<div dir="ltr">Hi Serge,<div><br></div><div>is there any standard implementation for starting user-unprivileged containers at boot? I am not talking about containers which are uidmapped (and started) by root to be unprivileged. I mean containers which are created by unprivileged users in their home dirs.</div><div><br></div><div>Tnx for info,</div><div>b.</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On 3 April 2015 at 23:46, Serge Hallyn <span dir="ltr"><<a href="mailto:serge.hallyn@ubuntu.com" target="_blank">serge.hallyn@ubuntu.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Quoting Xavier Gendre (<a href="mailto:gendre.reivax@gmail.com">gendre.reivax@gmail.com</a>):<br>
> Hello,<br>
><br>
> I run several containers on my server and, following the security<br>
> advices, they are unprivileged. Each container belongs to one user<br>
> and I am asking myself if this is a "good practice"...<br>
><br>
> Thus my question is if there are some differences between:<br>
> - an unprivileged container owned by root with 'lxc.id_map' in its<br>
> config file to make it unprivileged,<br>
> - a similar unprivileged container but owned by a classical user.<br>
><br>
> From the practical point of view, I have to admit that a container<br>
> owned by root is easier to handle but, from the security point of<br>
> view, is it more safe to give the unprivileged container to an user<br>
> than to root? Or is the namespace sufficient to avoid escape from an<br>
> unprivileged container that belongs to root?<br>
<br>
The main difference would be that the container startup and the<br>
container monitor end up running as root if started by root. This<br>
is a pretty small, but not zero, attack surface.<br>
<br>
> What are your "good practices" in the matter? All belong to root?<br>
> All belong to one devoted user? Or, as what I do, one user for one<br>
> container?<br>
<br>
Currently that's probably mainly decided by practicality. If you<br>
want to use an encrypted lvm backing store (I do) then you need<br>
to have root start the container. The biggest advantage in my<br>
opinion of using fully unprivileged containers (starting them as<br>
non-root user) is so that users other than you can create/start<br>
them without having root access. Failing that, I still prefer to<br>
use fully unpriv containers myself when possible, to reduce the<br>
amount of time I spend as root.<br>
_______________________________________________<br>
lxc-users mailing list<br>
<a href="mailto:lxc-users@lists.linuxcontainers.org">lxc-users@lists.linuxcontainers.org</a><br>
<a href="http://lists.linuxcontainers.org/listinfo/lxc-users" target="_blank">http://lists.linuxcontainers.org/listinfo/lxc-users</a></blockquote></div><br></div>