Creating secure LXC containers with virt-sandbox-service

source link: http://www.linux-admins.net/2013/07/creating-secure-lxc-containers-with.html

In my previous articles [1], [2] and [3] I demonstrated how to create LXC containers using the LXC user-space tools, libvirt and OpenStack. The problem with out-of-the-box LXC "containers" is that they lack security, mainly because they are just an implementation of kernel features such as network and filesystem namespaces and control groups (cgroups).

Even though this provides process isolation, it does not provide any level of security. The best way to work around this is to create an SELinux context for each LXC process, and this is what virt-sandbox-service provides. It takes advantage of SELinux MLS labeling to confine users and processes.

This feature has been available since Fedora 17 and is well integrated with the new systemd System and Service Manager [4], by using Unit Configuration Files. A unit configuration file encodes information about a service, a socket, a device, a mount point, an automount point, a swap file or partition, a start-up target, a file system path, or a timer controlled and supervised by systemd.

In the following example I'll demonstrate how to start the httpd service in an LXC container using Fedora 18 and the virt-sandbox-service utility.

First, make sure SELinux is running in enforcing mode:

[root@libvirt-sandbox ~]# getenforce
Enforcing

Next install the dependencies:

[root@libvirt-sandbox ~]# yum install libvirt-sandbox libvirt-daemon-lxc lxc httpd

To create the httpd container run:

[root@libvirt-sandbox ~]# virt-sandbox-service create -C -l s0:c1,c2 -u httpd.service httpd_container

Created sandbox container dir /var/lib/libvirt/filesystems/httpd_container
Created sandbox config /etc/libvirt-sandbox/services/httpd_container.sandbox
Created unit file /etc/systemd/system/httpd@httpd_container.service

The options are as follows:

-C clones content from the /etc and /var directories that will be mounted within the container.
-l is the MLS level with which to run the container.
-u is the systemd unit file to run within the container.
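The level passed with -l is what keeps one sandbox's files and processes apart from another's, so every container on a host needs its own category pair. The following script, added here as an example and not part of the original article, wraps the create step above: mcs_label_for() derives the n-th distinct pair of MCS categories (the article's s0:c1,c2 is one such pair), and create_sandbox() refuses to run unless getenforce reports Enforcing, exactly as the article checks by hand. The function and variable names are my own; the virt-sandbox-service options are the ones listed above.

```shell
#!/bin/sh
# Added example, not from the original article: give each sandbox its own
# MLS/MCS level and refuse to create one when SELinux is not enforcing.

# Derive the n-th distinct category pair "s0:c<i>,c<j>" (i < j) from a
# sequence number. Pairs are enumerated (0,1),(0,2),...,(0,1023),(1,2),...
# over the 1024 MCS categories, so two containers never share a level.
mcs_label_for() {
    n=$1          # container sequence number, starting at 0
    i=0
    span=1023     # number of pairs whose first category is i
    while [ "$n" -ge "$span" ]; do
        [ "$span" -gt 0 ] || { echo "category space exhausted" >&2; return 1; }
        n=$((n - span))
        i=$((i + 1))
        span=$((span - 1))
    done
    j=$((i + 1 + n))
    echo "s0:c${i},c${j}"
}

# Create a sandbox the way the article does, but only with SELinux enforcing
# and with a level derived from the sequence number (assumed to be tracked
# by the caller, e.g. one number per container on this host).
create_sandbox() {
    name=$1; unit=$2; seq=$3
    [ "$(getenforce 2>/dev/null)" = "Enforcing" ] || {
        echo "SELinux is not enforcing; refusing to create $name" >&2
        return 1
    }
    level=$(mcs_label_for "$seq") || return 1
    # -C clones /etc and /var, -l sets the level, -u names the unit to run
    virt-sandbox-service create -C -l "$level" -u "$unit" "$name"
}

# Usage (runs the real tool, so only on a Fedora host with libvirt-sandbox):
#   create_sandbox httpd_container httpd.service 1023   # -> level s0:c1,c2
```

Sequence number 1023 yields the article's own level s0:c1,c2, so the script reproduces the create command shown above for that container.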

To start the container execute:

[root@libvirt-sandbox ~]# virt-sandbox-service start httpd_container

systemd 201 running in system mode. (+PAM +LIBWRAP +AUDIT +SELINUX +IMA +SYSVINIT +LIBCRYPTSETUP +GCRYPT +ACL +XZ)
Detected virtualization 'lxc-libvirt'.

Welcome to Fedora 18 (Spherical Cow)!
Initializing machine ID from container UUID.
[ OK ] Reached target Paths.
[ OK ] Listening on Delayed Shutdown Socket.
[ OK ] Listening on Journal Socket.
[ OK ] Reached target Swap.
[ OK ] Reached target Local File Systems.
       Starting Recreate Volatile Files and Directories...
       Starting Journal Service...
[ OK ] Started Journal Service.
[ OK ] Started Recreate Volatile Files and Directories.
[ OK ] Reached target System Initialization.
[ OK ] Reached target Timers.
[ OK ] Listening on D-Bus System Message Bus Socket.
[ OK ] Reached target Sockets.
[ OK ] Reached target Basic System.
       Starting The Apache HTTP Server...
systemd-journald.service: main process exited, code=exited, status=205/LIMITS
[ OK ] Started The Apache HTTP Server.
[ OK ] Reached target Sandbox target.

To list the running containers run:

[root@libvirt-sandbox ~]# virt-sandbox-service list -r
httpd_container

Alternatively you can use virsh:

[root@libvirt-sandbox ~]# virsh -c lxc:/// list

 Id    Name                 State
----------------------------------------------------
 3500  httpd_container      running

To connect to the container run:

[root@libvirt-sandbox ~]# virt-sandbox-service connect httpd_container
Connected to httpd_container.
Escape character is '^]'.

sh-4.2# ps axf

  PID TTY      STAT   TIME COMMAND
    1 pts/0    Ss+    0:00 /bin/systemd --unit sandbox.target --log-target conso
    3 pts/1    Ss     0:00 /bin/sh
   81 pts/1    R+     0:00  \_ ps axf
   14 ?        Ss     0:00 /usr/sbin/httpd -DFOREGROUND
   39 ?        S      0:00  \_ /usr/sbin/httpd -DFOREGROUND
   40 ?        S      0:00  \_ /usr/sbin/httpd -DFOREGROUND
   41 ?        S      0:00  \_ /usr/sbin/httpd -DFOREGROUND
   42 ?        S      0:00  \_ /usr/sbin/httpd -DFOREGROUND
   43 ?        S      0:00  \_ /usr/sbin/httpd -DFOREGROUND
   80 ?        Ss     0:00 /sbin/dhclient --no-pid eth0

sh-4.2# ip a s

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever

5: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 52:54:00:40:09:2d brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.244/24 brd 192.168.122.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fe40:92d/64 scope link
       valid_lft forever preferred_lft forever

sh-4.2# id
uid=0(root) gid=0(root) groups=0(root)

sh-4.2# touch /file
touch: cannot touch '/file': Read-only file system

sh-4.2# touch /var/www/html/content
sh-4.2#

As you can see, you can write to /var/www/html/ but not to /, due to the SELinux context.

You can see the SELinux labeling by running:

[root@libvirt-sandbox ~]# ls -laZ /var/lib/libvirt/filesystems/httpd_container/

drwxr-xr-x. root root system_u:object_r:svirt_lxc_file_t:s0:c1,c2 .
drwx--x--x. root root system_u:object_r:virt_var_lib_t:s0 ..
drwxr-xr-x. root root system_u:object_r:svirt_lxc_file_t:s0:c1,c2 etc
drwxr-xr-x. root root system_u:object_r:svirt_lxc_file_t:s0:c1,c2 home
drwxr-xr-x. root root system_u:object_r:svirt_lxc_file_t:s0:c1,c2 root
drwxr-xr-x. root root system_u:object_r:svirt_lxc_file_t:s0:c1,c2 usr
drwxr-xr-x. root root system_u:object_r:svirt_lxc_file_t:s0:c1,c2 var
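Every entry under the sandbox directory should carry svirt_lxc_file_t with the container's own level; a file labeled with another container's categories, or with a generic type such as var_t, would be reachable from outside the intended confinement (or unreadable from inside it). The following check is an added example, not part of the original article or of libvirt-sandbox: check_labels() reads ls -laZ output on stdin, skips the parent directory entry (which legitimately carries virt_var_lib_t:s0, as shown above), and reports any entry whose context is not the expected one. It assumes the five-field ls -laZ format shown above (permissions, user, group, context, name); the sample listings are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original article: verify that a sandbox
# directory listing carries the label the article shows for its level.

# check_labels LEVEL
#   Reads "ls -laZ" output on stdin (five fields: perms user group context
#   name, as printed on Fedora 18). Prints one line per mislabeled entry and
#   returns 1 if there was any; the ".." entry belongs to the parent and is
#   expected to carry a different type, so it is skipped.
check_labels() {
    want="system_u:object_r:svirt_lxc_file_t:$1"
    awk -v want="$want" '
        NF < 5 || $5 == ".." { next }
        $4 != want { print "MISLABELED: " $5 " -> " $4; bad++ }
        END { exit (bad > 0) }'
}

# Constructed sample listings (not captured from a real host).
SAMPLE_GOOD='drwxr-xr-x. root root system_u:object_r:svirt_lxc_file_t:s0:c1,c2 .
drwx--x--x. root root system_u:object_r:virt_var_lib_t:s0 ..
drwxr-xr-x. root root system_u:object_r:svirt_lxc_file_t:s0:c1,c2 etc
drwxr-xr-x. root root system_u:object_r:svirt_lxc_file_t:s0:c1,c2 var'

# Two defects: "var" carries another container'"'"'s categories and "stray"
# was created outside the sandbox tooling with a generic label.
SAMPLE_BAD='drwxr-xr-x. root root system_u:object_r:svirt_lxc_file_t:s0:c1,c2 .
drwx--x--x. root root system_u:object_r:virt_var_lib_t:s0 ..
drwxr-xr-x. root root system_u:object_r:svirt_lxc_file_t:s0:c3,c4 var
-rw-r--r--. root root unconfined_u:object_r:var_t:s0 stray'

# Usage against a live sandbox dir (hypothetical path pattern from the article):
#   ls -laZ /var/lib/libvirt/filesystems/httpd_container/ | check_labels s0:c1,c2
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_GOOD" | check_labels s0:c1,c2 && echo "good listing: clean"
    printf '%s\n' "$SAMPLE_BAD"  | check_labels s0:c1,c2 || echo "bad listing: mismatches found"
fi
```

Run with the argument demo to see the two constructed listings checked; in real use, pipe the ls -laZ output of the sandbox directory in and pass the level you gave to -l at create time.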

The container's cgroups live in, and can be manipulated through, the following directory structures:

/sys/fs/cgroup/cpu,cpuacct/system/libvirtd.service/system/httpd.service
/sys/fs/cgroup/systemd/system/libvirtd.service/system/httpd.service

The OS-level view of the LXC container:

[root@libvirt-sandbox ~]# ps axf
...
 3500 ?        Ss     0:00 /usr/libexec/libvirt_lxc --name httpd_container --console 21 --console 22 --security=selinux --handshake 25 --background --veth veth1
 3501 pts/0    Ss+    0:00  \_ /bin/systemd --unit sandbox.target --log-target console --system
 3504 pts/1    Ss+    0:00  \_ /bin/sh
 3524 ?        Ss     0:00  \_ /usr/sbin/httpd -DFOREGROUND
 3572 ?        S      0:00  |   \_ /usr/sbin/httpd -DFOREGROUND
 3573 ?        S      0:00  |   \_ /usr/sbin/httpd -DFOREGROUND
 3574 ?        S      0:00  |   \_ /usr/sbin/httpd -DFOREGROUND
 3575 ?        S      0:00  |   \_ /usr/sbin/httpd -DFOREGROUND
 3576 ?        S      0:00  |   \_ /usr/sbin/httpd -DFOREGROUND
 3615 ?        Ss     0:00  \_ /sbin/dhclient --no-pid eth0

To stop the container:

[root@libvirt-sandbox ~]# virt-sandbox-service stop httpd_container

And finally to delete the container run:

[root@libvirt-sandbox ~]# virt-sandbox-service delete httpd_container

That should delete the following files:

/var/lib/libvirt/filesystems
/etc/libvirt-sandbox/services/httpd_container.sandbox
/etc/systemd/system/httpd@httpd_container.service

To create a new container running mysqld, just pass its systemd unit file to -u instead.

For more information and examples check the main project page at [5].

Resources:

[1]. http://kaivanov.blogspot.com/2012/07/configuring-lxc-linux-containers.html
[2]. http://kaivanov.blogspot.com/2013/01/configuring-lxc-using-libvirt.html
[3]. http://kaivanov.blogspot.com/2013/02/installing-openstack-folsom-on-ubuntu.html
[4]. http://www.freedesktop.org/wiki/Software/systemd/
[5]. http://fedoraproject.org/wiki/Features/Securecontainers
