Welcome to the Scenario-Based LXD/LXC Security course. This is the third course of a four-course learning path related to securing containers. The first course focused on teaching how to prepare and harden our operating system so that it is secured as much as possible. The second course was all about Docker containers and taught how to navigate through different situations within the context of Docker security. This time, we move on to another popular container known as Linux Containers (LXC) where we will get some in-depth insight to how to use them. LXD is a system container manager and an extension of LXC. Today, one is not used without the other.
In this course, we go over a series of best security practices. In order to do anything, we need to install LXC and initialize LXD. One useful security feature of the Linux kernel is seccomp, and we will talk about it within the context of LXC. Seccomp is used to allow and deny system calls with blacklists and whitelists. For unprivileged containers, it adds another layer of security and it is a good practice. Another useful thing we can do with LXC/LXD containers and container groups is limit their resource consumption. We can pose constraints on different parts of the system such as CPU usage, RAM usage, the amount of network traffic going in and out, etc. These restriction options are important because if our container starts overconsuming the resources of the system for any reason and we don’t have an alert system to warn us, that can result in a very slow system or our container can end up DoSing everything running on the system.
One practical example we will go through is the process configuring a container to be a tunnel through which we will redirect traffic. It will be an SSH tunnel with private and public keys, and all traffic will go through it. This shields us as the end user from being exposed and encrypts our traffic when traveling between two points.
Another practical example we will go through is the process of configuring and securing a container to run Apache Web Server for an application backend and frontend. We will be creating three separate containers for this: one for the backend, one for the database, and one for the frontend. We will need to configure proper communication between them and ensure we end up using best security practices and strong encryption.