[lxc-users] LXC and Unprivileged containers - purpose and status - talks

Benoit GEORGELIN - Association Web4all benoit.georgelin at web4all.fr
Tue Aug 18 14:21:18 UTC 2015


Thanks for your answer. 
Looks like there are good resources. 

Regards, 

Benoît Georgelin 


From: "Luis M. Ibarra" <michael.ibarra at gmail.com> 
To: "lxc-users" <lxc-users at lists.linuxcontainers.org> 
Sent: Monday 17 August 2015 12:41:43 
Subject: Re: [lxc-users] LXC and Unprivileged containers - purpose and status - talks 

Hi all, 

There are going to be excellent talks at ContainerCon[1] this week, but I don't know if the talks are going to be streamed later. 

For User Namespaces, I follow this tutorial[2], which explains pretty well how user namespaces work. Also, check user_namespaces(7) and capabilities(7); there you find pretty much how Linux capabilities are used in conjunction with user namespaces to get super user inside the container while being created as a normal user in the host. 
Finally, in lxd/specs/userns-idmap[3] you'll find many cases where user namespaces can save your life if things go really wrong. 

If you want a simple solution for unpriv containers, you should check LXD, which is really awesome, but it's still in heavy development. 


[1] http://events.linuxfoundation.org/events/containercon/program/schedule 
[2] https://www.youtube.com/watch?v=kKCdPouT-dQ 
[3] https://github.com/lxc/lxd/blob/master/specs/userns-idmap.md 



Greetings, 




2015-08-17 3:17 GMT-05:00 Narcis Garcia <informatica at actiu.net>: 


I've read somewhere: 
"Ubuntu is also one of the few (if not only) Linux distributions to come 
by default with everything that's needed for safe, unprivileged LXC 
containers" - and not LTS versions. 


On 17/08/15 at 06:48, Benoit GEORGELIN - Association Web4all wrote: 
> Hi lxc-users :) 
> 
> I'm currently working and playing around with LXC containers. I came 
> across "Unprivileged Containers". 
> I would like to get some feedback about this really interesting feature. 
> It's not easy to get a good tour of the technology and of the 
> maturity of this kind of container. First because I'm not technical 
> enough to understand the differences between LXC and OpenVZ (besides 
> cgroups and kernel needs), second because I'm not able to find 
> documentation, talks or papers about it. 
> I'm here to talk about it, try to merge information from you guys and 
> eventually make something public that can be shared with everyone having 
> the same questions :) 
> 
> As I'm looking at containers for shared environments, I'm more concerned 
> about security. There are a few concerns I have regarding LXC with both 
> privileged and unprivileged containers. 
> 
> - Network standpoint 
> 
> By default LXC has great network management and integration (with 
> privileged containers), but this is without any secure solution against 
> network spoofing (MAC, IP, etc.). 
> I know, maybe it's not LXC's business to manage the network like that, but 
> looking at how good the project seems to be, I'm really surprised there 
> are no solutions that come with LXC to integrate this kind of 
> (basic) security. 
> 
> One container => One MAC address => One or more specific IP addresses. 
> 
> Even if the goal of linuxcontainers is to be "vendor neutral", I think 
> there is something missing here to be more "user friendly" and "out of the 
> box". I think most LXC users will have more than one container to 
> deploy and it may be best to provide an easy integrated solution 
> regarding this specific 
> aspect of networking. 
> 
> I have been using Open vSwitch (OpenFlow) to add such security, but from 
> what I can tell, this is not documented and self-learning on those 
> technologies takes a long time. You can see the archive here 
> : https://www.mail-archive.com/lxc-users@lists.linuxcontainers.org/msg03609.html 
> 
> (?) What should the position be when you need to deploy lots of LXC 
> containers and give root access to the container? 
> The question doesn't arise with unprivileged containers; it looks like 
> there is no way to change network info, but this is not the solution if 
> you wanna run privileged containers and stay safe. 
> 
> - System security standpoint 
> 
> dmesg 
> As a simple and quick test, dmesg information of the HOST is visible in the 
> unprivileged container. 
> (?) Maybe there is a technical limit about that? 
> 
> (?) What can be the best way to understand more about how unprivileged 
> containers are built and what can be done to help? Is this only about 
> cgroups? AppArmor? Both? 
> Maybe having more information about the interaction between the security parts 
> would be nice to have :) 
> 
> 
> - Maturity of the solution with unprivileged containers. 
> I know there are a lot of things going on with this kind of container. I 
> would like to know more about the perspective and the goal. 
> 
> (?) What are unprivileged containers made for? 
> (?) Is this only to prevent security issues from any process breaking out 
> of an LXC (privileged) container? 
> Or is it more to give non-root users the opportunity to execute 
> LXC containers? 
> 
> (?) Let's say it's for security purposes only, in case of a process 
> breaking out of a container: how big is the possibility that this happens? 
> From one to ten? 
> 
> Story of my first experience with unprivileged containers: 
> 
> I'm running Debian Jessie to try my first unprivileged container. 
> lxc-create -n debian8 -t download -- -d debian -r jessie -a amd64 
> 
> First thing I wanna do: install the sshd daemon. No problem. 
> Second thing: starting sshd after install: service sshd restart. 
> Result: [sshd] <defunct> 
> Looks like there is something weird... 
> service sshd start: Result: process running. 
> But wait, not able to connect. :/ 
> I had to: sed -ri 's/^session\s+required\s+pam_loginuid.so$/session 
> optional pam_loginuid.so/' /etc/pam.d/sshd 
> 
> (?) Now I can connect, but "pam_loginuid" cannot be used at all? 
> 
> Then, what can I see: every sshd connection failure shows a new sshd 
> <defunct> process 
> 
> ps auxf|grep sshd|grep defunct|wc -l 
> 503 
> 
> (?) Any idea or known problem? Is it something in my configuration? 
> 
> It happens with other processes like: 
> [chef-client] <defunct> 
> [bash] <defunct> 
> [sshd] <defunct> 
> 
> I just wanna understand if those issues are definitely a 
> misconfiguration on my side or if they can be easily explained? :( 
> 
> - init.d with unprivileged 
> (?) Maybe because I have a lack of knowledge in this area, but why is 
> there nothing starting up automatically in an unprivileged container? 
> (?) What can be used as a workaround? 
> 
> 
> Well, besides those points, I can get an unprivileged container running 
> httpd, php5, mysql :) 
> Pretty quick and easy. Templates are a very good thing to use. (thx) 
> 
> Now I'm looking forward to reading your experience and sharing some technical 
> or unprivileged container stories! 
> 
> Cheers, 
> 
> 
> Regards, 
> 
> Benoît Georgelin 
> In order to help protect the environment, please print this 
> mail only if necessary 
> 
> 
> 
> _______________________________________________ 
> lxc-users mailing list 
> lxc-users at lists.linuxcontainers.org 
> http://lists.linuxcontainers.org/listinfo/lxc-users 
> 





-- 
Luis M. Ibarra 
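As an added illustration of the uid mapping Luis points to (user_namespaces(7) and the lxd userns-idmap spec), here is a small Python model of how an unprivileged container's /proc/<pid>/uid_map is derived from /etc/subuid, and what a host administrator would check before trusting it. This is example code written for this thread, not LXC or LXD code: the subuid contents, the user names and the 65536-id ranges are constructed, and real LXC takes the mapping from its own configuration (lxc.idmap), not from this script.

```python
"""
Model of the uid/gid mapping an unprivileged container receives.
Written as a worked example for this thread; not LXC/LXD code.
The sample /etc/subuid content and the ranges below are constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple

# The kernel reports any id that has no entry in uid_map as the
# overflow id (default /proc/sys/kernel/overflowuid is 65534, "nobody").
OVERFLOW_ID = 65534


@dataclass(frozen=True)
class IdRange:
    """One line of /proc/<pid>/uid_map: ns id, host id, count."""
    ns_start: int
    host_start: int
    count: int

    def ns_end(self) -> int:      # exclusive
        return self.ns_start + self.count

    def host_end(self) -> int:    # exclusive
        return self.host_start + self.count


def parse_subid(text: str, user: str) -> List[Tuple[int, int]]:
    """Parse /etc/subuid or /etc/subgid ('user:start:count' per line) and
    return the (start, count) allocations that belong to `user`."""
    allocations = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        if name == user:
            allocations.append((int(start), int(count)))
    return allocations


def build_idmap(allocations: List[Tuple[int, int]]) -> List[IdRange]:
    """Container id 0 maps to the first host id of the first allocation;
    further allocations continue the container id space contiguously."""
    ranges, ns_next = [], 0
    for start, count in allocations:
        ranges.append(IdRange(ns_next, start, count))
        ns_next += count
    return ranges


def to_host(idmap: List[IdRange], ns_id: int) -> int:
    """Host uid that a given in-container uid really is on disk and in ps."""
    for r in idmap:
        if r.ns_start <= ns_id < r.ns_end():
            return r.host_start + (ns_id - r.ns_start)
    return OVERFLOW_ID


def to_ns(idmap: List[IdRange], host_id: int) -> int:
    """In-container view of a host uid (unmapped host ids look like 'nobody')."""
    for r in idmap:
        if r.host_start <= host_id < r.host_end():
            return r.ns_start + (host_id - r.host_start)
    return OVERFLOW_ID


def check_idmap(idmap: List[IdRange], host_reserved_max: int = 999) -> List[str]:
    """Defender's sanity checks; an empty list means container root is an
    unprivileged host uid and no host system account is reachable."""
    problems = []
    for r in idmap:
        if r.host_start <= host_reserved_max:
            problems.append(f"range {r} overlaps host ids 0..{host_reserved_max}")
    root_on_host = to_host(idmap, 0)
    if root_on_host == 0:
        problems.append("container uid 0 is host uid 0 (privileged container)")
    elif root_on_host == OVERFLOW_ID:
        problems.append("container uid 0 is unmapped; root cannot exist inside")
    by_host = sorted(idmap, key=lambda r: r.host_start)
    for a, b in zip(by_host, by_host[1:]):
        if a.host_end() > b.host_start:
            problems.append(f"host ranges overlap: {a} and {b}")
    return problems


def format_uid_map(idmap: List[IdRange]) -> str:
    """Render the map in the /proc/<pid>/uid_map line format."""
    return "\n".join(f"{r.ns_start} {r.host_start} {r.count}" for r in idmap)


# Constructed sample /etc/subuid (user names and ranges are made up).
SAMPLE_SUBUID = """\
# user:first host id:count
benoit:100000:65536
alice:165536:65536
"""

if __name__ == "__main__":
    idmap = build_idmap(parse_subid(SAMPLE_SUBUID, "benoit"))
    print(format_uid_map(idmap))                 # 0 100000 65536
    print("container root is host uid", to_host(idmap, 0))
    print("host uid 0 seen from inside:", to_ns(idmap, 0))
    print("problems:", check_idmap(idmap) or "none")
```

The check_idmap() result is the part worth running against a real map: a container whose uid_map line reads "0 0 4294967295" is the privileged case Benoit is worried about, while "0 100000 65536" keeps everything the container can do as host uid 100000..165535, which is why capabilities gained inside the namespace do not reach host root.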


