Linux - Containers This forum is for the discussion of all topics relating to Linux containers. Docker, LXC, LXD, runC, containerd, CoreOS, Kubernetes, Mesos, rkt, and all other Linux container platforms are welcome.


09-15-2018, 04:27 PM   #1
Registered: Nov 2017
Location: Germany / Bonn
Distribution: Deepin Linux, Debian
Posts: 65

Rep: Reputation: 1
Is a firewall needed in an LXD container, e.g. Apache/Owncloud

I have created an Ubuntu LXD host under a Hyper-V server with some containers running in bridged mode.

1. HAProxy SSL
2. Owncloud
3. Wordpress
4. Kopano Mail System...etc.

What about the security of LXD containers?
Some say that a container of this kind should be treated like a normal operating system and the same security measures should be taken accordingly.
Normally I would then use at least a combination of 'iptables' and 'fail2ban'.
Others think that the isolation by the containers, in combination with AppArmor and the reduction of the root account, brings enough security?

I honestly can't imagine it right. Can a container like the SSL proxy be hijacked in the same way as a normal host, and does it need to be secured by e.g. 'iptables'?

What are your security concepts in this area?

Last edited by taumeister; 09-17-2018 at 04:43 AM.
09-17-2018, 02:47 AM   #2
LQ Guru
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 11,857

Rep: Reputation: 3606
I think you mixed two different things: containers are isolated from each other and the host. But they work (more or less) as a VM and if you allow external access they will need the same protection as any other OS.
1 members found this post helpful.
09-17-2018, 04:40 AM   #3
Registered: Nov 2017
Location: Germany / Bonn
Distribution: Deepin Linux, Debian
Posts: 65

Original Poster
Rep: Reputation: 1
Hello and thank you very much for your answer.
No, I'm not mixing anything here and I'm well aware of the difference.
And containers are almost like virtual machines but not complete.
They are much more isolated and the permissions within them are greatly reduced.
Normal containers are not privileged either.

But at the end of the day I came to a similar conclusion and limited all containers via iptables to the ports used as well as secured them with fail2ban - at least the two web servers.
Additionally I will read the BSI pages about basic protection and isolation of LXD environments.


All times are GMT -5.