====== LinuX Containers (LXC) ======

===== Links =====

  * [[https://landscape.cncf.io/category=container-runtime&format=card-mode&grouping=category|Category: Container runtimes]]
  * [[https://www.infopoint-security.de/aktuelle-container-technologien-haben-schwaechen-in-der-isolation/a20141/|Current container technologies have weaknesses in isolation]] Original: [[https://unit42.paloaltonetworks.com/making-containers-more-isolated-an-overview-of-sandboxed-container-technologies/|Making Containers More Isolated: An Overview of Sandboxed Container Technologies]]

===== Configuration =====

Check whether the running kernel provides everything containers need:

<code bash>
lxc-checkconfig
</code>

==== lxd daemon ====

https://github.com/lxc/lxd

==== storage backends ====

Supported backends: btrfs, ceph, dir, lvm or zfs.

===== live migration =====

Live migration needs CRIU on both hosts; the instance is then moved with ''lxc move'':

<code bash>
sudo apt install criu
lxc move host1:$somename host2:$somename
</code>

===== Security =====

Basic rules:

  * privileged containers -> root privileges on the host
  * membership in the lxd group -> root privileges on the host
  * access to the LXD socket -> root privileges on the host

Security settings for bridged NICs (note: these filters prevent nested containers!):

^ Key ^ Type ^ Default ^ Required ^ Description ^
| security.mac_filtering | boolean | false | no | Prevent the instance from spoofing another's MAC address |
| security.ipv4_filtering | boolean | false | no | Prevent the instance from spoofing another's IPv4 address (enables mac_filtering) |
| security.ipv6_filtering | boolean | false | no | Prevent the instance from spoofing another's IPv6 address (enables mac_filtering) |

One can override the default bridged NIC settings from the profile on a per-instance basis (''<instance>'' and ''<nic-device>'' are placeholders, e.g. the instance name and ''eth0''):

<code bash>
lxc config device override <instance> <nic-device> security.mac_filtering=true
</code>

==== Links ====

  * **https://linuxcontainers.org/lxc/security/**
  * https://lxd.readthedocs.io/en/latest/security/
  * https://github.com/lxc/lxd#security
  * https://linuxcontainers.org/lxd/getting-started-cli/#access-control
  * https://reboare.github.io/lxd/lxd-escape.html
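As an added example (not part of the original page or the LXD project), a small Python audit over a constructed sample of ''lxc list --format json'' output that flags the risks listed above: privileged instances, bridged NICs without the spoofing filters, and filters that collide with ''security.nesting''. The JSON field names (''name'', ''expanded_config'', ''expanded_devices'') and the string-encoded boolean values are assumptions about LXD's output format.

```python
import json

# Constructed sample in the assumed shape of `lxc list --format json`
# output (fields name, expanded_config, expanded_devices); not from a real host.
SAMPLE_LXC_LIST_JSON = json.dumps([
    {"name": "web1",
     "expanded_config": {"security.privileged": "true"},
     "expanded_devices": {
         "eth0": {"type": "nic", "nictype": "bridged", "parent": "lxdbr0"},
         "root": {"type": "disk", "path": "/", "pool": "default"}}},
    {"name": "db1",
     "expanded_config": {"security.nesting": "true"},
     "expanded_devices": {
         "eth0": {"type": "nic", "nictype": "bridged", "parent": "lxdbr0",
                  "security.ipv4_filtering": "true"},
         "root": {"type": "disk", "path": "/", "pool": "default"}}},
])

FILTER_KEYS = ("security.mac_filtering", "security.ipv4_filtering",
               "security.ipv6_filtering")


def is_true(value):
    """LXD config values are strings; treat 'true'/'1'/'yes' as enabled."""
    return str(value).strip().lower() in ("true", "1", "yes")


def audit_instances(lxc_list_json):
    """Return {instance: [finding, ...]} for the risks this page lists."""
    findings = {}
    for inst in json.loads(lxc_list_json):
        issues = []
        cfg = inst.get("expanded_config", {})
        nesting = is_true(cfg.get("security.nesting", "false"))
        if is_true(cfg.get("security.privileged", "false")):
            issues.append("security.privileged=true: root inside is root on the host")
        for dev_name, dev in inst.get("expanded_devices", {}).items():
            if dev.get("type") != "nic" or dev.get("nictype") != "bridged":
                continue
            enabled = {k: is_true(dev.get(k, "false")) for k in FILTER_KEYS}
            # Per the table above, ipv4/ipv6 filtering implicitly enable MAC filtering.
            enabled["security.mac_filtering"] |= (
                enabled["security.ipv4_filtering"] or enabled["security.ipv6_filtering"])
            for key, on in enabled.items():
                if not on:
                    issues.append(f"{dev_name}: {key} not enabled")
            if nesting and enabled["security.mac_filtering"]:
                issues.append(f"{dev_name}: MAC filtering is on but security.nesting=true; "
                              "the filters block nested containers' networking")
        if issues:
            findings[inst["name"]] = issues
    return findings
```

On a real host, feed it the output of ''lxc list --format json'' instead of the constructed sample.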