[lxc-users] Owner of an unprivileged container

Serge Hallyn serge.hallyn at ubuntu.com
Sat Apr 4 01:56:37 UTC 2015


Quoting Bostjan Skufca (bostjan at a2o.si):
> Hi Serge,
> 
> is there any standard implementation for starting user-unprivileged
> containers at boot? I am not talking about containers which are uidmapped

No - that's another reason to use root-owned unprivileged containers.
You could write your own boot scripts to do it, but right now there is
no standardized support for it.  Hopefully we can talk about how to
do that properly with a systemd unit and lxc-autostart soon.

> (and started) by root to be unprivileged. I mean containers which are
> created by unprivileged users in their home dirs.
> 
> Thanks for the info,
> b.
> 
> 
> On 3 April 2015 at 23:46, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> 
> > Quoting Xavier Gendre (gendre.reivax at gmail.com):
> > > Hello,
> > >
> > > I run several containers on my server and, following the security
> > > advice, they are unprivileged. Each container belongs to one user
> > > and I am asking myself if this is a "good practice"...
> > >
> > > Thus my question is if there are some differences between:
> > > - an unprivileged container owned by root with 'lxc.id_map' in its
> > > config file to make it unprivileged,
> > > - a similar unprivileged container but owned by a classical user.
> > >
> > > From the practical point of view, I have to admit that a container
> > > owned by root is easier to handle but, from the security point of
> > > view, is it safer to give the unprivileged container to a user
> > > than to root? Or is the namespace sufficient to avoid escape from an
> > > unprivileged container that belongs to root?
> >
> > The main difference would be that the container startup and the
> > container monitor end up running as root if started by root.  This
> > is a pretty small, but not zero, attack surface.
> >
> > > What are your "good practices" in the matter? All belong to root?
> > > All belong to one devoted user? Or, as what I do, one user for one
> > > container?
> >
> > Currently that's probably mainly decided by practicality.  If you
> > want to use an encrypted lvm backing store (I do) then you need
> > to have root start the container.  The biggest advantage in my
> > opinion of using fully unprivileged containers (starting them as
> > non-root user) is so that users other than you can create/start
> > them without having root access.  Failing that, I still prefer to
> > use fully unpriv containers myself when possible, to reduce the
> > amount of time I spend as root.
> > _______________________________________________
> > lxc-users mailing list
> > lxc-users at lists.linuxcontainers.org
> > http://lists.linuxcontainers.org/listinfo/lxc-users

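The script below is an added example and is not code from this thread or from the LXC project. It checks the two things the thread is comparing: whether a container config is actually unprivileged (it carries lxc.id_map lines for both uids and gids, the LXC 1.x spelling of the key) and whether the account that starts it, root or an ordinary user, has been delegated the host id ranges those lines use in /etc/subuid and /etc/subgid, which is what a root-owned unprivileged container needs in addition to the id_map lines. The sample config and subuid/subgid contents are constructed; inspect_running assumes lxc-info and ps are available and treats the parent of the container's init as the monitor, which is an assumption about process layout, not something the thread states.

```shell
#!/bin/sh
# Added example, not from the lxc-users thread: audit whether an LXC 1.x
# container is really unprivileged and whether the account starting it holds
# the subordinate id ranges its lxc.id_map lines use. Sample files are
# constructed below; a real run would use /var/lib/lxc/NAME/config,
# /etc/subuid and /etc/subgid.

# "unprivileged" if CONFIG maps both uids and gids, "privileged" otherwise.
# A root-owned container with no lxc.id_map lines runs as real root.
idmap_kind() {
    u=$(grep -Ec '^[[:space:]]*lxc\.id_map[[:space:]]*=[[:space:]]*u[[:space:]]' "$1" || true)
    g=$(grep -Ec '^[[:space:]]*lxc\.id_map[[:space:]]*=[[:space:]]*g[[:space:]]' "$1" || true)
    if [ "$u" -gt 0 ] && [ "$g" -gt 0 ]; then echo unprivileged; else echo privileged; fi
}

# idmap_allowed CONFIG OWNER SUBUID SUBGID
# Exit 0 when every host range in CONFIG's lxc.id_map lines lies inside a
# range delegated to OWNER (lines of the form user:start:count). A
# root-owned unprivileged container needs a root: line in both files.
idmap_allowed() {
    awk -v owner="$2" -v subuid="$3" -v subgid="$4" '
    BEGIN {
        while ((getline line < subuid) > 0) {
            split(line, f, ":")
            if (f[1] == owner) { nu++; us[nu] = f[2] + 0; uc[nu] = f[3] + 0 }
        }
        while ((getline line < subgid) > 0) {
            split(line, f, ":")
            if (f[1] == owner) { ng++; gs[ng] = f[2] + 0; gc[ng] = f[3] + 0 }
        }
        bad = 0
    }
    /^[ \t]*lxc\.id_map[ \t]*=/ {
        sub(/^[^=]*=[ \t]*/, "")      # leaves "u|g cont_start host_start count"
        start = $3 + 0; count = $4 + 0; ok = 0
        if ($1 == "u") {
            for (i = 1; i <= nu; i++)
                if (start >= us[i] && start + count <= us[i] + uc[i]) ok = 1
        } else if ($1 == "g") {
            for (i = 1; i <= ng; i++)
                if (start >= gs[i] && start + count <= gs[i] + gc[i]) ok = 1
        }
        if (!ok) { bad++; print $1 "id range " start "+" count " not delegated to " owner }
    }
    END { if (bad > 0) exit 1 }' "$1"
}

# Read a /proc/PID/uid_map on stdin; exit 0 when uid 0 in that namespace is
# host uid 0, i.e. root inside the container is real root (no shift).
root_is_host_root() {
    awk '$1 == 0 && $2 == 0 && $3 > 0 { hit = 1 } END { exit (hit ? 0 : 1) }'
}

# For a running container NAME: which account owns the monitor process and
# is the init process id-shifted. Assumes the monitor is init's parent.
inspect_running() {
    pid=$(lxc-info -n "$1" -p | awk '{ print $2 }')
    [ -n "$pid" ] || return 1
    ppid=$(ps -o ppid= -p "$pid" | tr -d ' ')
    echo "monitor (pid $ppid) runs as: $(ps -o user= -p "$ppid")"
    if root_is_host_root < "/proc/$pid/uid_map"; then
        echo "init uid 0 is host root: NOT shifted"
    else
        echo "init uid 0 is shifted: $(cat "/proc/$pid/uid_map")"
    fi
}

# Constructed sample: a root-owned container shifted onto 100000-165535,
# with subuid/subgid granting root exactly that range and alice the next one.
if [ "$#" -eq 0 ]; then
    dir=$(mktemp -d)
    printf 'lxc.rootfs = /var/lib/lxc/web/rootfs\nlxc.id_map = u 0 100000 65536\nlxc.id_map = g 0 100000 65536\n' > "$dir/config"
    printf 'root:100000:65536\nalice:165536:65536\n' > "$dir/subuid"
    cp "$dir/subuid" "$dir/subgid"
    echo "config is: $(idmap_kind "$dir/config")"
    idmap_allowed "$dir/config" root "$dir/subuid" "$dir/subgid" && echo "ranges delegated to root: ok"
    idmap_allowed "$dir/config" alice "$dir/subuid" "$dir/subgid" || echo "alice could not start this config"
    rm -rf "$dir"
else
    inspect_running "$1"
fi
```

Run it with no arguments to exercise the constructed sample, or with a container name to look at a running container: the second mode shows the point Serge makes above, that a root-started container still has its monitor running as root even when init's uid_map is shifted.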