OpenVZ Forum


OpenVZ and rootkits [message #42786] Fri, 27 May 2011 18:11
curtis_isparks
Because OpenVZ does not have a hypervisor layer (where guests run their own kernel), it does make me wonder about security. Does it still provide protection for the HN against most rootkits that might be run inside a container? In other words, do rootkits that have no knowledge that they are being run inside a container also cause problems for the HN? Are there rootkits that are built specifically to break out of OpenVZ containers?

Thanks,

Curtis
Re: OpenVZ and rootkits [message #42791 is a reply to message #42786] Sat, 28 May 2011 23:51
curtis_isparks
Lots of views on this posting, but it seems nobody knows the status of OpenVZ in regards to whether putting clients inside an OpenVZ container offers any protection against a hacker actually getting root access to the host node?

Why am I asking this? Well, it's a lot easier to rebuild a container than it is to completely reinstall a machine that has been hacked. But am I fooling myself that, by putting customers inside a container, I'm reducing the chances of a hacker actually getting access to the physical machine?
Re: OpenVZ and rootkits [message #42792 is a reply to message #42791] Sun, 29 May 2011 11:44
dzimi
Argh!! ( You cannot use links until you have posted more than 10 messages. )

openvz.livejournal.com/37305.html

Read it. OWL patches would like to help you

[Updated on: Sun, 29 May 2011 11:45]


Re: OpenVZ and rootkits [message #42834 is a reply to message #42792] Fri, 03 June 2011 18:14
curtis_isparks
dzimi wrote on Sun, 29 May 2011 07:44
Argh!! ( You cannot use links until you have posted more than 10 messages. )

openvz.livejournal.com/37305.html

Read it. OWL patches would like to help you


Thanks for the suggestion, dzimi. It looks, however, like OWL acts as the host node OS when you use it, and I'm using Proxmox as my host OS.

Oh well, I am going to try asking this question another way, since this thread did not draw much response.

Curtis