ecryptfs-backed containers

During this cycle, the lxc package gained the ability to call ‘hooks’ at various points of a container’s life cycle. Just today, a new hook point was added to the quantal package, which supports a simple use of ecryptfs backed containers.

Why would you want that, you might ask? Well, it offers a few advantages. First, if you’re running your containers on a cloud instance, you can rest assured that if your instance’s disk space is re-used for someone else’s instance without first being zeroed out, the container rootfs contents will not be revealed. Secondly, the un-encrypted rootfs contents are never mounted in the host’s namespace (though they are accessible by privileged tasks through /proc/$$/root), so unprivileged tasks on the host should not be able to read those contents either. Third, there is the usual ecryptfs advantage of supporting simple encrypted backups.

Currently it takes a few extra steps to make use of this. During the next cycle, we will hopefully move all this work into the standard ‘ubuntu’ container creation template, so that a simple

lxc-create -t ubuntu -n e1 — -e 2be2810752901deb

will create container whose rootfs is encrypted by the fekek in your keyring with sig 2be2810752901deb. But for now, you’ll need to do:

  • add ‘lxc.hook.premount = /usr/share/lxc/hooks/mountecryptfsroot’ to the container’s configuration file
  • change the rootfs to /var/lib/lxc/ecryptfs-root in the configuration file by setting ‘lxc.rootfs = /var/lib/lxc/ecryptfs-root’
  • add the line ‘mount -> /var/lib/lxc/ecryptfs-root’ to /etc/apparmor.d/abstractions/lxc/start-container
  • convert your container’s root filesystem to be ecryptfs-backed. Assuming your container is called ‘q1’, do
    • c=q1
    • mv /var/lib/lxc/$x/rootfs /var/lib/lxc/$c/rootfs.plain
    • mkdir /var/lib/lxc/$c/rootfs{,.crypt}
    • sig=`echo none | ecryptfs-add-passphrase | grep -v Passphrase | cut -d[ -f 2 | cut -d] -f 1`
    • mount -t ecryptfs -o ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=n,ecryptfs_sig=${sig},sig=${sig},verbosity=0 rootfs.crypt rootfs
    • rsync -va /var/lib/lxc/$c/rootfs.plain/ /var/lib/lxc/$c/rootfs/
    • umount /var/lib/lxc/$c/rootfs
    • rm -rf /var/lib/lxc/$c/rootfs.plain
  • Now you can start your container by adding the passphrase to your in-kernel keyring using ‘ecryptfs-add-passphrase’, then starting your container as normal.
    • echo none | ecryptfs-add-passphrase
    • lxc-start -n q1

(These directions are copied from those in the /usr/share/lxc/hooks/mountecryptfsroot file)

This entry was posted in Uncategorized and tagged , , . Bookmark the permalink.

5 Responses to ecryptfs-backed containers

  1. Marcus says:

    This is a very cool feature.
    Would it be safe to backport the lxc package from this cycle back to precise to get the hooks feature? I am not that much into lxc/cgroups/seccomp and stuff so I don’t know if it will all play well together. Any advice?

    • s3hh says:

      It should be safe, and in fact stgraber has them backported in ppa:stgraber/experimental and intends to push these to precise-backports.

      • s3hh says:

        Oh – sorry, regarding seccomp, the package build should simply detect that libseccomp is not there. (Unless it also ends up in precise-backports, in which case you’re good to go 🙂

  2. Ryan says:

    I’m wondering that if this feature has developed in lxc standard functionality. Recently I was finding a solution to encrypt container roofs from the host, so that the files in container can only accessed by container ssh user. But seems that I cannot find it in lxc document.

    • s3hh says:

      Yes, pre-mount hooks are upstream, you can see them listed in lxc.container.conf() manpage.
      Personally though, I’m currently only using luks-encrypted LVs for some container backing stores. For those, I don’t use any hooks, I just manually set up luks and start the containers from there.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s