Originally Posted by TheFu
Are there known security issues with allowing containers access to the host's audio, video, and clipboard devices? How do we lock those down as much as possible?
Can someone compare using LXD to Firejail or mbox?
I use firejail both with a tmpfs overlay and just restrictions to subdirs under HOME for write. It is really, really, easy. Very light. Haven't tried Wayland - ever.
Anyway, all of this is great even if nothing is perfect; each is a step in the right direction to lock down risky processes just a little more than before. Golf claps all around! Very nice.
I tried all three of them. They all use the same Linux kernel security features to enforce the separation of processes. The main difference for me is in the usability to the end-user.
LXD is similar to Docker/Moby in that both are about containers. LXD differs from Docker/Moby in that it offers machine containers. That is, it's containers that behave just like additional servers/computers, inside your computer.
The purpose of LXD is to be a very light-weight KVM or VirtualBox. I am now running ten LXD machine containers on my desktop and they do not cause any degradation in performance.
LXD is meant to be used for services (servers), but it can be used for GUI apps as well.
My tutorial to get GUI apps on LXD is at https://blog.simos.info/how-to-run-g...buntu-desktop/
This tutorial tries to be simple, and re-uses the desktop X session (GPU and Pulseaudio server). It does not offer security separation over the low-level desktop X session. For security separation, it would need to use Xephyr instead.
Here are some use-cases for using LXD with GUI apps:
1. You want to install an app in Wine, but you do not want to mess with your desktop by installing all those 32-bit dependencies and what not. You install Wine in an LXD container instead.
2. You want to install Steam, and again do not want to mess with 32-bit packages and other stuff that get installed. You then have 2+ steam accounts and want an easy way to switch from one to the other. You just make a copy of the container and set up the new account.
3. You want to try a nodejs app (an example without GUI) but do not want to install all sorts of dependencies. You install it in an LXD machine container and access it over HTTP. For example, https://blog.simos.info/how-to-insta...lxd-container/ This provides good security separation.
Compared to mbox, here is how to do this with LXD:
Code:
$ lxc launch ubuntu:16.04 mytest
Creating mytest
Starting mytest
$ lxc exec mytest /bin/bash
root@mytest:~# cd /
root@mytest:/# ls
bin dev home lib64 mnt proc run snap sys usr
boot etc lib media opt root sbin srv tmp var
root@mytest:/# rm -fr *
root@mytest:/# ls
bash: /bin/ls: No such file or directory
root@mytest:/# echo *
dev proc run sys var
root@mytest:/# exit
$ lxc stop --force mytest
$ lxc delete mytest
$
In this example, we created a machine container called mytest with a brand-new and clean Ubuntu 16.04 installation. Then, we invoked a root shell in mytest. The next step was to rm -fr all files. Being a machine container, we only removed files inside the machine container.
We then exit the machine container, and we force-stop it. Finally, we delete "mytest" and that's it. All gone!
Here is the list of Linux distributions that are supported (as "guests") in LXD machine containers, https://us.images.linuxcontainers.org/
Overall, the main benefit of LXD to me is that it is simpler to use and you are less likely to make a mistake when using it.
For even easier GUI on LXD with proper X11 separation, it should be possible to take the code of Xephyr and create a lightweight clone of VirtualBox!
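As an added example (not from the post above and not part of the LXD project), here is a small POSIX shell script that follows up on the Xephyr point: it prints or runs the commands that hand a container a nested Xephyr display instead of the host's real X socket, and it audits the output of `lxc config device show` for devices that expose the host desktop session (the real X0 socket, PulseAudio, sound and video devices). The container name `mytest`, the nested display number `1`, the device label `x11-nested` and the sample device listing in the usage section are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not code from the forum post or from LXD itself.
# Assumes: a container already exists (here called "mytest"), Xephyr is
# installed on the host, and the host desktop runs on display :0.

# Print the commands that give CONTAINER a nested Xephyr display number
# DISPLAY_NO. Xephyr listens on /tmp/.X11-unix/X<DISPLAY_NO>; only that
# socket is mounted into the container, at X0, so apps inside simply use
# DISPLAY=:0 and never see the host's own X socket.
# Usage: nested_x11_commands <container> <display_no>
nested_x11_commands() {
    container="$1"
    display_no="$2"
    cat <<EOF
Xephyr :$display_no -screen 1280x800 -title "LXD $container" &
lxc config device add $container x11-nested disk source=/tmp/.X11-unix/X$display_no path=/tmp/.X11-unix/X0
lxc exec $container -- env DISPLAY=:0 xterm
EOF
}

# Run the above for real, or just print it when DRY_RUN is set.
# Usage: run_nested_x11 <container> <display_no>
run_nested_x11() {
    if [ -n "$DRY_RUN" ]; then
        nested_x11_commands "$1" "$2"
    else
        nested_x11_commands "$1" "$2" | sh
    fi
}

# Read `lxc config device show <container>` output on stdin and report
# every disk device whose source is the host desktop's X socket (X<HOST_DISPLAY>,
# default 0), a PulseAudio native socket, or a sound/video device node.
# Prints "EXPOSED <device> -> <source>" per finding; returns 1 if any found.
# Usage: lxc config device show mytest | audit_host_desktop_exposure [host_display]
audit_host_desktop_exposure() {
    host_display="${1:-0}"
    awk -v hostx="/tmp/.X11-unix/X$host_display" '
        /^[^ ].*:$/ { dev = $1; sub(":", "", dev) }   # top-level key = device name
        /^  source:/ {
            src = $2
            if (src == hostx ||
                src ~ /\/pulse\/native$/ ||
                src ~ /^\/dev\/snd/ ||
                src ~ /^\/dev\/video/) {
                print "EXPOSED " dev " -> " src
                n++
            }
        }
        END { exit (n > 0) ? 1 : 0 }
    '
}
```

Usage: `DRY_RUN=1 run_nested_x11 mytest 1` shows the three commands; without `DRY_RUN` they are executed. `lxc config device show mytest | audit_host_desktop_exposure` then flags anything that still points at the real desktop session, which is exactly the sharing the tutorial's simple setup relies on. Two caveats: if your host desktop is not on display :0, pass its number as the first argument to the audit; and in an unprivileged container the mounted socket is owned by a host uid, so the container's user needs a matching uid mapping (LXD's `raw.idmap` key) before it can connect.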