Protecting Applications in Linux LXC Containers

Sentinel LDK supports protected applications that execute in LXC containers under Linux, within the limitations described in this appendix.

The Product license for a protected application that runs in an LXC container can be deployed using either HL keys or using SL keys, as described below.

NOTE   This appendix is applicable for applications that are protected and licensed using Sentinel LDK v.8.2 and later.

In this appendix:

>Using SL Keys

>Using HL Keys

Using SL Keys

Sentinel LDK supports the use of SL keys for protected applications that execute in an LXC container. The Run-time Environment can be installed on the host machine or within the LXC container.

The Run-time Environment and the SL key for a protected application that runs in an LXC container can be configured using one of the options described below.

>Option 1 - Outside of Container

Type of Key: SL AdminMode key (includes cloud licensing)
Location of Run-time Environment: Host machine or remote machine
Location of SL Key: Host machine or remote machine

The RTE and SL key are installed outside of the LXC container. This option does not have any limitations. The RTE works as usual. The protected application running in the LXC container accesses the license via network communication.

If the host machine is a physical machine, you can prevent installation of SL AdminMode keys in the container by disabling support for virtual machines when you create the keys.

>Option 2 - Within Container

Type of Key: SL AdminMode key; SL UserMode key
Location of Run-time Environment: Within the container (RTE version must be 8.21 or later)
Location of SL Key: Within the container

You do not need to install anything on the host.

>Option 3 - Mixed Solution

Type of Key: SL AdminMode key (includes cloud licensing)
Location of Run-time Environment: Within the container (RTE version must be 8.21 or later)
Location of SL Key: Host machine or remote machine

You install the RTE inside the container, but configure LXC to keep the license storage directories on the host, so that any kind of license can be installed.

NOTE   You cannot install the RTE both inside the container and on the host. When using this option, ensure that the RTE executes only inside the container.

The host machine or remote machine (service) can supply a mounted persistence volume as SL storage. In a cloud environment, a persistence volume is a resource that is backed by a persistent disk or volume service.

You can configure LXC to keep the license storage directories on the host by editing the LXC config file in /var/lib/lxc/<containername>/. Add the following entries to the config file to keep the /var/hasplm and /etc/hasplm directories on the host:

lxc.mount.entry=/var/hasplm var/hasplm none bind,optional,0
lxc.mount.entry=/etc/hasplm etc/hasplm none bind,optional,0
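The following pre-flight check is an added example and not part of the Sentinel LDK documentation. It verifies that a container's LXC config carries both bind-mount entries for the mixed solution, so that the RTE inside the container really writes its license storage to the host. It assumes the config uses the two lxc.mount.entry lines exactly as shown above (whitespace around "=" is tolerated); the sample config text is constructed.

```shell
#!/bin/sh
# Added example (not from the Sentinel LDK documentation): check that an LXC
# config keeps /var/hasplm and /etc/hasplm on the host for the mixed solution.
# Assumes the two lxc.mount.entry lines from the documentation are used verbatim.

# Constructed sample config: the /etc/hasplm entry is deliberately missing
SAMPLE_CONFIG='lxc.uts.name = lm-container
lxc.mount.entry=/var/hasplm var/hasplm none bind,optional,0
lxc.net.0.type = veth'

# missing_hasplm_mounts CONFIG_TEXT: print each required mount entry that is
# absent from CONFIG_TEXT. Leading whitespace, whitespace around "=" and
# comment lines are ignored before comparing.
missing_hasplm_mounts() {
    normalized=$(printf '%s\n' "$1" \
        | sed -e 's/^[[:space:]]*//' -e '/^#/d' -e 's/[[:space:]]*=[[:space:]]*/=/')
    for entry in \
        'lxc.mount.entry=/var/hasplm var/hasplm none bind,optional,0' \
        'lxc.mount.entry=/etc/hasplm etc/hasplm none bind,optional,0'
    do
        printf '%s\n' "$normalized" | grep -Fxq -- "$entry" || printf '%s\n' "$entry"
    done
}

# check_config FILE: succeed (exit 0) only when both entries are present;
# the missing entries are printed so they can be appended to the config.
check_config() {
    missing=$(missing_hasplm_mounts "$(cat "$1")")
    if [ -n "$missing" ]; then
        printf 'missing in %s:\n%s\n' "$1" "$missing" >&2
        return 1
    fi
}

# Demo on the constructed sample: prints the /etc/hasplm entry that is missing
missing_hasplm_mounts "$SAMPLE_CONFIG"
```

Run it against a real container with `check_config /var/lib/lxc/<containername>/config`; a non-zero exit status means the license storage would stay inside the container, which is the situation the mixed solution is meant to avoid.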

Using HL Keys

Sentinel LDK supports the use of HL keys for protected applications that execute in an LXC container.

When installing Sentinel LDK Run-time Environment (RTE) for use with HL keys, the RTE can be installed either on the host machine or within the LXC container.

>Option 1 - Outside of Container

Location of Run-time Environment: Host machine
HL Key Access: HL key accessed from the host machine

The protected application running in the LXC container accesses the license on the HL key via network communication. Only network licenses are supported.

Thales recommends that you use this option if the license supports remote access. Access the HL key through the RTE rather than directly from the LXC container.

>Option 2 - Within Container

Location of Run-time Environment: Within the container (RTE version must be 8.21 or later)
HL Key Access: HL key accessed from inside the container

This includes a scenario in which the Licensing API accesses the HL keys directly, without the need for the RTE.

When the RTE is installed within the LXC container, the host must be configured to share the specific HL key with the container. For example:

a. List the USB key:

$ lsusb
Bus 002 Device 006: ID 0529:0003 Aladdin Knowledge Systems

b. The device node is visible as:

$ ls -l /dev/bus/usb/002/006
crw-rw-rw- 1 root plugdev 189, 133 Apr 1 08:06 /dev/bus/usb/002/006

c. Add cgroup device permissions and a bind mount to the LXC config file (/var/lib/lxc/<containerName>/config):

lxc.cgroup.devices.allow = c 189:* rwm
lxc.mount.entry=/dev/bus/usb/002 dev/bus/usb/002 none bind,optional,create=dir
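The script below is an added example and not part of the Sentinel LDK documentation. It carries steps a to c through in one place: it locates the HL key in lsusb output and prints the config lines to append. It assumes the key reports USB vendor ID 0529 (the Aladdin Knowledge Systems ID in the lsusb line above) and that /dev/bus/usb nodes use character major 189 with minor (bus - 1) * 128 + (device - 1), which is how the Linux USB core numbers these nodes; the example above (bus 002, device 006, shown by ls as 189, 133) follows that rule. It goes beyond the page in one respect: instead of `c 189:* rwm`, which admits every USB device on the host, the device rule it emits is limited to the one key's major:minor. The lsusb text is constructed.

```shell
#!/bin/sh
# Added example (not from the Sentinel LDK documentation): derive the LXC config
# lines that pass a single HL key into a container, starting from lsusb output.
# Assumptions: the key's USB vendor ID is 0529; usbfs nodes have major 189 and
# minor = (bus - 1) * 128 + (device - 1) (bus 002 device 006 -> 189,133).

# Constructed sample lsusb output; on a real host use: LSUSB_OUT=$(lsusb)
SAMPLE_LSUSB='Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 002 Device 006: ID 0529:0003 Aladdin Knowledge Systems
Bus 002 Device 003: ID 046d:c52b Logitech, Inc. Unifying Receiver'

# find_hl_key LSUSB_OUTPUT: print "<bus> <device>" of the first device with
# vendor ID 0529; prints nothing when no such key is attached.
find_hl_key() {
    printf '%s\n' "$1" | awk '$6 ~ /^0529:/ { sub(/:$/, "", $4); print $2, $4; exit }'
}

# usb_minor BUS DEVICE: minor number of /dev/bus/usb/BUS/DEVICE.
# awk is used for the arithmetic so that "002" is read as decimal, not octal.
usb_minor() {
    awk -v b="$1" -v d="$2" 'BEGIN { printf "%d\n", (b - 1) * 128 + (d - 1) }'
}

# lxc_key_config BUS DEVICE: print the lines to append to
# /var/lib/lxc/<containerName>/config. The device rule is narrowed to this
# key's major:minor; the bind mount of the bus directory is kept as on the
# page because usbfs nodes live under /dev/bus/usb/<bus>/, but nodes of other
# devices on that bus remain unopenable without a matching cgroup rule.
lxc_key_config() {
    bus=$1
    dev=$2
    minor=$(usb_minor "$bus" "$dev")
    printf 'lxc.cgroup.devices.allow = c 189:%s rwm\n' "$minor"
    printf 'lxc.mount.entry=/dev/bus/usb/%s dev/bus/usb/%s none bind,optional,create=dir\n' "$bus" "$bus"
}

# Demo on the constructed sample: prints the two config lines for bus 002, device 006
key=$(find_hl_key "$SAMPLE_LSUSB")
if [ -z "$key" ]; then
    echo "no HL key (vendor 0529) found in lsusb output" >&2
else
    lxc_key_config $key
fi
```

Two points to keep in mind when using this: the device number is reassigned when the key is unplugged and reconnected, so the emitted lines describe the key as currently enumerated and must be regenerated after a re-plug; and `lxc.cgroup.devices.allow` is the cgroup v1 key, while hosts running LXC on cgroup v2 use `lxc.cgroup2.devices.allow` with the same `c major:minor rwm` value.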