8

What Linux-on-Linux virtualization technologies provide user isolation? Specifically, I want root in the virtual machine not to have any privilege on the host.

This was not the case for LXC, but was a long-term goal. Is root isolation available in recent versions? If so, which?

Apart from LXC, what is the status of root isolation for OpenVZ, VServer and any other contender?

tshepang

1 Answer

4

Most "lightweight" virtualization solutions are more or less based on the chroot idea - with hidden processes from the "master". I did not see any CERTs about problems there, but this does not seem to be what you are searching for.

A Hypervisor approach might be more the direction you are looking for - but I would not count that as "lightweight" (also a PV XEN DomU is pretty fast). Strictly speaking the Dom0 does not start the DomU - it tells the Hypervisor to do so - but there have been CERTs about privilege escalation (VMware ESX and XEN). I don't know about Hyper-V though.

For a better isolation of user rights - where there is a user-space process spawning an "isolated" VM - there is VirtualBox, but again, not lightweight. This is full virtualization, but the VMs can be started as a "normal" user. The user has to have access to the underlying disk - and, if you want/need to, USB devices.

Apart from that there is a kernel module for the networking stuff, which seems to work quite well (using DKMS).

Nils