[pve-devel] Opinion of Proxmox's Virtualisation Experts regarding: LightVM

Thomas Lamprecht t.lamprecht at proxmox.com
Mon Nov 13 06:30:21 CET 2017


Hi,

On 11/11/2017 10:26 AM, Thomas wrote:
> I have received some interesting information regarding LightVM <http://cnp.neclab.eu/projects/lightvm/>.

Not directly related to your security question, but as this project
is building on Xen it cannot coexist with our KVM VMs and needs
another kernel too.

> In a white paper <http://cnp.neclab.eu/projects/lightvm/lightvm.pdf> there's a statement related to pros and cons of container-based solutions (page 2):
> "However, no technology is perfect, and containers are no exception: security is a continuous thorn in their side. The main culprit is the hugely powerful kernel syscall API that containers use to interact with the host OS. This API is very broad as it offers kernel support for process and thread management, memory, network, filesystems, IPC, and so forth: Linux, for instance, has 400 different system calls [37], most with multiple parameters and many with overlapping functionality; moreover, the number of syscalls is constantly increasing (see figure 1). The syscall API is fundamentally more difficult to secure than the relatively simple x86 ABI offered by virtual machines where memory isolation (with hardware support) and CPU protection rings are sufficient."
> [37] MAN page. [n. d.]. Linux system calls list. http://man7.org/linux/manpages/man2/syscalls.2.html. ([n. d.])
> Question:
> What is the experts' opinion on the statements regarding security concerns/issues?

Also, VMs are not locked down: there's memory to be moved, IO to happen, ...
And where this happens there is often room for security implications.

Although yes, the attack surface for a "host takeover" is smaller,
containers are not as open as they suggest, IMO.

Parts of the API are inaccessible from a CT as syscalls are filtered
with seccomp. AppArmor profiles enforce mandatory access controls for
doing stuff (e.g. mounting something), and the CT lives in its own
namespaces, away from other processes, with reduced capabilities.

For a far better and more extensive overview read:
https://linuxcontainers.org/lxc/security/
Unprivileged CTs are available in PVE; if you are concerned about security,
those are a really good choice.

cheers, Thomas
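The seccomp layer mentioned in the mail, as an added example that is not part of the thread or of LXC/PVE code: a seccomp-BPF filter built from a list of syscall numbers that makes those fail with EPERM and allows the rest, which is the same kernel primitive an LXC seccomp profile is compiled into. It assumes Linux kernel uapi headers on x86_64 or aarch64, and blocks getppid (chosen only because it is harmless and easy to observe) alongside mount.

```c
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#if defined(__x86_64__)
#define SECCOMP_ARCH AUDIT_ARCH_X86_64
#else   /* assumes aarch64; add the AUDIT_ARCH_* value for any other target */
#define SECCOMP_ARCH AUDIT_ARCH_AARCH64
#endif
/* Install a seccomp-BPF filter: every syscall number in nrs[] fails with EPERM, all
 * others are allowed. Returns 0 or -1 (errno set). Like a container runtime's
 * profile, the filter is permanent and inherited by every child process. */
int deny_syscalls(const int *nrs, size_t n)
{
    size_t len = 4 + n + 2, i;
    struct sock_filter *f = calloc(len, sizeof *f);
    struct sock_fprog prog = { .len = (unsigned short)len, .filter = f };
    if (!f || n == 0 || n > 255) { free(f); errno = EINVAL; return -1; }
    /* kill on a foreign ABI so compat syscall numbers cannot slip past the list */
    f[0] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    f[1] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SECCOMP_ARCH, 1, 0);
    f[2] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    f[3] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (i = 0; i < n; i++)   /* on a match, jump past the remaining compares and the ALLOW */
        f[4 + i] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)nrs[i], (unsigned char)(n - i), 0);
    f[4 + n]     = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    f[4 + n + 1] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA));
    /* NO_NEW_PRIVS is what lets an unprivileged process install a filter at all */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0 ||
        prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0) { free(f); return -1; }
    free(f);   /* the kernel keeps its own copy of the program */
    return 0;
}
/* Probe via a direct syscall: 0 if getppid(2) worked, otherwise errno. */
int probe_getppid(void) { return syscall(__NR_getppid) == -1 ? errno : 0; }
int main(void)
{
    const int blocked[] = { __NR_getppid, __NR_mount };   /* getppid: harmless and observable */
    int before = probe_getppid();
    if (deny_syscalls(blocked, 2) != 0) { perror("seccomp"); return 1; }
    printf("getppid errno before: %d, after: %d (EPERM = %d)\n", before, probe_getppid(), EPERM);
    return 0;
}
```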