Configure tomcat running in chroot jail with latest version of Proxmox

Ilgar

New Member
Mar 29, 2018
Hello there! I have a problem starting Tomcat in a chroot jail with the latest Proxmox, since it uses LXC. When it used OpenVZ it all worked well. The problem is that I need to mount proc into the chroot environment (this was fine before, with the older version of Proxmox) and I can't do this; I get the error:
mount: /proc is write-protected, mounting read-only
mount: cannot mount /proc read-only

This is an important step to get Tomcat running in a chroot, so I can't skip it. I also need to run Tomcat in a chroot because there are no extra utilities like cron there, which was used to start mining malware on a schedule on my server.

Thanks for helping!
 
proc is automatically mounted, so do not use it inside your startup script.

I don't see the relation between chroot, cron and mining malware. Everything is as simple as it was without a container or a chroot. You do not have any additional security against mining malware.
 
I just want to start Tomcat in a chroot jail within an LXC container. The general requirement to start Tomcat in a chroot jail is to mount proc into the chroot folder. At the moment I can't do this:
mount -t proc proc /opt/chroot/proc
then I get the error
mount: cannot mount /proc read-only
How can I mount it? Tomcat doesn't work in a chroot jail without proc mounted.
 
The question is: why do you want to run it inside a chroot inside of an LX(C) container? The container itself works similarly to a chroot, only with more security (like not being able to remount stuff like proc).

Just create an ordinary unprivileged container and install and run Tomcat there. Additionally, configure your PVE firewall for that container properly and you have a very secure system.
 
Thanks for the reply! How can LXC prevent changing cron through vulnerabilities? I used Tomcat without a chroot before, until I got a problem with mining malware. There was a vulnerability in the Struts framework and there was a possibility to create a cron task by sending a huge POST request. This cron task downloaded and started mining malware. I decided to run Tomcat within a chroot jail without cron or any other extra utilities and it helped to prevent this attack. Will LXC prevent it like a chroot?

At the moment I'm using a privileged container.
 
How can LXC prevent changing cron through vulnerabilities?

Update your server regularly.

This cron task downloaded and started mining malware.

Firewall will prevent machine from accessing the internet, so it cannot be downloaded.

Will LXC prevent it like a chroot?

LXC separates your virtualised system from your host. Secure your stuff, then you do not have to worry about exploits and stuff.

At the moment I'm using a privileged container.

Don't. Use unprivileged containers for security purposes.
 
What if we have a vulnerability but there is no hotfix for it?
Also, I can't see how I can configure the firewall to prevent the machine from accessing the internet while Tomcat needs an internet connection. There is a web server which interacts with a different web server over HTTP.
 
What if we have a vulnerability but there is no hotfix for it?

What kind of software is this that does not fix its bugs?

Also, I can't see how I can configure the firewall to prevent the machine from accessing the internet while Tomcat needs an internet connection. There is a web server which interacts with a different web server over HTTP.

Your web server connects to other web servers (hopefully HTTPS, not HTTP as you wrote)? Are these servers always the same, e.g. one fixed set of services and servers? If so, just create firewall rules that allow traffic to those sites and reject all other connections.
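The per-container firewall the two replies above recommend (an unprivileged container plus an outbound allow-list for the fixed set of peer servers) can be written down as a Proxmox VE firewall file. The following is an added example, not configuration posted in this thread: it assumes a hypothetical container with VMID 101, that Tomcat listens on TCP 8080, and uses documentation addresses (203.0.113.x, 192.0.2.53) as the peer web servers and the resolver; replace them with your own.

```ini
# /etc/pve/firewall/101.fw -- per-container firewall for a hypothetical CT 101
# Added example; VMID, ports and all addresses are assumptions.

[OPTIONS]
enable: 1
policy_in: DROP
policy_out: DROP
log_level_out: info

[IPSET upstream]
# The fixed set of peer web servers Tomcat must reach (constructed addresses)
203.0.113.10
203.0.113.11

[RULES]
# Inbound: only the application port
IN ACCEPT -p tcp -dport 8080 -log nolog
# Outbound: HTTPS to the allow-listed peers only
OUT ACCEPT -dest +upstream -p tcp -dport 443 -log nolog
# Outbound: DNS to the resolver the container is configured with
OUT ACCEPT -dest 192.0.2.53 -p udp -dport 53 -log nolog
# Anything else outbound falls through to policy_out DROP and is logged,
# so a cron job or exploit payload that tries to fetch a miner from an
# arbitrary host gets no connection, and the attempt shows up in the log.
```

For the rules to take effect the firewall must also be enabled at datacenter level (`enable: 1` under `[OPTIONS]` in `/etc/pve/firewall/cluster.fw`) and on the container's network interface (`firewall=1` in its `net0` setting, e.g. `pct set 101 --net0 name=eth0,bridge=vmbr0,ip=dhcp,firewall=1`); the container itself should be created with `--unprivileged 1`. The allow-list blocks the download stage of the attack described in this thread, not the exploit itself: a payload that arrives inline with the request, or one that only needs the allow-listed hosts, still runs, so keep Tomcat and Struts patched and watch the dropped-packet log entries, since an unexpected outbound attempt from the container is itself a useful detection signal.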
 
