LXC containers

Something like a Linux virtual host, but without hardware virtualization.

  • LXC containers use the host Linux kernel.

  • But they run in separate kernel namespaces for isolation:

    • Processes.

    • Network.

    • Mount.

An LXC container is a small Linux distribution that boots on top of the already running host kernel, and it exposes an API so that host applications can control it.

Privileged and unprivileged

Privileged

When the container's UID 0 is mapped to the host's UID 0.

Protection against abuse from inside the container relies on correctly tuning the extra protections in the host's kernel.

  • AppArmor, SELinux, capabilities, etc.

Unprivileged

When the container's UID 0 is mapped to a host UID other than 0.

Processes that escape the container's sandbox have no special privileges on the host.
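The two ideas above (namespace isolation, and whether the container's UID 0 is the host's UID 0) can both be checked from the host side through /proc. The following script is an added example, not code from the original page or from the LXC project: it compares the namespace links under /proc/<pid>/ns/ and parses a uid_map in the format of /proc/<pid>/uid_map ("<inside-uid> <outside-uid> <count>" per line). The fake /proc tree, the PIDs 200 and 300, and the two uid_map samples are constructed so the script runs offline; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): inspecting a container from
# the host side through /proc. Two checks:
#   1. which namespaces (pid, net, mnt) a process has that differ from init's
#   2. whether the container's UID 0 is the host's UID 0 (privileged) or not
# The /proc layout used is the real Linux one; all sample data below is
# constructed so the script runs without any container present.

# separate_namespaces PROC_ROOT PID_A PID_B
# Prints the namespace types (pid, net, mnt) in which PID_A and PID_B differ,
# by comparing the "<type>:[<inode>]" links under <proc>/<pid>/ns/.
# Pass "/proc" and a real container init PID to use this on a live host.
separate_namespaces() {
    proc=$1; a=$2; b=$3
    for ns in pid net mnt; do
        la=$(readlink "$proc/$a/ns/$ns" 2>/dev/null) || la=""
        lb=$(readlink "$proc/$b/ns/$ns" 2>/dev/null) || lb=""
        if [ -n "$la" ] && [ "$la" != "$lb" ]; then
            printf '%s\n' "$ns"
        fi
    done
}

# host_uid_for MAP_TEXT CONTAINER_UID
# MAP_TEXT is the content of /proc/<pid>/uid_map: lines of
# "<inside-uid> <outside-uid> <count>". Prints the host UID that
# CONTAINER_UID maps to, or "unmapped" if no line covers it.
host_uid_for() {
    cuid=$2
    found=""
    while read -r inside outside count; do
        [ -z "$inside" ] && continue          # skip blank lines
        if [ "$cuid" -ge "$inside" ] && [ "$cuid" -lt $((inside + count)) ]; then
            found=$((outside + cuid - inside))
            break
        fi
    done <<EOF
$1
EOF
    if [ -n "$found" ]; then printf '%s\n' "$found"; else printf 'unmapped\n'; fi
}

# classify_uid_map MAP_TEXT
# "privileged" when container UID 0 is host UID 0, "unprivileged" when it is
# some other host UID, "unmapped" when UID 0 is not mapped at all.
classify_uid_map() {
    case "$(host_uid_for "$1" 0)" in
        0)        echo privileged ;;
        unmapped) echo unmapped ;;
        *)        echo unprivileged ;;
    esac
}

# --- constructed sample data (not captured from a real host) ---------------
# Fake /proc tree: PID 1 is host init, PID 200 a fully isolated container
# init, PID 300 a container started with the host's network namespace.
FAKE_PROC=$(mktemp -d)
for p in 1 200 300; do mkdir -p "$FAKE_PROC/$p/ns"; done
ln -s 'pid:[4026531836]' "$FAKE_PROC/1/ns/pid"
ln -s 'net:[4026531992]' "$FAKE_PROC/1/ns/net"
ln -s 'mnt:[4026531840]' "$FAKE_PROC/1/ns/mnt"
ln -s 'pid:[4026532555]' "$FAKE_PROC/200/ns/pid"
ln -s 'net:[4026532601]' "$FAKE_PROC/200/ns/net"
ln -s 'mnt:[4026532490]' "$FAKE_PROC/200/ns/mnt"
ln -s 'pid:[4026532770]' "$FAKE_PROC/300/ns/pid"
ln -s 'net:[4026531992]' "$FAKE_PROC/300/ns/net"   # same inode as init: shared net
ln -s 'mnt:[4026532780]' "$FAKE_PROC/300/ns/mnt"

# Constructed uid_map contents, same shape as the real file.
PRIV_MAP="         0          0 4294967295"
UNPRIV_MAP="         0     100000      65536"

# --- demo -------------------------------------------------------------------
printf 'PID 200 differs from init in: %s\n' "$(separate_namespaces "$FAKE_PROC" 1 200 | tr '\n' ' ')"
printf 'PID 300 differs from init in: %s\n' "$(separate_namespaces "$FAKE_PROC" 1 300 | tr '\n' ' ')"
printf 'map "%s" -> %s\n' "$PRIV_MAP" "$(classify_uid_map "$PRIV_MAP")"
printf 'map "%s" -> %s\n' "$UNPRIV_MAP" "$(classify_uid_map "$UNPRIV_MAP")"
printf 'container UID 1000 under the unprivileged map is host UID %s\n' "$(host_uid_for "$UNPRIV_MAP" 1000)"
```

On a real host, point separate_namespaces at /proc with the container's init PID to see which namespaces it actually has of its own (a container sharing the host's net namespace shows up like PID 300 here), and feed classify_uid_map the contents of that PID's uid_map. host_uid_for is the piece an incident responder wants: it tells you which host UID a file or process created inside an unprivileged container actually belongs to.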
