Hi! A couple of days ago I managed to setup LXC with LXD, hurray! And it works great so far, many thanks.
I have created and assigned an LVM thinpool volume to LXD. Now I'm having a few questions regarding data access security: 1) Within the unprivileged container I see a mount point of a block device to '/'. Are raw block accesses to this device from within a container denied? Is it ensured that even the (mapped, inner) root user will only access data on a file basis? 2) Any file created within the container will always contain data created from within this container only? Say, the (mapped, inner) root user will not be able to create a file which will then suddenly contain data which was used in another, but now deleted container or LVM volume? 3) Are LVM extents added to the thinnly provisioned volume wiped before they are handed over to the container? 4) Are LVM extents which were deleted via the ext4 discard option from within the container wiped before being added back to the thinpool again? Hope these questions are not too "amateurish". But I'm really curious whether I'm making wrong assumptions on how LXD and LVM work. Or if I were concerned about such security I'd must use a normal and not thinnly provisioned LVM volume and would need to wipe data manually before (re)assigning and resizing volumes. Regards, Linus _______________________________________________ lxc-users mailing list [email protected] http://lists.linuxcontainers.org/listinfo/lxc-users
