
One Ubuntu server hosts 3 apps, all on separate domains.
Each app has its own developers.
App developers belong to the Linux "sftp" group.
chroot allows password SFTP access for each app developer.

/home/app1/prod
/home/app2/prod
/home/app3/prod

In sshd_config

Match Group sftp  
  PasswordAuthentication yes
  ChrootDirectory %h
  ForceCommand internal-sftp
  AllowTcpForwarding no

Our concern is a programming vulnerability in one app causing problems in the other 2 apps.

Should we use LXC containers instead of chroot? Why? Will the change to LXC containers be transparent to the app developers?

    The only thing `chroot` does is change the root directory for a process. It offers no isolation or anything else. – Zoredache Oct 03 '13 at 16:36

1 Answer

Linux Containers (LXC) are an operating system-level virtualization method for running multiple isolated server installs (containers) on a single control host. LXC does not provide a virtual machine, but rather provides a virtual environment that has its own process and network space. It is similar to a chroot, but offers much more isolation.

Linux containers have several features / advantages:

Better isolation as compared to a chroot (chroot jail).

Low overhead. LXC uses minimal resources in terms of RAM and hard drive space, without the overhead of installing a guest OS in a virtual machine (VMware / VirtualBox / KVM).

Applications and services (servers) run at native speed.

There is support for Linux containers in libvirt .

Linux containers work well with btrfs .

But there is also a downside:

Linux containers run Linux processes on a Linux kernel. This means you can run Linux (a Fedora container on an Ubuntu host) but not other operating systems (not BSD / OS X / Windows).

There are no GUI (graphical) interfaces to configure or manage the containers.

There is a paucity of documentation on how to install and configure a container. Configuring a container requires a modest technical knowledge and skill (and a large grain of patience).

  • Which kernel is used inside the LXC? (the one from the host or the guest one?) – Francesco Nov 24 '15 at 13:35
  • A lot of the advantages & disadvantages compare LXC to full virtualization, which is irrelevant to the question asked, and perhaps even misleading. – Roger Dueck Jun 28 '18 at 22:36
  • @Francesco, with LXC (and Linux containers in general), there is only one kernel: the host kernel. Some exceptions to this are, for example, Docker running on MacOS or Windows, as they use a Linux kernel running in a virtual machine; however, all Linux containers on these platforms are still using the same kernel. – oxr463 Jun 19 '19 at 15:10