security-doc/security-notes/OSSN-0001
Luke Hinds 1bf55f1eb0 Added Authors to Security Notes
All OSSN authors, added under the "Author:" metadata field

Change-Id: I81771dd3ec8d2c133ebc6ddf9f2c5f0f958d603a
Closes-Bug: #1599064
2016-07-11 10:51:07 +00:00


Selecting LXC as Nova Virtualization Driver can lead to data compromise
---
### Summary ###
LXC does not provide the same level of separation as hypervisors when chosen as
the Nova 'virtualization driver'. Attempting to use LXC as a drop-in
replacement for a hypervisor can result in data exposure between tenants.
### Affected Services / Software ###
Nova, LXC, Libvirt, 'Virtualization Driver'
### Discussion ###
The Libvirt LXC functionality exposed by OpenStack is built on the kernel
namespace and cgroup technologies. Until Linux 3.8 there was no support for
separate user namespaces in the kernel, so there was no way to securely isolate
containers from each other or from the host environment using DAC
(discretionary access control): root inside a container is the same uid 0 as
root on the host. For example, containers can escape their resource constraints
by modifying cgroup settings, or attack the host via various files in the proc
and sysfs filesystems. The use of MAC (mandatory access control) technologies
such as SELinux or AppArmor can mitigate these problems, but it is not
practical to write MAC policies that would allow running full OS installs in
LXC under OpenStack.
Although initial user namespace support was merged in Linux 3.8, it is not yet
complete or mature enough to be considered secure. Work is ongoing to finish
the kernel namespace support and to enhance libvirt LXC to take advantage of it.
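As an added illustration of the reasoning above (this check is not part of the security note, of Nova or of libvirt): a small Python script that reads the kernel release and a process's `/proc/<pid>/uid_map` and reports whether root inside a container is still root on the host, which is exactly the condition under which DAC cannot separate guests. The `uid_map` line format (`inside outside count`) and the Linux 3.8 threshold are real; the function names, the result strings and the two sample maps are this example's own constructions.

```python
"""Report whether a container process has user-namespace isolation.

Added example, not part of OSSN-0001. The /proc/<pid>/uid_map format
("inside-id outside-id count", one line per mapping) and the Linux 3.8
threshold are real; function names, result strings and the constructed
sample maps below are this example's own.
"""
import re

USER_NS_MIN_KERNEL = (3, 8)   # first kernel with initial user namespace support
HOST_ROOT_UID = 0


def parse_kernel_release(release: str) -> tuple:
    """Turn a `uname -r` string such as '3.13.0-24-generic' into (major, minor)."""
    m = re.match(r"(\d+)\.(\d+)", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2))


def kernel_has_user_ns(release: str) -> bool:
    """True once the kernel is at least 3.8 (initial, incomplete support)."""
    return parse_kernel_release(release) >= USER_NS_MIN_KERNEL


def parse_uid_map(text: str) -> list:
    """Parse /proc/<pid>/uid_map lines into (inside, outside, count) tuples."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        entries.append(tuple(int(f) for f in fields))
    return entries


def container_root_is_host_root(uid_map_text: str) -> bool:
    """True when uid 0 inside the namespace maps to uid 0 on the host.

    The initial namespace, and any container started without a user namespace,
    shows the identity map '0 0 4294967295': root inside is root outside, so
    DAC on /proc and /sys grants the container the same rights as the host.
    """
    for inside, outside, count in parse_uid_map(uid_map_text):
        if inside <= HOST_ROOT_UID < inside + count:
            return outside + (HOST_ROOT_UID - inside) == HOST_ROOT_UID
    # uid 0 is not mapped at all: root inside is an unprivileged id outside
    return False


def assess(release: str, uid_map_text: str) -> str:
    """Summarise the isolation state along the lines of the note's argument."""
    if not kernel_has_user_ns(release):
        return "no-user-ns-support"
    if container_root_is_host_root(uid_map_text):
        return "root-maps-to-host-root"
    return "user-ns-remapped"


# Constructed sample maps (not captured from a real system).
IDENTITY_MAP = "         0          0 4294967295\n"
REMAPPED_MAP = "         0     100000      65536\n"

if __name__ == "__main__":
    # On a live Linux host, check the calling process itself.
    with open("/proc/sys/kernel/osrelease") as rel, open("/proc/self/uid_map") as m:
        print(assess(rel.read().strip(), m.read()))
```

Run inside a container started by the LXC driver to see which of the three states it is in; a result of `root-maps-to-host-root` on a 3.8+ kernel means the user namespace feature exists but the container is not using it, so the DAC caveat in this note applies in full.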
### Recommended Actions ###
The OSSG advises that anyone deploying Nova in environments that require any
level of separation use a hypervisor such as Xen, KVM, VMware or Hyper-V.
LXC security pivots on DAC (discretionary access control), which is not
currently capable of providing strong isolation of guests. Work is underway to
improve DAC isolation, but it is not ready for production use at this time.
The OSSG recommends against using LXC for enforcing secure separation of
guests, even with appropriate AppArmor policies applied.
### Contacts / References ###
Author: Robert Clark, HP
Nova: http://docs.openstack.org/developer/nova/
LXC: http://lxc.sourceforge.net/
Libvirt: http://libvirt.org/
KVM: http://www.linux-kvm.org/page/Main_Page
Xen: http://xen.org/products/xenhyp.html
LXC DAC: https://wiki.ubuntu.com/UserNamespace
LXC LibVirt Discussion: https://www.berrange.com/posts/2011/09/27/getting-started-with-lxc-using-libvirt/