[PVE-User] Container less secure than KVM?

Scott Dowdle dowdle at montanalinux.org
Fri Jun 20 19:22:21 CEST 2014


----- Original Message -----
> I have notice that I can access the entire FileSystem of a OpenVZ
> Container, from Proxmox...
> Is that right?
> For my point of view, this is a security breach, once I can remove
> all files in /var/lib/vz/private/<VMID>!!!
> Or am I wrong?

That's how it has been (to the best of my knowledge) since SWsoft create Virtuozzo in 2001 and released OpenVZ in 2005.  About two years ago they added the ability to use disk image with ploop... kinda like how KVM does it.  It isn't a security breach.

You can also remove KVM VM disk images from the host node... and if you have libguestfs and tools installed, you can access the internals of those disk images and alter things as desired.

Any other questions? :)

Scott Dowdle
704 Church Street
Belgrade, MT 59714
(406)388-0827 [home]
(406)994-3931 [work]

More information about the pve-user mailing list