From bf7f598a793facf19056a2edbe143be2e6eb92c1 Mon Sep 17 00:00:00 2001 From: Thomas Lamprecht Date: Fri, 14 Feb 2020 17:47:26 +0100 Subject: [PATCH] pct: move "security considerations" below CT settings Signed-off-by: Thomas Lamprecht --- pct.adoc | 40 ++++++++++++++++++++-------------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/pct.adoc b/pct.adoc index 9bedab7..2502bcb 100644 --- a/pct.adoc +++ b/pct.adoc @@ -86,26 +86,6 @@ Technology Overview * Container setup from host (network, DNS, storage, etc.) -Security Considerations ------------------------ - -Containers use the kernel of the host system. This creates a big attack surface -for malicious users. This should be considered if containers are provided to -untrustworthy people. In general, full virtual machines provide better -isolation. - -However, LXC uses many security features like AppArmor, CGroups and kernel -namespaces to reduce the attack surface. - -AppArmor profiles are used to restrict access to possibly dangerous actions. -Some system calls, i.e. `mount`, are prohibited from execution. - -To trace AppArmor activity, use: - ----- -# dmesg | grep apparmor ----- - [[pct_container_images]] Container Images ---------------- 
@@ -576,6 +556,26 @@ It will be called during various phases of the guests lifetime. For an example and documentation see the example script under `/usr/share/pve-docs/examples/guest-example-hookscript.pl`. +Security Considerations +----------------------- + +Containers use the kernel of the host system. This exposes an attack surface +for malicious users. In general, full virtual machines provide better +isolation. This should be considered if containers are provided to unkown or +untrusted people. + +To reduce the attack surface, LXC uses many security features like AppArmor, +CGroups and kernel namespaces. + +AppArmor profiles are used to restrict access to possibly dangerous actions. +Some system calls, i.e. `mount`, are prohibited from execution. + +To trace AppArmor activity, use: + +---- +# dmesg | grep apparmor +---- + Guest Operating System Configuration ------------------------------------
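Review bot: the subject says "move", but the text removed in the `@@ -86,26 +86,6 @@` hunk is not the text that reappears further down. "This creates a big attack surface" becomes "This exposes an attack surface", "untrustworthy people" becomes "unkown or untrusted people", and the sentences of the first two paragraphs are reordered. Please either mention the rewording in the commit message or split it into its own commit, so the move can be checked as a pure move and the softened security wording gets reviewed on its own.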
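Review bot: typo in the first added paragraph of the `@@ -576,6 +556,26 @@` hunk: "unkown" should be "unknown". In the same hunk, "Some system calls, i.e. `mount`, are prohibited from execution" gives `mount` as an example rather than a restatement, so "e.g." or "for example" fits better. That wording is carried over from the old section, but it could be fixed now that the paragraph is being touched anyway.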