Alpine LXC container

LnxBil

Feb 21, 2015
Hi everyone,

I'd like to understand some strangeness with the "default" Alpine LXC template as a minimal container (64 MB RAM, 32 MB Swap, 1 GB ZFS):

Code:
root@alpine-test / > free -m
             total       used       free     shared    buffers     cached
Mem:          1999       1842        157         49          0          0
-/+ buffers/cache:       1841        158
Swap:          999          0        999

root@alpine-test / > busybox free -m
             total       used       free     shared    buffers     cached
Mem:          1999       1845        154         49          0          0
-/+ buffers/cache:       1844        155
Swap:          999          0        999

root@alpine-test / > grep -Ei '(Mem|Swap)Total' /proc/meminfo
MemTotal:          65536 kB
SwapTotal:         32768 kB

I see with the busybox-binaries the memory and swap configuration of the host. I'm running pve-no-subscription with current (=today) patches (pve-manager/4.3-9/f7c6f0cd (running kernel: 4.4.21-1-pve)). This is different from any other container I used before.
 
Busybox's free implementation uses the sysinfo() syscall instead of the /proc and cgroup file systems. This syscall does not take cgroups or namespaces into account. IOW, it is not containerized.
 
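To make the difference Wolfgang describes concrete, here is a small added C program (not from the thread or from Proxmox) that reads total memory both ways: once through the sysinfo(2) syscall, which reports the host kernel's global totals, and once by parsing /proc/meminfo, which tools like lxcfs can virtualize per container. It assumes a Linux host (glibc or musl provide <sys/sysinfo.h>); the embedded sample text is constructed from the numbers posted above so the parser can be exercised without a container, and the comparison helper flags when the two sources disagree, which is the symptom the original post shows.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/sysinfo.h>   /* Linux-specific: sysinfo(2) */

/* Constructed sample in /proc/meminfo format, using the values from the
 * post above (a container limited to 64 MB RAM / 32 MB swap). */
static const char SAMPLE_MEMINFO[] =
    "MemTotal:          65536 kB\n"
    "MemFree:           12345 kB\n"
    "SwapTotal:         32768 kB\n"
    "SwapFree:          32768 kB\n";

/* Total RAM as reported by the sysinfo(2) syscall. This is what busybox
 * free uses; the kernel fills in global (host) totals, ignoring the
 * caller's cgroup limits and namespaces. Returns 0 on error. */
static unsigned long long sysinfo_total_ram_bytes(void) {
    struct sysinfo si;
    if (sysinfo(&si) != 0)
        return 0;
    return (unsigned long long)si.totalram * si.mem_unit;
}

/* Find "<key>:  <value> kB" at the start of a line in meminfo-style text
 * and return the value in kB, or 0 if the key is absent. */
static unsigned long long meminfo_field_kb(const char *text, const char *key) {
    size_t klen = strlen(key);
    const char *p = text;
    while (p && *p) {
        /* Require the ':' so "MemTotal" does not match "MemTotalFoo". */
        if (strncmp(p, key, klen) == 0 && p[klen] == ':')
            return strtoull(p + klen + 1, NULL, 10);  /* skips leading spaces */
        p = strchr(p, '\n');
        if (p)
            p++;
    }
    return 0;
}

/* MemTotal from the live /proc/meminfo. In an LXC container with lxcfs
 * mounted, this reflects the cgroup memory limit. Returns 0 on error. */
static unsigned long long proc_meminfo_total_kb(void) {
    FILE *f = fopen("/proc/meminfo", "r");
    if (!f)
        return 0;
    char buf[8192];
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return meminfo_field_kb(buf, "MemTotal");
}

/* Returns 1 when the syscall view and the /proc view differ by more than
 * tolerance_kb, i.e. when a tool relying on sysinfo() would leak host
 * sizing into the container. */
static int sources_disagree(unsigned long long sysinfo_kb,
                            unsigned long long meminfo_kb,
                            unsigned long long tolerance_kb) {
    unsigned long long diff = sysinfo_kb > meminfo_kb ? sysinfo_kb - meminfo_kb
                                                      : meminfo_kb - sysinfo_kb;
    return diff > tolerance_kb ? 1 : 0;
}

int main(void) {
    unsigned long long via_sysinfo_kb = sysinfo_total_ram_bytes() / 1024;
    unsigned long long via_proc_kb = proc_meminfo_total_kb();

    printf("sysinfo(2)    MemTotal: %llu kB\n", via_sysinfo_kb);
    printf("/proc/meminfo MemTotal: %llu kB\n", via_proc_kb);
    printf("constructed sample    : MemTotal=%llu kB SwapTotal=%llu kB\n",
           meminfo_field_kb(SAMPLE_MEMINFO, "MemTotal"),
           meminfo_field_kb(SAMPLE_MEMINFO, "SwapTotal"));

    if (sources_disagree(via_sysinfo_kb, via_proc_kb, 1024))
        printf("views differ: sysinfo() is not cgroup-aware on this system\n");
    else
        printf("views agree\n");
    return 0;
}
```

Run it inside a container to see the divergence; on a bare host or VM the two numbers match, which is why the behaviour only stands out in LXC.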
Thanks Wolfgang, I thought of something similar. So, this is some kind of security flaw? I suppose it should not be that some old, low-level API is able to retrieve more information about the hypervisor than it should be, should it?
 
So, this is some kind of security flaw?

No, I do not think this is a security flaw.

I suppose it should not be that some old, low-level API is able to retrieve more information about the hypervisor than it should be, should it?

A container does not provide a full isolation (it runs on the host kernel). Please use KVM if this is a requirement.