During this cycle, the lxc package gained the ability to call ‘hooks’ at various points of a container’s life cycle. Just today, a new hook point was added to the quantal package, which supports a simple use of ecryptfs backed containers.
Why would you want that, you might ask? Well, it offers a few advantages. First, if you’re running your containers on a cloud instance, you can rest assured that if your instance’s disk space is re-used for someone else’s instance without first being zeroed out, the container rootfs contents will not be revealed. Secondly, the un-encrypted rootfs contents are never mounted in the host’s namespace (though they are accessible by privileged tasks through /proc/$$/root), so unprivileged tasks on the host should not be able to read those contents either. Third, there is the usual ecryptfs advantage of supporting simple encrypted backups.
Currently it takes a few extra steps to make use of this. During the next cycle, we will hopefully move all this work into the standard ‘ubuntu’ container creation template, so that a simple
    lxc-create -t ubuntu -n e1 -- -e 2be2810752901deb
will create a container whose rootfs is encrypted by the fekek in your keyring with sig 2be2810752901deb. But for now, you’ll need to do:
- add ‘lxc.hook.premount = /usr/share/lxc/hooks/mountecryptfsroot’ to the container’s configuration file
- change the rootfs to /var/lib/lxc/ecryptfs-root in the configuration file by setting ‘lxc.rootfs = /var/lib/lxc/ecryptfs-root’
- add the line ‘mount -> /var/lib/lxc/ecryptfs-root’ to /etc/apparmor.d/abstractions/lxc/start-container
- convert your container’s root filesystem to be ecryptfs-backed. Assuming your container is called ‘q1’, do
    c=q1
    mv /var/lib/lxc/$c/rootfs /var/lib/lxc/$c/rootfs.plain
    mkdir /var/lib/lxc/$c/rootfs{,.crypt}
    sig=`echo none | ecryptfs-add-passphrase | grep -v Passphrase | cut -d[ -f 2 | cut -d] -f 1`
    mount -t ecryptfs -o ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=n,ecryptfs_sig=${sig},sig=${sig},verbosity=0 /var/lib/lxc/$c/rootfs.crypt /var/lib/lxc/$c/rootfs
    rsync -va /var/lib/lxc/$c/rootfs.plain/ /var/lib/lxc/$c/rootfs/
    umount /var/lib/lxc/$c/rootfs
    rm -rf /var/lib/lxc/$c/rootfs.plain
- now you can start your container by adding the passphrase to your in-kernel keyring using ‘ecryptfs-add-passphrase’, then starting your container as normal:
    echo none | ecryptfs-add-passphrase
    lxc-start -n q1
(These directions are copied from those in the /usr/share/lxc/hooks/mountecryptfsroot file)
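As an added example (not from the original post or from the mountecryptfsroot hook file), the script below wraps the conversion and start steps above into functions: it uses absolute paths throughout, parses the signature out of ecryptfs-add-passphrase output in a way that fails instead of silently yielding an empty sig, and refuses to copy anything until it has confirmed that the rootfs really is an ecryptfs mount. It assumes the layout the post describes (/var/lib/lxc/<name>/config and rootfs), ecryptfs-utils installed, and root for the convert step; the apparmor abstraction edit (step three) is left to be done by hand. The mount options are the page’s own; the function and variable names (extract_sig, convert_rootfs, ECRYPTFS_PASSPHRASE and so on) are this example’s.

```shell
#!/bin/sh
# Added example, not part of the original post or the lxc hook file: the same
# conversion as the walkthrough, with absolute paths, a sig parser that fails
# loudly instead of producing an empty sig, and a check that the target really
# is an ecryptfs mount before any plaintext is copied into it.
# Assumes: Ubuntu with lxc and ecryptfs-utils installed, containers under
# /var/lib/lxc/<name> as on the page, and root privileges for convert/start.
set -eu

LXC_PATH="${LXC_PATH:-/var/lib/lxc}"
HOOK=/usr/share/lxc/hooks/mountecryptfsroot
CRYPT_ROOT=/var/lib/lxc/ecryptfs-root

# Pull the signature out of ecryptfs-add-passphrase output, which looks like
#   Inserted auth tok with sig [2be2810752901deb] into the user session keyring
# Prints the 16 hex digit sig; returns 1 if no sig line is present, so a failed
# keyring insert cannot turn into an empty "sig=" mount option.
extract_sig() {
    sig=$(printf '%s\n' "$1" | sed -n 's/.*sig \[\([0-9a-f]\{16\}\)\].*/\1/p' | head -n 1)
    [ -n "$sig" ] || return 1
    printf '%s\n' "$sig"
}

# The mount options the page uses, with the sig filled in.
ecryptfs_opts() {
    printf 'ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=n,ecryptfs_sig=%s,sig=%s,verbosity=0' "$1" "$1"
}

# Insert the passphrase into the kernel keyring and print its sig.
add_passphrase() {
    out=$(printf '%s\n' "$1" | ecryptfs-add-passphrase)
    extract_sig "$out"
}

# Point the container at the hook and at the encrypted rootfs path (steps 1-2).
configure_container() {
    cfg="$LXC_PATH/$1/config"
    grep -q '^lxc.hook.premount' "$cfg" || echo "lxc.hook.premount = $HOOK" >> "$cfg"
    sed -i "s|^lxc.rootfs = .*|lxc.rootfs = $CRYPT_ROOT|" "$cfg"
}

# Move the plaintext rootfs aside, mount an ecryptfs view over an empty
# rootfs.crypt, copy everything through that view, then drop the plaintext copy.
convert_rootfs() {
    c="$1"; sig="$2"; d="$LXC_PATH/$c"
    [ -d "$d/rootfs" ] || { echo "no rootfs for $c" >&2; return 1; }
    [ ! -e "$d/rootfs.plain" ] || { echo "$d/rootfs.plain already exists" >&2; return 1; }
    mv "$d/rootfs" "$d/rootfs.plain"
    mkdir "$d/rootfs" "$d/rootfs.crypt"
    mount -t ecryptfs -o "$(ecryptfs_opts "$sig")" "$d/rootfs.crypt" "$d/rootfs"
    # Only copy if the mount really is ecryptfs; copying into a bare directory
    # would leave an unencrypted rootfs while looking like success.
    if ! awk -v m="$d/rootfs" '$2 == m && $3 == "ecryptfs" { found = 1 } END { exit !found }' /proc/mounts; then
        echo "$d/rootfs is not an ecryptfs mount, aborting" >&2
        return 1
    fi
    rsync -a "$d/rootfs.plain/" "$d/rootfs/"
    umount "$d/rootfs"
    rm -rf "$d/rootfs.plain"
}

# Usage: ECRYPTFS_PASSPHRASE=... ./ecryptfs-lxc.sh convert q1
#        ECRYPTFS_PASSPHRASE=... ./ecryptfs-lxc.sh start q1
case "${1:-}" in
    convert)
        sig=$(add_passphrase "${ECRYPTFS_PASSPHRASE:?set ECRYPTFS_PASSPHRASE}")
        configure_container "$2"
        convert_rootfs "$2" "$sig"
        ;;
    start)
        add_passphrase "${ECRYPTFS_PASSPHRASE:?set ECRYPTFS_PASSPHRASE}" >/dev/null
        lxc-start -n "$2"
        ;;
esac
```

Two points worth keeping in mind when using this. The final rm -rf unlinks rootfs.plain but does not overwrite its blocks, so a container converted in place can still leave plaintext on the underlying disk, which is exactly the non-zeroed cloud disk case the post opens with; creating the container encrypted from the start avoids that. And the sig only names the key; its strength is the passphrase behind it, which is why the script reads it from ECRYPTFS_PASSPHRASE rather than hard-coding a literal like the ‘none’ used in the walkthrough.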
This is a very cool feature.
Would it be safe to backport the lxc package from this cycle back to precise to get the hooks feature? I am not that much into lxc/cgroups/seccomp and stuff so I don’t know if it will all play well together. Any advice?
It should be safe, and in fact stgraber has them backported in ppa:stgraber/experimental and intends to push these to precise-backports.
Oh – sorry, regarding seccomp, the package build should simply detect that libseccomp is not there. (Unless it also ends up in precise-backports, in which case you’re good to go.)