[lxc-users] Do nested containers require that unprivileged container creation be supported?

Nels Nelson nels.n.nelson at gmail.com
Sat Apr 5 16:55:58 UTC 2014

On Sat, Apr 5, 2014 at 7:22 AM, brian mullan <bmullan.mail at gmail.com> wrote:
> *See Stephane Graber's website (scroll down to section titled "Container
> Nesting"https://www.stgraber.org/2013/12/21/lxc-1-0-advanced-container-usage/
> <https://www.stgraber.org/2013/12/21/lxc-1-0-advanced-container-usage/>*

Thank you, Brian.  Is the app armor configuration a strict requirement for
container nesting?  Or are there any there other configuration options
which could support it?  For instance, something based on selinux?

I read Stephane's walkthrough yesterday and it seems straight forward
enough.  It looks like the ```lxc.aa_profile =
lxc-container-default-with-nesting``` option will somehow cause
the lxc-default-with-nesting apparmor config profile to get loaded.  I'm
not quite sure how that profile definition works, though.  Is it an
apparmor-specific format?  Will I have to re-compile lxc-1.0.2 with
apparmor support enabled (configure --enable-apparmor ...)?

Sorry to be so inquisitive...  What specifically does apparmor accomplish
which enables the container nesting?  Is it simply the management of
permissions?  Again, could this be accomplished somehow (albeit in an
admittedly more complex manner) without using apparmor?

I ask this for two reasons, first to understand how the nesting is actually
accomplished for my own understanding, but also to be able to consider the
possibility of reducing the dependency profile of the system implementing
these containers -- that is, perhaps it may be possible for me to
explicitly configure some permissions in a way that would securely enable
container nesting, but also make apparmor not completely necessary.  I'm
just trying to understand possibilities and options, is all.

*If you are not yet using LXC 1.0*

Yes.  Using lxc-1.0.2 with kernel 3.12.15.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20140405/92b677fe/attachment.html>

More information about the lxc-users mailing list