Security objectives

Blindly applying policies without a goal in mind is of limited value: you should first define clear security goals.
Keeping the objectives simple and achievable, we will seek the following:
- use the file system isolation the container provides to create containers that offer web and ssh services;
- the containers should be independent and protected from each other: container vs1 cannot read the files of another container vs2 or interrupt its tasks;
- the host's key files must not be accessible from inside a container;
- the container's web server and ssh server are accessible from outside.

General settings

In this article we conduct two experiments: first, protecting the container with SELinux, and then protecting the container with Smack. These two experiments demonstrate most of the basic settings. You can use a real machine for both experiments, but a virtual machine is easier. If you want to use kvm or qemu, create a hard disk with:
    qemu-img create vm.img 10G
Boot the virtual machine from the CDROM with:
    kvm -hda vm.img -cdrom cdrom.iso -boot d -m 512M
To get the CDROM image, download the Fedora 10 for i386 installation DVD from fedoraproject.org/get-fedora, and replace cdrom.iso in the command with the name of the downloaded file. For the basic installation you can use the defaults, but you must not choose "office and productivity"; choose "software development" instead. In addition, use the yum package manager to install the debootstrap, ncurses-devel and bridge-utils rpms.

Now you need to compile a custom kernel. Download the kernel source rpm and apply the patch enable-netns.patch (see the download section), which provides network namespaces (they are in upstream 2.6.29 but not in Fedora 10); then change the configuration, compile and install. As root, run:
    yumdownloader --source kernel
    rpm -i kernel*
    cd rpmbuild
    rpmbuild -bc SPECS/kernel-*
    cd BUILD/kernel-2.6.27/linux-2.6*
    patch -p1 < ~/enable-netns.patch
    make menuconfig
    make && make modules_install && make install
For both experiments, in the make menuconfig step you need to select network namespaces (in the Networking support -> Networking options menu).
For the Smack experiment, you also need to enter the Security options menu, deselect SELinux and select the next option, Smack. You will also need to set the default boot entry in /boot/grub/grub.conf to 0 instead of 1.

Now we try liblxc. "LXC: Linux container tools" describes basic liblxc usage in detail, so it is not repeated here. Just use the container_setup.sh script (see the download section) to set up the network bridge that the container network devices will attach to. It also clears the firewall (which by default does not handle bridges) and, for the Smack experiment, sets the Smack policy (we will create the file /etc/smack/accesses). Run container_setup.sh after each reboot, or set it to run automatically at boot time if you know how to do so.

Now you are ready to try liblxc in the virtual machine. Download the latest source code from cvs at lxc.sf.net and compile it as follows:
    cvs -d :pserver:anonymous@lxc.cvs.sourceforge.net:/cvsroot/lxc login
    cvs -z3 -d :pserver:anonymous@lxc.cvs.sourceforge.net:/cvsroot/lxc co -P lxc
    cd lxc
    ./bootstrap && ./configure && make && make install
If you now look at the README, you will find several entry points to choose from. Containers are very lightweight because they share many resources with the system, including the file system. But our goal is to provide some simple isolation, so use the lxc-debian script to create a complete Debian chroot image for each container. First create a container named vsplain:
    mkdir /vsplain
    cd /vsplain
    lxc-debian create
and answer the prompts with container name vsplain, hostname vsplain, IP 10.0.2.20 and gateway 10.0.2.2. The container's configuration is stored in the directory /usr/local/var/lxc/vsplain. If you look at the file named cgroup there, you will see some lines beginning with "devices.". These are device whitelist cgroup directives that control which devices the container may create, read and write. Start the container with:
    lxc-start -n vsplain
The login prompt appears.
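The Smack policy that container_setup.sh writes to /etc/smack/accesses is what enforces the isolation objectives above. The following is an added example, not code from the article or from liblxc: it models the kernel's Smack access decision over a rule set in the "subject object mode" format of that file, and checks the page's goals (vs1 cannot read vs2, containers cannot read the host's keys) against it. The labels vs1, vs2, host and net and the rule lines themselves are constructed for illustration; the real policy is whatever the script installs.

```python
"""Model of Smack's access decision (added example, not the page's own code).

Rule lines use the /etc/smack/accesses format "subject object mode".  The
labels and rules below are constructed for the two-container scenario in
the text; the decision order follows the kernel's documented Smack rules.
"""

# Constructed rule set: each container may use the network label, the host
# may manage both containers, and nothing grants vs1 any access to vs2 or
# to the host's label (absence of a rule means deny).
RULES_TEXT = """\
vs1 net rw
vs2 net rw
host vs1 rwxa
host vs2 rwxa
"""

STAR = "*"      # as object: any access permitted; as subject: always denied
HAT = "^"       # as subject: may read/execute anything
FLOOR = "_"     # as object: anyone may read/execute
ACCESS_BITS = "rwxa"  # read, write, execute, append


def parse_rules(text):
    """Parse rule lines into {(subject, object): set of permitted bits}."""
    rules = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 'subject object mode'")
        subj, obj, mode = parts
        bits = set(mode.lower()) - {"-"}   # "-" means no access at all
        unknown = bits - set(ACCESS_BITS)
        if unknown:
            raise ValueError(f"line {lineno}: unknown access {sorted(unknown)}")
        rules[(subj, obj)] = bits
    return rules


def smack_allowed(rules, subject, obj, access):
    """Return True if Smack would permit `access` (bits from 'rwxa')
    requested by a task labelled `subject` on an object labelled `obj`."""
    wanted = set(access)
    if subject == STAR:                          # rule 1: "*" tasks are denied
        return False
    if subject == HAT and wanted <= {"r", "x"}:  # rule 2: hat reads anything
        return True
    if obj == FLOOR and wanted <= {"r", "x"}:    # rule 3: floor is readable by all
        return True
    if obj == STAR:                              # rule 4: star objects are open
        return True
    if subject == obj:                           # rule 5: same label
        return True
    # rule 6: an explicit rule must cover every requested bit; else deny.
    return wanted <= rules.get((subject, obj), set())


def check_isolation(rules):
    """Evaluate the page's objectives against a rule set; returns {goal: ok}."""
    return {
        "vs1 cannot read vs2 files": not smack_allowed(rules, "vs1", "vs2", "r"),
        "vs2 cannot write vs1 files": not smack_allowed(rules, "vs2", "vs1", "w"),
        "container cannot read host keys": not smack_allowed(rules, "vs1", "host", "r"),
        "container can use the network": smack_allowed(rules, "vs1", "net", "rw"),
        "host can manage containers": smack_allowed(rules, "host", "vs2", "rw"),
    }


if __name__ == "__main__":
    for goal, ok in check_isolation(parse_rules(RULES_TEXT)).items():
        print(f"{'OK ' if ok else 'BAD'} {goal}")
```

The useful property to notice is that isolation comes from the rules that are absent: nothing needs to say "vs1 vs2 -", because an access with no matching rule is denied, so the only way vs1 could reach vs2 is if the policy (or a process relabelling) explicitly granted it.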
Log in to the container as root; no password is required. Finally, while the container is running, execute the following commands:
    apt-get install openssh-server
    apt-get install apache2
You can now ssh from the kvm host to the container, and view its web page using the vsplain and host IP addresses (10.0.2.20 and 10.0.2.15 respectively). You can stop the container from a root terminal on the kvm host with:
    lxc-stop -n vsplain
At this point, cloning two new virtual machines from this template saves some time. Shut down the VM and run:
    cp vm.img selinux.img
    cp vm.img smack.img
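The cgroup file that lxc-debian writes for vsplain carries the device whitelist mentioned earlier. As an added example (not the page's own code, nor liblxc's), here is a small evaluator for such a whitelist: it applies the entries top to bottom and decides whether the container may read, write or create (mknod) a given device node. The entry syntax "TYPE MAJOR:MINOR ACCESS" is the kernel's devices-cgroup syntax; the "devices.allow = " / "devices.deny = " prefix is an assumed rendering of the file, and the device list itself is constructed for illustration.

```python
"""Evaluate a devices-cgroup whitelist (added example, not the page's or
liblxc's own code).

Entries use the kernel's "TYPE MAJOR:MINOR ACCESS" syntax, where TYPE is
a (all), b (block) or c (char), "*" matches any major or minor, and ACCESS
is a subset of r (read), w (write), m (mknod).  The "devices.allow = " /
"devices.deny = " prefixes are an assumed rendering of the cgroup file.
"""

# Constructed whitelist: deny everything, then re-allow a few pseudo devices
# (null, zero, random, urandom, ptmx and the pty slaves).
CGROUP_TEXT = """\
devices.deny = a
devices.allow = c 1:3 rwm
devices.allow = c 1:5 rwm
devices.allow = c 1:8 rwm
devices.allow = c 1:9 rwm
devices.allow = c 5:2 rwm
devices.allow = c 136:* rwm
"""

ACCESS_BITS = "rwm"


def _parse_entry(spec):
    """'c 136:* rwm' -> ('c', '136', '*', {'r','w','m'}); 'a' means everything."""
    parts = spec.split()
    if parts == ["a"]:
        return ("a", "*", "*", set(ACCESS_BITS))
    if len(parts) != 3 or ":" not in parts[1]:
        raise ValueError(f"bad device entry: {spec!r}")
    dtype, majmin, access = parts
    if dtype not in ("a", "b", "c"):
        raise ValueError(f"bad device type in {spec!r}")
    major, minor = majmin.split(":", 1)
    bits = set(access)
    if not bits or not bits <= set(ACCESS_BITS):
        raise ValueError(f"bad access bits in {spec!r}")
    return (dtype, major, minor, bits)


def parse_whitelist(text):
    """Return the allow entries in effect after applying the file top to
    bottom.  'devices.deny = a' empties the list (pure whitelist mode);
    finer-grained deny lines are not modelled here."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("devices."):
            continue
        key, _, spec = line.partition("=")
        key, spec = key.strip(), spec.strip()
        if key == "devices.deny":
            if spec != "a":
                raise NotImplementedError("only 'devices.deny = a' is modelled")
            entries = []
        elif key == "devices.allow":
            entries.append(_parse_entry(spec))
    return entries


def device_allowed(entries, dtype, major, minor, access):
    """True if some entry covers the device type, major:minor and every
    requested access bit; anything not whitelisted is denied."""
    wanted = set(access)
    for etype, emajor, eminor, ebits in entries:
        if etype != "a" and etype != dtype:
            continue
        if emajor != "*" and emajor != str(major):
            continue
        if eminor != "*" and eminor != str(minor):
            continue
        if wanted <= ebits:
            return True
    return False


if __name__ == "__main__":
    wl = parse_whitelist(CGROUP_TEXT)
    for name, dev in {"/dev/null": ("c", 1, 3), "/dev/sda": ("b", 8, 0),
                      "/dev/mem": ("c", 1, 1), "/dev/pts/7": ("c", 136, 7)}.items():
        print(f"{name:12} rw allowed: {device_allowed(wl, *dev, 'rw')}")
```

The point for the isolation goals is the same as with the Smack rules: a container that can mknod and read block devices such as the host's disk would bypass file system isolation entirely, so the whitelist starts from "deny a" and re-adds only the pseudo devices a Debian chroot needs.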