OpenVZ vs LXC DIR mode poor security in LXC

It is unfortunate that LXC's dir mode is completely insecure and allows way too much information from the host to be seen. I wonder if there will eventually be a way to break into the host filesystem or other containers' storage?

OpenVZ better security:

[root@ev ~]# cat /proc/mdstat
cat: /proc/mdstat: No such file or directory

/dev/simfs 843G 740G 61G 93% /



LXC exposes too much:

If the host has a RAID array, you can see the full details. If you run df -h, you can see the usage of the partition that your VM is stored on. This seems extremely insecure.

cat /proc/mdstat
Personalities : [raid10] [raid1]
md1 : active raid10 sda2[2] sdb2[0]
31439872 blocks super 1.2 2 near-copies [2/2] [UU]

md0 : active raid1 sda1[1] sdb1[0]
1048512 blocks [2/2] [UU]

md2 : active raid10 sda3[2] sdb3[0]
455747584 blocks super 1.2 2 near-copies [2/2] [UU]
bitmap: 1/4 pages [4KB], 65536KB chunk

unused devices:


root@first:~# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/md2 427G 5.9G 400G 2% /
none 492K 4.0K 488K 1% /dev
devtmpfs 3.8G 0 3.8G 0% /dev/tty
tmpfs 100K 0 100K 0% /dev/lxd
tmpfs 100K 0 100K 0% /dev/.lxd-mounts
tmpfs 3.8G 0 3.8G 0% /dev/shm
tmpfs 3.8G 172K 3.8G 1% /run
tmpfs 5.0M 0 5.0M 0% /run/lock
tmpfs 3.8G 0 3.8G 0% /sys/fs/cgroup
tmpfs 777M 0 777M 0% /run/user/0
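
As an added example (not part of the original post), the shell functions below tie the two outputs together: they read df and /proc/mdstat output and report when the container's root filesystem sits on an md array whose member disks are also listed. The function names are this example's own, and the sample files are constructed (abridged) from the output quoted above.

```shell
#!/bin/sh
# Added example (not from the original post): report host storage details
# visible from inside a container. Function names are this example's own.

# Print "array level members..." for each md array in an mdstat-format file.
# Assumes the "mdN : active <level> <members>" layout shown in the post.
md_arrays() {
    [ -r "$1" ] || return 0          # no mdstat (as on OpenVZ): nothing to list
    awk '$2 == ":" && $1 ~ /^md/ {
        line = $1 " " $4
        for (i = 5; i <= NF; i++) { sub(/\[.*/, "", $i); line = line " " $i }
        print line
    }' "$1"
}

# Print the source device of "/" from df-format output.
root_source() {
    awk 'NR > 1 && $NF == "/" { print $1 }' "$1"
}

# Succeed, printing the array line, when "/" sits directly on an md array
# that the container can also enumerate through mdstat.
root_on_visible_array() {   # $1 = df output file, $2 = mdstat file
    dev=$(root_source "$1")
    md_arrays "$2" | awk -v d="${dev#/dev/}" '$1 == d { print; hit = 1 }
        END { exit !hit }'
}

# Constructed sample files, abridged from the output quoted in the post.
write_samples() {   # $1 = directory to write into
    printf '%s\n' 'Filesystem Size Used Avail Use% Mounted on' \
        '/dev/simfs 843G 740G 61G 93% /' > "$1/df.openvz"
    printf '%s\n' 'Filesystem Size Used Avail Use% Mounted on' \
        '/dev/md2 427G 5.9G 400G 2% /' 'none 492K 4.0K 488K 1% /dev' > "$1/df.lxc"
    printf '%s\n' 'Personalities : [raid10] [raid1]' \
        'md1 : active raid10 sda2[2] sdb2[0]' \
        'md0 : active raid1 sda1[1] sdb1[0]' \
        'md2 : active raid10 sda3[2] sdb3[0]' 'unused devices:' > "$1/mdstat.lxc"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
root_on_visible_array "$demo_dir/df.lxc" "$demo_dir/mdstat.lxc" \
    && echo "LXC sample: root filesystem maps to a host RAID array"
root_on_visible_array "$demo_dir/df.openvz" "$demo_dir/mdstat.missing" \
    || echo "OpenVZ sample: no host array visible"
rm -rf "$demo_dir"
```

To audit a live container, save the output of df -P / to a file and pass it with /proc/mdstat as the two arguments to root_on_visible_array.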


