OpenVZ vs LXC DIR mode poor security in LXC

It is unfortunate that LXC's dir mode is so insecure: it discloses far too much information about the host to the container. I wonder if there will eventually be a way to break into the host filesystem or other containers' storage?


OpenVZ better security:

[root@ev ~]# cat /proc/mdstat
cat: /proc/mdstat: No such file or directory

/dev/simfs      843G  740G   61G  93% /



LXC exposes too much:

If the host has a RAID array, you can see its full details from inside the container. If you run df -h, you can see the usage of the host partition that your VM is stored on. This seems extremely insecure.

cat /proc/mdstat
Personalities : [raid10] [raid1]
md1 : active raid10 sda2[2] sdb2[0]
      31439872 blocks super 1.2 2 near-copies [2/2] [UU]
     
md0 : active raid1 sda1[1] sdb1[0]
      1048512 blocks [2/2] [UU]
     
md2 : active raid10 sda3[2] sdb3[0]
      455747584 blocks super 1.2 2 near-copies [2/2] [UU]
      bitmap: 1/4 pages [4KB], 65536KB chunk

unused devices: <none>


root@first:~# df -h
Filesystem      Size  Used Avail Use% Mounted on
/dev/md2        427G  5.9G  400G   2% /
none            492K  4.0K  488K   1% /dev
devtmpfs        3.8G     0  3.8G   0% /dev/tty
tmpfs           100K     0  100K   0% /dev/lxd
tmpfs           100K     0  100K   0% /dev/.lxd-mounts
tmpfs           3.8G     0  3.8G   0% /dev/shm
tmpfs           3.8G  172K  3.8G   1% /run
tmpfs           5.0M     0  5.0M   0% /run/lock
tmpfs           3.8G     0  3.8G   0% /sys/fs/cgroup
tmpfs           777M     0  777M   0% /run/user/0
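The two captures above can be turned into a quick audit. The following shell script is an added example, not from the original post: it counts the md arrays listed in /proc/mdstat-style text and finds the device backing / in df output, then reports whether the container can see host storage. The function names are my own, and the sample text embedded in it is constructed from the captures above so the checks can be tried offline as well as live inside a container.

```shell
#!/bin/sh
# Added audit script (not from the original post): does this container see the
# host's storage topology, the way the LXC dir-mode captures above do?
# The parsers read text from stdin so they work on live /proc and df output
# as well as on the constructed samples at the bottom.

# Number of md arrays listed in mdstat-style text on stdin (0 if none).
count_md_arrays() {
    grep -c '^md[0-9][0-9]* : active' || true
}

# Device backing "/" in df-style text on stdin.
root_device() {
    awk '$NF == "/" { print $1; exit }'
}

# A real host block device under "/" means the container's root sits directly
# on host storage; a virtual device such as simfs or an overlay does not.
classify_root_device() {
    case "$1" in
        /dev/md*|/dev/sd*|/dev/nvme*|/dev/vd*|/dev/mapper/*|/dev/dm-*) echo exposed ;;
        *) echo hidden ;;
    esac
}

# One-line verdict from the two measurements; any visible md array counts
# as exposure regardless of what backs "/".
summarize() {
    arrays=$1
    dev=$2
    verdict=$(classify_root_device "$dev")
    if [ "$arrays" -gt 0 ]; then verdict=exposed; fi
    echo "$verdict: $arrays md array(s) visible, / is on $dev"
}

# Live check of the container this script runs in.
audit_live() {
    if [ -r /proc/mdstat ]; then
        arrays=$(count_md_arrays < /proc/mdstat)
    else
        arrays=0
    fi
    dev=$(df -P / | root_device)
    summarize "$arrays" "$dev"
}

# Constructed samples, taken from the captures in the post.
SAMPLE_LXC_MDSTAT='Personalities : [raid10] [raid1]
md1 : active raid10 sda2[2] sdb2[0]
      31439872 blocks super 1.2 2 near-copies [2/2] [UU]

md0 : active raid1 sda1[1] sdb1[0]
      1048512 blocks [2/2] [UU]

md2 : active raid10 sda3[2] sdb3[0]
      455747584 blocks super 1.2 2 near-copies [2/2] [UU]
      bitmap: 1/4 pages [4KB], 65536KB chunk

unused devices: <none>'

SAMPLE_LXC_DF='Filesystem      Size  Used Avail Use% Mounted on
/dev/md2        427G  5.9G  400G   2% /
tmpfs           3.8G     0  3.8G   0% /dev/shm'

SAMPLE_OVZ_DF='Filesystem      Size  Used Avail Use% Mounted on
/dev/simfs      843G  740G   61G  93% /'

# Run the live check when executed directly inside a container.
audit_live
```

Run it inside the container under test. On the LXC dir-mode container above it reports three visible md arrays and / on /dev/md2, so "exposed"; on the OpenVZ container, where /proc/mdstat does not exist and / sits on /dev/simfs, it reports "hidden".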

