[lxc-users] Owner of an unprivileged container

Serge Hallyn serge.hallyn at ubuntu.com
Fri Apr 3 21:46:46 UTC 2015


Quoting Xavier Gendre (gendre.reivax at gmail.com):
> Hello,
> 
> I run several containers on my server and, following the security
> advice, they are unprivileged. Each container belongs to one user
> and I am asking myself if this is a "good practice"...
> 
> Thus my question is if there are some differences between:
> - an unprivileged container owned by root with 'lxc.id_map' in its
> config file to make it unprivileged,
> - a similar unprivileged container but owned by a classical user.
> 
> From the practical point of view, I have to admit that a container
> owned by root is easier to handle but, from the security point of
> view, is it safer to give the unprivileged container to a user
> than to root? Or is the namespace sufficient to avoid escape from an
> unprivileged container that belongs to root?

The main difference would be that the container startup and the
container monitor end up running as root if started by root.  This
is a pretty small, but not zero, attack surface.

> What are your "good practices" in the matter? All belong to root?
> All belong to one devoted user? Or, as what I do, one user for one
> container?

Currently that's probably mainly decided by practicality.  If you
want to use an encrypted lvm backing store (I do) then you need
to have root start the container.  The biggest advantage in my
opinion of using fully unprivileged containers (starting them as
non-root user) is so that users other than you can create/start
them without having root access.  Failing that, I still prefer to
use fully unpriv containers myself when possible, to reduce the
amount of time I spend as root.
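
Added example, not part of the original thread: a small Python check that a root-owned container's config really carries the 'lxc.id_map' entries mentioned in the question and that none of them lands on host id 0. The function names and sample configs are constructed for illustration, and the value format `<u|g> <container id> <host id> <count>` is assumed; the check covers the config only, and the startup and monitor processes still run as root when root starts the container.

```python
import re

# Assumed value format: "lxc.id_map = <u|g> <container id> <host id> <count>"
ID_MAP_RE = re.compile(r"^\s*lxc\.id_map\s*=\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_id_maps(config_text):
    """Return (kind, container_start, host_start, count) for every id_map line."""
    maps = []
    for line in config_text.splitlines():
        m = ID_MAP_RE.match(line)  # comment lines and other keys do not match
        if m:
            maps.append((m.group(1), int(m.group(2)), int(m.group(3)), int(m.group(4))))
    return maps

def audit_id_maps(config_text):
    """Return findings; an empty list means uids and gids are both remapped off host id 0."""
    maps = parse_id_maps(config_text)
    if not maps:
        return ["no lxc.id_map entries: container root is host root (privileged)"]
    findings = []
    for kind, name in (("u", "uid"), ("g", "gid")):
        ranges = [m for m in maps if m[0] == kind]
        if not ranges:
            findings.append(f"{name} map missing: only one of uid/gid is remapped")
        for _, c_start, h_start, count in ranges:
            if h_start == 0 and count > 0:
                findings.append(f"{name} map puts container {name} {c_start} on host {name} 0")
    return findings

# Constructed sample configs (hypothetical, not taken from the thread).
UNPRIVILEGED = """\
# container owned by root, but remapped
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
"""
MISSING_GID_MAP = """\
lxc.id_map = u 0 100000 65536
"""
MAPS_HOST_ROOT = """\
lxc.id_map = u 0 0 65536
lxc.id_map = g 0 100000 65536
"""

if __name__ == "__main__":
    for label, cfg in (("unprivileged", UNPRIVILEGED),
                       ("missing gid map", MISSING_GID_MAP),
                       ("maps host root", MAPS_HOST_ROOT)):
        print(label, "->", audit_id_maps(cfg) or "ok")
```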

