
List:       lxc-users
Subject:    [lxc-users] LXD in VMs and image format stability
From:       jhickman () 0metasecurity ! com
Date:       2017-01-21 8:42:47
Message-ID: 1484988167.772120480 () apps ! rackspace ! com

Hi list.

I'm interested in using LXD in my penetration testing business to solve a couple of infrastructure issues I have, and wanted some feedback if I could get it.

I currently use XenServer 7 to run VMs for various purposes, both as a 'lab' for testing tools and techniques, but also to host 'work' VMs for running security engagements against client systems.

I like XenServer and consider its performance quite good, but it would grant me extra flexibility if I could use LXD containers to provide isolated environments to run certain tools, do exploit development and reverse-engineering, etc.

Are there any particular disadvantages to having LXD itself inside a VM? Or is best practice to run it directly on bare metal? It seems like there would be some expected overhead lost in terms of CPU and some network throughput, but is there anything else I should know?

The other concern I had was about the 'export' feature of lxc. I want to use the export functionality to provide a complete copy of the environment and all work (logs, bash history, command spool, etc) and all files created (source and compiled exploit code, bespoke scripts and tools, etc) inside the container. That exported image is combined with other files from the engagement and then archived in air-gapped, encrypted storage. I understand from reading that the tarball is the rootfs from the container, so the files are obviously available. However, I would prefer to have the option of launching that container and interacting with the exact versions of all tools, frameworks etc as they were at the time of that engagement.

Put simply, if I have to unseal this archive 2-3 years later, does lxc provide any guarantee that the image will still import?

Thanks for any who take the time to read this wall of text. 

Jon Hickman
Lead Penetration Tester, OSCP
0metasecurity.com
