('AppArmor'), 'seccomp' filters and namespaces. The LXC team considers this -kind of container as unsafe, and they will not consider new container escape -exploits to be security issues worthy of a CVE and quick fix. That's why -privileged containers should only be used in trusted environments. - -Although it is not recommended, AppArmor can be disabled for a container. This -brings security risks with it. Some syscalls can lead to privilege escalation -when executed within a container if the system is misconfigured or if a LXC or -Linux Kernel vulnerability exists. - -To disable AppArmor for a container, add the following line to the container -configuration file located at `/etc/pve/lxc/CTID.conf`: - ----- -lxc.apparmor_profile = unconfined ----- - -WARNING: Please note that this is not recommended for production use. +Security in containers is achieved by using mandatory access control 'AppArmor' +restrictions, 'seccomp' filters and Linux kernel namespaces. The LXC team +considers this kind of container as unsafe, and they will not consider new +container escape exploits to be security issues worthy of a CVE and quick fix. +That's why privileged containers should only be used in trusted environments. [[pct_cpu]] 
@@ -576,6 +542,48 @@ It will be called during various phases of the guests lifetime. For an example and documentation see the example script under `/usr/share/pve-docs/examples/guest-example-hookscript.pl`. +Security Considerations +----------------------- + +Containers use the kernel of the host system. This exposes an attack surface +for malicious users. In general, full virtual machines provide better +isolation. This should be considered if containers are provided to unkown or +untrusted people. + +To reduce the attack surface, LXC uses many security features like AppArmor, +CGroups and kernel namespaces. + +AppArmor +~~~~~~~~ + +AppArmor profiles are used to restrict access to possibly dangerous actions. +Some system calls, i.e. `mount`, are prohibited from execution. + +To trace AppArmor activity, use: + +---- +# dmesg | grep apparmor +---- + +Although it is not recommended, AppArmor can be disabled for a container. This +brings security risks with it. Some syscalls can lead to privilege escalation +when executed within a container if the system is misconfigured or if a LXC or +Linux Kernel vulnerability exists. + +To disable AppArmor for a container, add the following line to the container +configuration file located at `/etc/pve/lxc/CTID.conf`: + +---- +lxc.apparmor_profile = unconfined +---- + +WARNING: Please note that this is not recommended for production use. + + +// TODO: describe cgroups + seccomp a bit more. +// TODO: pve-lxc-syscalld + + Guest Operating System Configuration ------------------------------------
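Review bot: the block removed in the first hunk (`@@ -86,26 +86,6`, the old "Security Considerations" section under Technology Overview) carried no `[[...]]` anchor id, so no existing xref can break on its own, but its removal only makes sense together with the re-added section at the end of the file; please confirm in the commit message that this is a pure relocation and that the `# dmesg | grep apparmor` snippet and the AppArmor wording were carried over unchanged, so reviewers can verify nothing was dropped between the two hunks.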
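Review bot: in the second hunk (`@@ -336,25 +316,11`) the rewritten first sentence reads awkwardly, "mandatory access control 'AppArmor' restrictions, 'seccomp' filters and Linux kernel namespaces"; the old phrasing "mandatory access control ('AppArmor'), 'seccomp' filters and namespaces" is clearer, so consider "mandatory access control ('AppArmor'), 'seccomp' filters and Linux kernel namespaces". Also, since the paragraph on disabling AppArmor is removed from "Privileged Containers" here, the section now says privileged containers should only be used in trusted environments without pointing the reader anywhere for the AppArmor details; an xref to the relocated "Security Considerations" section would keep the documentation connected.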
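Review bot: the third hunk (`@@ -576,6 +542,48`) introduces a typo, "unkown or untrusted people" should read "unknown or untrusted people", and "Some system calls, i.e. `mount`, are prohibited" should use "e.g." since `mount` is given as one example rather than the full set. The new "Security Considerations" section also lacks a section anchor, unlike the neighbouring `[[pct_container_images]]` and `[[pct_cpu]]`; adding one (for instance `[[pct_security]]`) would let the "Privileged Containers" section and other docs link to it. Finally, the `// TODO: describe cgroups + seccomp a bit more.` and `// TODO: pve-lxc-syscalld` comments are committed as asciidoc comments, so they are invisible to readers; either track them in an issue or fill them in before merge, as the intro sentence already promises coverage of CGroups and namespaces that the section does not yet provide.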