[lxc-devel] secure unprivileged containers
Serge Hallyn
serge.hallyn at ubuntu.com
Mon Sep 22 14:59:48 UTC 2014
Quoting J Bc (javibc at esdebian.org):
> Hello, is it secure mount various unprivileged containers with the
> same user? or the correct way is one user, one unprivileged container?
To keep containers segregated you need separate uid ranges. A single
unprivileged user can be granted (multiple) large subuid range(s),
so that a single user can launch multiple segregated containers.
I.e. if user joe, uid 1000, has subuid range 100000-500000, he could
launch container 1 using 100000-199999, container 2 using
200000-299999, etc (leaving plenty of room for each container to
further nest containers inside itself).
-serge
More information about the lxc-devel
mailing list