hi
I plan to install some internet facing services on LXC, and I 'm reviewing the security.
The scenario is the worst case: the attacker has RCE with root privileges on the LXC.
will he be contained there?
The LXC is of course unprivileged.
I'm not considering any 0days of the kernel/OS, these are part of life and will be pathed hopefully sooner than later.
I noticed for example, that from the LXC lsblk shows me all PVE disks or that netdata shows all IO rates and much more.
Is there any additional hardening steps to safeguard the PVE host? what are the risks for the host and the other VMs/LXC
Is VM is the better/only way to go?
Thoughts and prayers are welcome...
m
I plan to install some internet facing services on LXC, and I 'm reviewing the security.
The scenario is the worst case: the attacker has RCE with root privileges on the LXC.
will he be contained there?
The LXC is of course unprivileged.
I'm not considering any 0days of the kernel/OS, these are part of life and will be pathed hopefully sooner than later.
I noticed for example, that from the LXC lsblk shows me all PVE disks or that netdata shows all IO rates and much more.
Is there any additional hardening steps to safeguard the PVE host? what are the risks for the host and the other VMs/LXC
Is VM is the better/only way to go?
Thoughts and prayers are welcome...
m
