Scenario Based LXD/LXC Security

By Ermin

Learn how to use the popular container technology known as Linux Containers (LXC), as well as LXD (a system container manager and extension of LXC).

9 hours
  • 32 Lessons
  • 5 Hands-On Labs

About the course

Welcome to the Scenario-Based LXD/LXC Security course. This is the third course of a four-course learning path related to securing containers. The first course focused on teaching how to prepare and harden our operating system so that it is secured as much as possible. The second course was all about Docker containers and taught how to navigate through different situations within the context of Docker security. This time, we move on to another popular container technology known as Linux Containers (LXC), where we will get some in-depth insight into how to use them. LXD is a system container manager and an extension of LXC. Today, one is not used without the other.

In this course, we go over a series of best security practices. In order to do anything, we need to install LXC and initialize LXD. One useful security feature of the Linux kernel is seccomp, and we will talk about it within the context of LXC. Seccomp is used to allow and deny system calls with blacklists and whitelists. For unprivileged containers, it adds another layer of security and it is a good practice. Another useful thing we can do with LXC/LXD containers and container groups is limit their resource consumption. We can place constraints on different parts of the system such as CPU usage, RAM usage, the amount of network traffic going in and out, etc. These restriction options are important because if our container starts overconsuming the resources of the system for any reason and we don’t have an alert system to warn us, that can result in a very slow system or our container can end up DoSing everything running on the system.

One practical example we will go through is the process of configuring a container to be a tunnel through which we will redirect traffic. It will be an SSH tunnel with private and public keys, and all traffic will go through it. This shields us as the end user from being exposed and encrypts our traffic when traveling between two points.

Another practical example we will go through is the process of configuring and securing a container to run Apache Web Server for an application backend and frontend. We will be creating three separate containers for this: one for the backend, one for the database, and one for the frontend. We will need to configure proper communication between them and ensure we end up using best security practices and strong encryption.

  • Chapter 1 7 Lessons Getting Started 19:55

    An Important Note About A Cloud Guru and Linux Academy Courses

    1:19

    About the Author

    1:45

    About the Course

    5:41

    How to Get Help

    1:40

    Prerequisites

    2:45

    Text Editor Vim Basics (Optional)

    3:18

    Job Market (Optional)

    3:27
  • Chapter 2 8 Lessons Best Practices 3:13:22

    Getting Started

    6:23

    Resource Limits Part 1 - CPU Cores

    7:39

    Resource Limits Part 2 - CPU Time

    8:15

    Resource Limits Part 3 - RAM

    7:38

    Seccomp - Whitelists and Blacklists

    13:27

    Create a Custom Image with the Given Specifications

    45:00 Hands-On Lab

    Configure Resource Limits

    1:00:00 Hands-On Lab

    Modify Seccomp Profile of a Container

    45:00 Hands-On Lab
  • Chapter 3 16 Lessons Applications and Services 5:37:46

    SSH Tunnel Part 1 - SOCKS5 Proxy, VPN, Container Port Forwarding

    11:25

    SSH Tunnel Part 2 - SOCKS5 Proxy, VPN, Container Port Forwarding

    9:06

    SSH Tunnel Part 3 - SOCKS5 Proxy, VPN, Container Port Forwarding

    4:58

    Configure and Secure a Container to Run Apache Web Server for Application Front End Part 1 - Web Server Container Front End Setup and Configuration

    7:41

    Configure and Secure a Container to Run Apache Web Server for Application Front End Part 2 - Web Server Container Front End Setup and Configuration

    10:31

    Configure and Secure a Container to Serve Application Back End via Apache Part 1 - Apache Web Server, Initial Setup Configuration

    7:41

    Configure and Secure a Container to Serve Application Back End via Apache Part 2 - Web Server Container Back End Setup, Configuration, Nonstandard Ports, and SSL

    10:34

    Configure and Secure a Container to Serve Application Back End via Apache Part 3 - Install and Create a Database

    8:29

    Configure and Secure a Container to Serve Application Back End via Apache Part 4 - Database User Creation and Access Rights

    6:33

    Configure and Secure a Container to Serve Application Back End via Apache Part 5 - Database, Firewall, and Access Rights

    8:37

    Configure and Secure a Container to Serve Application Back End via Apache Part 6 - Get and Configure Flask App Rest API

    7:28

    Configure and Secure a Container to Serve Application Back End via Apache Part 7 - Get and Configure Flask App Rest API

    11:51

    Configure and Secure a Container to Serve Application Back End via Apache Part 8 - Proxy Config, Troubleshooting, and Testing

    11:26

    Configure and Secure a Container to Run Apache Web Server for Application Front End Final - Wrapping Up Loose Ends

    11:26

    Design a Container to Run a Proxy

    1:30:00 Hands-On Lab

    Create and Deploy an Application Back End

    2:00:00 Hands-On Lab
  • Chapter 4 1 Lesson Final Steps 2:51

    Course Summary

    2:51

What you will need

  • Python Programming Language
  • Bash Scripting
  • Vim Text Editor
  • Linux File System
  • Linux Command Line
  • Basic Understanding of Networks

What are Hands-on Labs

What's the difference between theoretical knowledge and real skills? Practical real-world experience. That's where Hands-on Labs come in! Hands-on Labs are guided, interactive experiences that help you learn and practice real-world scenarios in real cloud environments. Hands-on Labs are seamlessly integrated in courses, so you can learn by doing.
