This email is timely as I was researching this (again) last night. It resulted in me taking a look through the lxd demo server code and configs which I think do a very reasonable job at allowing untrusted users access to containers.
https://github.com/lxc/lxd-demo-server

My final thought was that if the community felt there was a bit more to add, we/I could fork the project and call it lxd-demo-server-paranoid with some extra security configuration primitives sprinkled on top. I haven't defined what the "extras" would be, but if the idea sounds reasonable, I'd love some ideas.

Jared

On Tue, May 9, 2017 at 8:22 AM, T.C 吳天健 <[email protected]> wrote:
> Hi,
>
> It's said a privileged container is unsecured. For example, if a user in the
> container (suppose it's running a service toward the public) hacks the
> system with some kind of rootkit.
>
> I am thinking of building a more secure container. The first idea is to
> use an unprivileged container; the second is to apply cgroup to limit viewing of
> some sensitive /dev files. Any recommendation?
>
> Summary
> - use unprivileged container
> - cgroup to limit viewing of some /dev files
>
> _______________________________________________
> lxc-users mailing list
> [email protected]
> http://lists.linuxcontainers.org/listinfo/lxc-users
