List: lxc-users
Subject: [lxc-users] LXD in VMs and image format stability
From: jhickman () 0metasecurity ! com
Date: 2017-01-21 8:42:47
Message-ID: 1484988167.772120480 () apps ! rackspace ! com
Hi list.
I'm interested in using LXD in my penetration testing business to solve a couple of
infrastructure issues I have, and wanted some feedback if I could get it.
I currently use XenServer 7 to run VMs for various purposes, both as a 'lab' for
testing tools and techniques, but also to host 'work' VMs for running security
engagements against client systems.
I like XenServer and consider its performance quite good, but it would grant me extra
flexibility if I could use LXD containers to provide isolated environments to run
certain tools, do exploit development and reverse-engineering, etc.
Are there any particular disadvantages to having LXD itself inside a VM? Or is it best
practice to run it directly on bare metal? It seems like there would be some expected
overhead lost in terms of CPU and some network throughput, but is there anything else
I should know?
The other concern I had was about the 'export' feature of lxc. I want to use the
export functionality to provide a complete copy of the environment and all work (logs,
bash history, command spool, etc) and all files created (source and compiled exploit
code, bespoke scripts and tools, etc) inside the container. That exported image is
combined with other files from the engagement and then archived in air-gapped,
encrypted storage. I understand from reading that the tarball is the rootfs from the
container, so the files are obviously available. However, I would prefer to have the
option of launching that container and interacting with the exact versions of all
tools, frameworks etc as they were at the time of that engagement.
Put simply: if I have to unseal this archive 2-3 years later, does lxc provide any
guarantee that the image will still import?
Thanks to any who take the time to read this wall of text.
Jon Hickman
Lead Penetration Tester, OSCP
0metasecurity.com