I am planning to give remote devs I don’t know personally and therefore cannot trust access to parts of our infrastructure to work on.
My idea is to give each of them an isolated LXD container, i.e. default config just with security.idmap.isolated=true.
Are there any other security measures you would recommend before inviting knowledgeable strangers on your machine?
That should be fine, though if you’re worried about them running you out of resources, you should also set:
- limits.cpu
- limits.memory
- limits.processes
And use a storage backend with strong quotas like ZFS or LVM and set an appropriate disk size for the container.
And then make sure to keep up on kernel security updates and use kernel live patching if available from your distribution. That’s really the main security concern with containers.
1 Like
Thank you Stéfane!
FYI: The page https://lxd.readthedocs.io/en/latest/instances/ renders poorly on firefox on linux.