Right now I'm using Linux VServer for VPS hosting. But it's lacking some functionality I need (ex. cpu usage virtualization, quota support for guests, etc.) so I'm thinking about switching to OpenVZ or directly to LXC. I somewhere read LXC is not considered secure yet (ex http://en.gentoo-wiki.com/wiki/LXC#MAJOR_Temporary_Problems_with_LXC_-_READ_THIS) - is this still true? As I don't know the persons who run the guests I really have to take care of security.
-
there were (are?) also problems with /proc filtering -- see https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/645625 "lxc container can power-off host machine" – sendmoreinfo Mar 12 '12 at 22:15
-
not exactly an answer to your question, but have you considered using an hypervisor? eg. Xen or KVM – Luke404 Aug 06 '12 at 20:58
-
Xen and kvm have a much higher overhead and thus lower performance. I'd only use a hypervisor when I need a custom kernel in a guest, different host/ guest os or other "special requirements". – gucki Aug 07 '12 at 08:24
2 Answers
To the best knowledge at the time of this writing there were still critical issues with /proc filtering. They ought to be addressed in Linux Kernel 3.6 or later.
Since I'm facing the same problem as you I've done some investigation and I'm not yet convinced that LXC is an alternative to Linux VServer.
If you decide not to switch to LXC have a look at the cgroup support of Linux Vserver which is based on the same code as LXC and may be an option for your setup.
- 889
- 1
- 9
- 19
LXC added unprivileged containers support from 1.0 version, and Ubuntu appended more apparmor rules from release 14.04 LTS (5 years) that use 3.13 kernel, (LTS will append support for kernels from utopic now, vivid in some months, etc)
many things about security with LXC are OLD now (the same applies to Docker, that is based in linux container tech based in cgroups) to me at least appear that lxc under Ubuntu is now a good alternative. I imagine that the same applies to Debian.
- 284
- 1
- 9