Looking for secure profile for public cloud environments


(Sergio Morales Acuña) #1

Hi.

Anyone with experience in LXD on Public Cloud? I’m need to create a secure profile or ensure that the default one is enough.

In the documentations it’s states that LXD will always provide the container with the basic devices which are required for a standard POSIX system to work and anything else has to be defined in the container configuration or in one of its profiles.

Can some one recommend me some book or link about this topic?

I have some issues with the current profile where df -h shows lxd/containers/instance-00000a6c as root disk when using ZFS and I need to understand if this is a security issue or just a aesthetic problem.

Thanks

~$ lxc profile show instance-00000a6c
config:
  environment.product_name: OpenStack Nova
  limits.cpu: "1"
  limits.memory: 1024MB
  raw.lxc: |
    lxc.console.logfile=/var/log/lxd/instance-00000a6c/console.log
description: ""
devices:
  brqa1c03c28-9f:
    host_name: tap51c84861-9e
    hwaddr: fa:16:3e:97:61:04
    limits.egress: 20Mbit
    limits.ingress: 20Mbit
    nictype: bridged
    parent: brqa1c03c28-9f
    type: nic
  root:
    limits.read: 120iops
    limits.write: 120iops
    path: /
    size: 20GB
    type: disk
name: instance-00000a6c
used_by: []

(Stéphane Graber) #2

Showing lxd/containers/NAME as root disk is normal and is actually better than what happens with most of the other storage backends where the actual disk (/dev/sdaX) is reported instead.

For untrusted production environments, I’d probably recommend setting security.idmap.isolated to true, this will prevent some intentional & accidental DoS attacks on user-bound kernel resources.

You’d likely also want to set limits.processes to some reasonable value, this will prevent a forkbomb in a container from affecting the rest of the system.


(Sergio Morales Acuña) #3

Thanks!!

I’m also setting echo 1 > /proc/sys/kernel/dmesg_restrict to prevent the users get information about the host.

If I finish with something worth sharing I will. Any other tip will be appreciated.

Cheers.