For years, I'm now using OpenVZ on my server, but support discontinued for Debian and Ubuntu, current releases seem to focus on LXC now, which is not a bad idea from the point of comfort.
But what about security? I remember I read once that LXC doesn't provide the same level of process and container separation than OpenVZ does. Unfortunately, I cant find the document anymore, but I agree there might be some security issues at least in the default configuration of LXC. For example, with a completely customized rootfs I managed once (in an older version of LXC) to change the host's terminal from an LXC container using chvt 1 and pressing Ctrl+C ended in a restart of my X11 environment when I tried to reproduce it today. I know, all container solutions use the same kernel and a kernel hack can lead to a container breakout, that's not what I ask. But it shouldn't be that easy to influence the host or other containers from a container.
How much security can I expect from OpenVZ and LXC?
My server exposes some guest ports to the internet, so I really care about this aspect, but I have to make a decision because the currently used tools need to be upgraded. Using LXC or similar is not an option since my server has a low-performance CPU.
PS: I'm speaking about the real OpenVZ implementation with vzctl 4.7.2-1. Some newer implementations of vzctl use LXC techniques.
Aucun commentaire:
Enregistrer un commentaire