It is unfortunate that LXC's dir mode is completely insecure and allows way too much information from the host to be seen.  I wonder if there will eventually be a way to break into the host filesystem or other container's storage?

OpenVZ better security:

[root@ev ~]# cat /proc/mdstat
cat: /proc/mdstat: No such file or directory

/dev/simfs      843G  740G   61G  93% /


LXC exposes too much:

If the host has a RAID array you can see the full details.  If you do a df -h you can see the usage of the partition that your VM is stored on.  This seems extremely insecure.

 cat /proc/mdstat
Personalities : [raid10] [raid1]
md1 : active raid10 sda2[2] sdb2[0]
      31439872 blocks super 1.2 2 near-copies [2/2] [UU]
     
md0 : active raid1 sda1[1] sdb1[0]
      1048512 blocks [2/2] [UU]
     
md2 : active raid10 sda3[2] sdb3[0]
      455747584 blocks super 1.2 2 near-copies [2/2] [UU]
      bitmap: 1/4 pages [4KB], 65536KB chunk

unused devices: <none>

root@first:~# df -h
Filesystem      Size  Used Avail Use% Mounted on
/dev/md2        427G  5.9G  400G   2% /
none            492K  4.0K  488K   1% /dev
devtmpfs        3.8G     0  3.8G   0% /dev/tty
tmpfs           100K     0  100K   0% /dev/lxd
tmpfs           100K     0  100K   0% /dev/.lxd-mounts
tmpfs           3.8G     0  3.8G   0% /dev/shm
tmpfs           3.8G  172K  3.8G   1% /run
tmpfs           5.0M     0  5.0M   0% /run/lock
tmpfs           3.8G     0  3.8G   0% /sys/fs/cgroup
tmpfs           777M     0  777M   0% /run/user/0

 

openvz, vs, lxc, dir, mode, lxcit, insecure, allows, filesystem, container, ev, proc, mdstat, directory, dev, simfs, exposes, raid, array, df, usage, partition, vm, stored, personalities, md, active, sda, sdb, copies, uu, bitmap, kb, chunk, unused, devices, avail, mounted, devtmpfs, tty, tmpfs, lxd, mounts, shm, sys, fs, cgroup, user,

Latest Articles