OpenVZ vs LXC DIR mode poor security in LXC

It is unfortunate that LXC's dir mode is completely insecure and allows way too much information from the host to be seen.  I wonder if there will eventually be a way to break into the host filesystem or other container's storage?

 

OpenVZ better security:

[root@ev ~]# cat /proc/mdstat
cat: /proc/mdstat: No such file or directory

/dev/simfs      843G  740G   61G  93% /



LXC exposes too much:

If the host has a RAID array you can see the full details.  If you do a df -h you can see the usage of the partition that your VM is stored on.  This seems extremely insecure.

 cat /proc/mdstat
Personalities : [raid10] [raid1]
md1 : active raid10 sda2[2] sdb2[0]
      31439872 blocks super 1.2 2 near-copies [2/2] [UU]
     
md0 : active raid1 sda1[1] sdb1[0]
      1048512 blocks [2/2] [UU]
     
md2 : active raid10 sda3[2] sdb3[0]
      455747584 blocks super 1.2 2 near-copies [2/2] [UU]
      bitmap: 1/4 pages [4KB], 65536KB chunk

unused devices: <none>


root@first:~# df -h
Filesystem      Size  Used Avail Use% Mounted on
/dev/md2        427G  5.9G  400G   2% /
none            492K  4.0K  488K   1% /dev
devtmpfs        3.8G     0  3.8G   0% /dev/tty
tmpfs           100K     0  100K   0% /dev/lxd
tmpfs           100K     0  100K   0% /dev/.lxd-mounts
tmpfs           3.8G     0  3.8G   0% /dev/shm
tmpfs           3.8G  172K  3.8G   1% /run
tmpfs           5.0M     0  5.0M   0% /run/lock
tmpfs           3.8G     0  3.8G   0% /sys/fs/cgroup
tmpfs           777M     0  777M   0% /run/user/0


 


Tags:

openvz, vs, lxc, dir, mode, lxcit, insecure, allows, filesystem, container, ev, proc, mdstat, directory, dev, simfs, exposes, raid, array, df, usage, partition, vm, stored, personalities, md, active, sda, sdb, copies, uu, bitmap, kb, chunk, unused, devices, avail, mounted, devtmpfs, tty, tmpfs, lxd, mounts, shm, sys, fs, cgroup, user,

Latest Articles

  • FreePBX 17 How To Add a Trunk
  • Docker Container Onboot Policy - How to make sure a container is always running
  • FreePBX 17 How To Add Phones / Extensions and Register
  • Warning: The driver descriptor says the physical block size is 2048 bytes, but Linux says it is 512 bytes. solution
  • Cisco How To Use a Third Party SIP Phone (eg. Avaya, 3CX)
  • Cisco Unified Communication Manager (CUCM) - How To Add Phones
  • pptp / pptpd not working in DD-WRT iptables / router
  • systemd-journald high memory usage solution
  • How to Install FreePBX 17 in Linux Debian Ubuntu Mint Guide
  • How To Install Cisco's CUCM (Cisco Unified Communication Manager) 12 Guide
  • Linux Ubuntu Redhat How To Extract Images from PDF
  • Linux and Windows Dual Boot Issue NIC Won't work After Booting Windows
  • Cisco CME How To Enable ACD hunt groups
  • How to install gns3 on Linux Ubuntu Mint
  • How to convert audio for Asterisk .wav format
  • Using Cisco CME Router with Asterisk as a dial-peer
  • Cisco CME How To Configure SIP Trunk VOIP
  • Virtualbox host Only Network Error Failed to save host network interface parameter - Cannot change gateway IP of host only network
  • Cisco CME and C7200 Router Testing and Learning Environment on Ubuntu 20+ Setup Tutorial Guide
  • Abusive IP ranges blacklist