Security of LXC compared to OpenVZ

(Disclaimer: I am not an authority on OpenVZ. This answer is more opinionated than my answers usually are, so feel free to criticise!)

OpenVZ might be "more" secure in that it does not integrate with the entire kernel, so that its attack surface is a bit lower. Though, essentially OpenVZ is what served as inspiration for namespaces and hence ultimately, LXC and Docker. I don't believe it's going to be continued for long now that those more complete solutions are, well, complete.

As pointed out by WhiteWinterWolf one of the big differences is that LXC finally gets to use the user namespace, opening the ability of unprivileged users to run containers and ensuring that contained code that breaks out of the container retains unprivileged users' privileges. Also, namespace-based containers may eventually be fully SELinux-labelled. Docker containers normally already are, and Dan Walsh is working on a way to make SELinux automatically enforce an extra layer of isolation between containers by using randomly generated categories for contained processes.

So in summary, containers are better because: - They can partially thwart some container breakouts (limiting them to an unprivileged UID), making privilege escalations inside the container irrelevant. - They are more supported and more actively developed, and in particular they'll greatly benefit from SELinux support.

And they are worse because: - Their TCB is very large, across the entire kernel and bugs will occur every now and then leading to exploits and breakouts. - The user namespace feels to me to be kind of an edge case. You usually achieve privilege escalation via a bug in the SCI (which you would be able to reproduce after your breakout) or confused deputy attacks on a privileged service (which are likely to keep existing outside your container in the first place). So you would still need to tightly limit that container-running UID to running containers.

In summary, keep practising defence in depth, and keep thinking about how you let contained processes interact with the outside world and how you run containers. Differences exist but as you can see are rather minimal.

Tags:

Linux

Virtualization

Related

Should anti-virus detect metasploit payloads? Why is it dangerous when an attacker can control the `n` parameter to `memcpy()`? What is the best way to transmit password hash over unreliable TLS? Extract pre-master keys from an OpenSSL application How to bypass .Net 4.5 request validation, for an XSS attack? Securing a multi-tenant, multi-database REST API Besides MBR & BIOS, is it possible for a rootkit to stay persistent after a format of the hard drive? Store password locally. Where? How to pass it securely? Security risk with using internal IP on public DNS Is it bad to have cameras using a static IP address? Whats the point in having software's like Veracrypt, which end of the day needs password to decrypt? Why do coffee shops not use WPA/WPA2? Would it solve many problems if they did?

Recent Posts