linux - Using minimal LXC containers as an advanced and secure chroot to isolate services

05
2014-04
  • kuroneko

    First of all I'm not a security expert, and I never used LXC before.

    I'm trying to harden a Gentoo hardened server as much as possible. To do so, I'm thinking of using LXC, maybe combined with KVM, to isolate network services as much as possible.

    I read the LXC Unix manual page, but it's still pretty obscure to me how Linux containers are set up. Looking on the internet for more information, I've only found documentation about running an entire system inside a Linux container, which isn't what I'd like to do.

    What I want to use LXC for is running just one application inside a container, including only the strictly minimal files / resources required by the application. I do not want to run an entire system inside a container, not even busybox.

    For example, I'd like to isolate the ntpd service. As far as I know, I can't run it inside a VM if it is to synchronize the system clock, but I could run it inside a chroot, or I suppose I could run it inside a Linux container for better isolation and security.
    To do so I would have to:

    1. Identify what files ntpd requires like when setting up a chroot jail.
    2. This is where I don't know what to do or how: LXC configuration, template, where to put my files to set up the container, etc.
    3. Run it with lxc-execute

    Is this possible? What would be the various steps to build, run and manage such a container?

  • Answers
  • allquixotic

    Historically, LXC has had many showstopping security issues that prevent it from being truly isolated, but infrastructure enhancements in the mainline Linux kernel have alleviated most (if not all) of these concerns.

    See here for an overview of the security problems / enhancements that have been observed in successive Ubuntu releases bundling LXC.

    I found this Oracle Unbreakable Enterprise Kernel documentation to be particularly useful for explaining how to do application-level containers.

    From the docs:

    Application containers are not created by using template scripts. Instead, an application container mounts all or part of the host's root file system to provide access to the binaries and libraries that the application requires. You use the lxc-execute command to invoke lxc-init (a cut-down version of /sbin/init) in the container. lxc-init mounts any required directories such as /proc, /dev/shm, and /dev/mqueue, executes the specified application program, and then waits for it to finish executing. When the application exits, the container instance ceases to exist.
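    The three steps the question lists (find what ntpd needs, set up the container, start it with lxc-execute) can be scripted along the lines of the application-container description above. The script below is an added example; it is not from the question, the answer, or the Oracle documentation. It assumes lxc 1.0-era configuration keys (lxc.rootfs, lxc.network.type = none, lxc.autodev, lxc.cap.drop), a host with ldd, install and lxc-execute, and the paths and container name shown; ntpd's own needs (its config file and the ntp user, if it drops privileges) are copied in when present on the host.

```shell
#!/bin/sh
# Added example: build and run a single-application LXC container for ntpd.
# Assumes lxc 1.0 config syntax; paths and container name are assumptions.

NAME="${NAME:-ntpd}"                         # container name (assumption)
BIN="${BIN:-/usr/sbin/ntpd}"                 # program to isolate (assumption)
ROOTFS="${ROOTFS:-/var/lib/lxc/$NAME/rootfs}"
CONF="${CONF:-/var/lib/lxc/$NAME/config}"

# Step 1: turn `ldd` output (read on stdin) into the list of library files
# the binary needs. Keeps "name => /path (addr)" and bare "/path (addr)"
# lines; drops the vDSO (no file on disk) and "not found" entries.
needed_libs() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\// { print $1 }'
}

# Copy one host file into the rootfs at the same path, creating parents
# and keeping the original mode.
copy_in() {
    install -D -m "$(stat -c %a "$1")" "$1" "$ROOTFS$1"
}

# Step 2: populate the minimal root (binary + libraries + what ntpd itself
# reads) and write the container configuration.
build_container() {
    copy_in "$BIN"
    ldd "$BIN" | needed_libs | while read -r lib; do copy_in "$lib"; done
    mkdir -p "$ROOTFS/etc" "$ROOTFS/var/lib/ntp" "$ROOTFS/dev" "$ROOTFS/proc"
    [ -f /etc/ntp.conf ] && copy_in /etc/ntp.conf
    # only the accounts ntpd can use, not the host's whole user database
    grep -E '^(root|ntp):' /etc/passwd > "$ROOTFS/etc/passwd"
    grep -E '^(root|ntp):' /etc/group  > "$ROOTFS/etc/group"
    cat > "$CONF" <<EOF
lxc.utsname = $NAME
lxc.rootfs = $ROOTFS
# Share the host's network namespace: ntpd must reach its peers, and the
# clock it sets is host-wide anyway (CAP_SYS_TIME is not namespaced).
lxc.network.type = none
# Let lxc populate /dev with the basic nodes instead of copying the host's.
lxc.autodev = 1
# Drop what ntpd does not need; sys_time and net_bind_service are kept.
lxc.cap.drop = sys_admin sys_module sys_rawio sys_boot sys_ptrace mknod mac_admin mac_override audit_control audit_write
EOF
}

# Step 3: lxc-execute starts lxc-init, which mounts /proc and runs ntpd in
# the foreground (-n); the container goes away when ntpd exits.
run_container() {
    lxc-execute -n "$NAME" -f "$CONF" -- "$BIN" -n
}

case "${1:-}" in
    build) build_container ;;
    run)   run_container ;;
esac
```

Run `sh build-ntpd-container.sh build` once as root, then `sh build-ntpd-container.sh run`. Review the generated config before the first run: the capability list is a starting point, and anything ntpd opens at runtime that is missing from the rootfs shows up in its log rather than at build time.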


  • Related Question

    partitioning - How to force files together on a Linux partition?
  • Tom Wijsman

    I have a dynamically expanding VDI file which is 14 GB big while the partition itself is only 2 GB.

    The files are too spread out over the disk, so zeroing the free space and compacting the VDI didn't help. If I can get the files to be together on the disk, like MyDefrag can do on Windows, I can spare 12 GB.

    Steps taken so far:

    • Made root partition as small as possible. (NCurses Disk Usage shows only 2 GB left)
    • Used zerofree on the root partition.
    • Used the VirtualBox tools to compact the VDI file. (It went from 16 GB -> 14 GB)

    The file should be half the size of what it is now...

    Info about the disk:

    Disk /dev/sda: 536.9 GB, 536870912000 bytes  
    255 heads, 63 sectors/track, 65270 cylinders  
    Units = cylinders of 16065 * 512 = 8225280 bytes  
    Sector size (logical/physical): 512 bytes / 512 bytes  
    I/O size (minimum/optimal): 512 bytes / 512 bytes  
    Disk identifier: 0x837d7521  
    
       Device Boot      Start         End      Blocks   Id  System  
    /dev/sda1               1           5       40131   83  Linux  
    /dev/sda2               6          71      530145   82  Linux swap / Solaris  
    /dev/sda3              72       65270   523710967+  83  Linux
    
    
    Model: ATA VBOX HARDDISK (scsi)
    Disk /dev/sda: 537GB
    Sector size (logical/physical): 512B/512B
    Partition Table: msdos
    
    Number  Start   End     Size    Type     File system     Flags
     1      32.3kB  41.1MB  41.1MB  primary  ext2
     2      41.1MB  584MB   543MB   primary  linux-swap(v1)
     3      584MB   537GB   536GB   primary  ext3
    
    
    Filesystem           1K-blocks      Used Available Use% Mounted on
    /dev/sda3            515492812   2443136 486864128   1% /
    

    I'm currently trying to defragment it, then I'll do the zerofree and compact steps again.

    This might work...

    Total Files:                    178174
    Fragmented Files:               25881
    File Fragmentation Rate:        14.5256883720408%
    Avg File Fragments(1 is best):  1.16055653462346
    

    But does it?

    Done!
    Now lets see the results...
    Statistics for /
    Total Files:                    0
    Fragmented Files:               0
    Illegal division by zero at /usr/sbin/defragfs line 193.
    

    Ouch, fail... It broke my install (kernel panic), I think I still have a back-up of a month ago.

    Don't worry about it, I only have to emerge --sync; emerge -Du world; svn up on the back-up...
    I currently use it for native Linux development only, that's why I need it to be 3 GB and not 14 GB.
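    The defragfs statistics quoted in the post die on an empty file set ("Illegal division by zero"). As an added example, not part of the post or of defragfs, the same four numbers can be computed from the output of filefrag (e2fsprogs), which prints one "path: N extents found" line per file, with the empty case handled. The sample lines in the test are constructed.

```shell
#!/bin/sh
# Added example: file-fragmentation statistics from `filefrag` output, with
# the "no files" case handled instead of dividing by zero.

# Read "path: N extents found" lines on stdin. Print total files, fragmented
# files (more than one extent), the fragmentation rate in percent and the
# average number of extents per file. With zero files, rate and average are 0.
frag_stats() {
    awk '/ extents? found$/ {
             n = $(NF-2) + 0          # extent count sits two fields before "found"
             files++
             extents += n
             if (n > 1) fragmented++
         }
         END {
             rate = (files > 0) ? 100 * fragmented / files : 0
             avg  = (files > 0) ? extents / files : 0
             printf "Total Files: %d\nFragmented Files: %d\n", files, fragmented
             printf "File Fragmentation Rate: %.2f%%\nAvg File Fragments: %.4f\n", rate, avg
         }'
}

# Walk one filesystem (-xdev) and feed every regular file to filefrag;
# filefrag's error messages for files it cannot map go to stderr and are dropped.
scan_fs() {
    find "$1" -xdev -type f -exec filefrag {} + 2>/dev/null | frag_stats
}

[ -n "${1:-}" ] && scan_fs "$1"
```

Usage: `sh frag-stats.sh /` (as root, so every file can be mapped). A file counts as fragmented from two extents upward, which is the same criterion the quoted "Fragmented Files" line implies.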


  • Related Answers
  • harrymc

    If your problem is the layout of the partitions, you can use any partitioning product.
    Just download the image of the boot CD of any partitioning product and boot with it as you would with a real physical computer. GParted is one possible choice.

    If the partitions won't resize, defragmentation might be required. Although the file system on Linux is organized more efficiently than on Windows, it is not immune to this need. Linux File System Defragmenter is one possible solution.

    EDIT

    Sorry about losing the kernel.

    Weird: Having a file-system with 1% used that can't resize is really weird.
    Did you have on it some large files that you deleted?

    In any case, defragmenters for ext3 are rare, unlike ext4, which is planned to eventually include an online defragmentation utility. However, here are some utilities that may play nicer with your disk. Be sure to read the README files carefully.

    Shake is a defragmenter that runs in userspace, without the need of patching the kernel and while the system is used (for now, on GNU/Linux only).

    Defrag the first is a shell-level script.

    Defrag the second is another shell-level script.

  • Neal

    May not be the best solution, but an easy way would be to copy the filesystem on the partition to a new partition, using copy -a to preserve the file attributes.

    A quick edit of fstab to mount the new partition in place of the old one and away you go...

  • slhck

    How to effectively compact Linux Virtual Machine: http://kb.parallels.com/en/5683

    In Parallels Desktop version 3:

    • Click Hard Disk 1
    • Advanced
    • click Compact

    In Parallels Desktop version 4:

    • Start Parallels Image Tools from Applications/Parallels
    • Select Disk to compact pointing to Virtual Machine pvm
    • Click "Choose" button
    • Click "Continue"
    • Select "Compact Disk"
    • Click "Start"