<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Tue, May 3, 2016 at 6:49 PM, Serge Hallyn <span dir="ltr"><<a href="mailto:serge.hallyn@ubuntu.com" target="_blank">serge.hallyn@ubuntu.com</a>></span> wrote:<br></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><span class="">Quoting Umberto Nicoletti (<a href="mailto:umberto.nicoletti@gmail.com">umberto.nicoletti@gmail.com</a>):<br>
> Hi all,<br>
> I am dipping my toes into LXC and I'm liking what I see so far.<br>
><br>
> I have one question about privileges/security inside containers: I have<br>
> started a container and then accessed it with:<br>
><br>
> lxc exec c1 /bin/bash<br>
><br>
> If I run netstat -anp it will refuse to show me process information for<br>
> processes that I do not own (even though I appear to be root).<br>
><br>
> For instance an haproxy instance listening on port 3000 appears as the<br>
> following (haproxy is running as user haproxy):<br>
><br>
> root@c1:~# netstat -anp | grep 3000<br>
> (Not all processes could be identified, non-owned process info<br>
> will not be shown, you would have to be root to see it all.)<br>
> tcp 0 0 <a href="http://127.0.0.1:3000" rel="noreferrer" target="_blank">127.0.0.1:3000</a> 0.0.0.0:* LISTEN<br>
> -<br>
><br>
> I am running the latest lxc/lxd on Ubuntu 16.04.<br>
><br>
> From what I have read I understand there is some uid mapping going on but I<br>
> was hoping someone could explain it to me or point me in the right<br>
> direction.<br>
<br>
</span>If I understand your email right, you'll be interested in<br>
<br>
man 7 user_namespaces<br>
<br>
(also available at <a href="http://manpages.ubuntu.com/manpages/xenial/en/man7/user_namespaces.7.html" rel="noreferrer" target="_blank">http://manpages.ubuntu.com/manpages/xenial/en/man7/user_namespaces.7.html</a> )<br>
<br>
Indeed your container root is privileged with respect to the container's<br>
resources, but is not root on the host. /proc/self/uid_map will show<br>
how container uids are mapped. For instances if you have<br>
<br>
root@trusty-gui:/# cat /proc/self/uid_map<br>
0 100000 65536<br>
<br>
then root (uid 0) in the container is uid 100000 on the host. It<br>
is privileged with respect to uids mapped into the container, which<br>
are host uids 100000-165535. The container root is not privileged<br>
against any task not owned by one of those host uids.<br></blockquote><div><br></div><div>Thanks for taking the time to answer.</div><div><br></div><div>This makes sense, still I don't understand why netstat won't show the pid and program for sockets owned by container processes like haproxy in my previous example.</div><div><br></div><div>haproxy has uid 106 in the container which is mapped to uid 100106 on the host so it should be among those manageable by uid 0 (in the container).</div><div><br></div><div>Umberto</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">
<br>
-serge<br>
_______________________________________________<br>
lxc-users mailing list<br>
<a href="mailto:lxc-users@lists.linuxcontainers.org">lxc-users@lists.linuxcontainers.org</a><br>
<a href="http://lists.linuxcontainers.org/listinfo/lxc-users" rel="noreferrer" target="_blank">http://lists.linuxcontainers.org/listinfo/lxc-users</a></blockquote></div><br></div></div>