Creating secure LXC containers with virt-sandbox-service

In my previous articles [1], [2] and [3] I demonstrated how to create LXC containers using the LXC user-space tools, libvirt and OpenStack. The problem with out-of-the-box LXC "containers" is that they lack security, mainly because they are just an implementation of kernel features such as network and filesystem namespaces and control groups (cgroups).

Even though this provides process isolation, it does not provide any level of security. The best way to work around this is to create SELinux contexts for each LXC process, and this is what virt-sandbox-service provides. It takes advantage of SELinux MLS labeling to confine users and processes.

This feature has been available since Fedora 17 and is well integrated with the new systemd System and Service Manager [4] by using unit configuration files. A unit configuration file encodes information about a service, a socket, a device, a mount point, an automount point, a swap file or partition, a start-up target, a file system path, or a timer controlled and supervised by systemd.

In the following example I'll demonstrate how to start the httpd service in an LXC container using Fedora 18 and the virt-sandbox-service utility.

First, make sure SELinux is running in enforcing mode:

Next install the dependencies:

To create the httpd container run:

The options are as follows:

-C clones content from the /etc and /var directories, which will be mounted within the container.
-l is the MLS level with which to run the container.
-u is the systemd unit file to run within the container.

To start the container execute:

To list the running containers run:

Alternatively you can use virsh:

To connect to the container run:

As you can see, you can write to /var/www/html/ but not to /, due to the SELinux context.

You can see the SELinux labeling by running:

The cgroups are located in, and can be manipulated through, the following directory structures:

The OS-level view of the LXC container:

To stop the container:

And finally to delete the container run:

That should delete the following files:

To create a new container running mysqld, just pass its systemd unit file with -u.
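The following shell example is added here and is not from the original post: it assembles the virt-sandbox-service create command described above (the -C, -l and -u options, for httpd or any other unit), refuses a malformed MLS level before it reaches -l, and checks a constructed `ps -eZ` line for the sandbox type and the exact level the container was created with. The process type name svirt_lxc_net_t and the `getenforce` check are assumptions, not something the post states.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the
# virt-sandbox-service create syntax with -C, -l and -u as described above,
# and that sandboxed processes run as type svirt_lxc_net_t (assumption).

# Accept only a well-formed MLS/MCS level such as s0 or s0:c0,c1 before
# it is handed to -l; anything else is rejected.
valid_level() {
    printf '%s' "$1" | grep -Eq '^s[0-9]+(:c[0-9]+(,c[0-9]+)*)?$'
}

# Assemble the create command from the post: clone /etc and /var (-C),
# run at the given MLS level (-l) and start the given unit file (-u).
build_create_cmd() {
    name=$1; level=$2; unit=$3
    valid_level "$level" || return 1
    printf 'virt-sandbox-service create -C -l %s -u %s %s\n' \
        "$level" "$unit" "$name"
}

# The MLS label only confines anything if SELinux is enforcing.
selinux_enforcing() {
    [ "$(getenforce 2>/dev/null)" = "Enforcing" ]
}

# Check one `ps -eZ` line: the context must end with the sandbox type and
# exactly the level the container was created with (no other level passes).
label_ok() {
    line=$1; level=$2; type=${3:-svirt_lxc_net_t}
    ctx=$(printf '%s' "$line" | awk '{print $1}')
    case $ctx in
        *:"$type":"$level") return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample line in `ps -eZ` format, not real output.
SAMPLE_PS_LINE='system_u:system_r:svirt_lxc_net_t:s0:c0,c1 1234 ? 00:00:00 httpd'

selinux_enforcing || echo 'warning: SELinux is not enforcing' >&2
build_create_cmd httpd_sandbox s0:c0,c1 httpd.service
if label_ok "$SAMPLE_PS_LINE" s0:c0,c1; then
    echo 'httpd runs with the expected sandbox label'
fi
```

Run it against the real `ps -eZ` output after connecting to the container to confirm the label matches the level given to -l.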

For more information and examples check the main project page at [5].