[lxc-users] Convert LXC Guests from privileged to unprivileged

Thu Dec 3 05:40:51 UTC 2015

On 12/03/2015 12:40 PM, Mark Chaney wrote:
> I have an Ubuntu Trusty system with about 10 linux containers on it that
> were created by root using the normal "lxc-create -t ubuntu -n git".
> Nothing custom was setup for these guests that I can think of besides
> the network bridges and a few are mounting a directory from the host
> like so "lxc.mount.entry = /backups/r1soft backups none bind.rw 0.0". I
> do see that some of the older containers that were created do have the
> following in their containername/config files:
>
> lxc.cgroup.devices.deny = alxc.cgroup.devices.allow = c *:* m
> lxc.cgroup.devices.allow = b *:* m
> lxc.cgroup.devices.allow = c 1:3 rwm
> lxc.cgroup.devices.allow = c 1:5 rwm
> lxc.cgroup.devices.allow = c 5:1 rwm
> lxc.cgroup.devices.allow = c 5:0 rwm
> lxc.cgroup.devices.allow = c 1:9 rwm
> lxc.cgroup.devices.allow = c 1:8 rwm
> lxc.cgroup.devices.allow = c 136:* rwm
> lxc.cgroup.devices.allow = c 5:2 rwm
> lxc.cgroup.devices.allow = c 254:0 rwm
> lxc.cgroup.devices.allow = c 10:229 rwm
> lxc.cgroup.devices.allow = c 10:200 rwm
> lxc.cgroup.devices.allow = c 1:7 rwm
> lxc.cgroup.devices.allow = c 10:228 rwm
> lxc.cgroup.devices.allow = c 10:232 rwm
>
> But a majority do not and I am not aware of any special cgroup settings
> that I might have setup.
>
> With all of that said, I am wanting to better isolate these containers
> from the host and was told that doing unprivileged was the way to go. A
> couple quick questions:
>
> 1) With all the information posted above, do you foresee any issues with
> them running as unprivileged?
> 2) How can I easily convert them to unprivileged containers (I have
> installed LXD, but done nothing else)

After setting up approriate /etc/{subuid,subgid}, I've been using 
uidmapshift from 
http://bazaar.launchpad.net/%7Eserge-hallyn/+junk/nsexec/files on the 
stopped container. Then move the container directory from out of 
/var/lib/lxc into ~/.local/share/lxc/. There are some ownerships & 
permissions to change for the container directory and its config file; 
also the config file's lxc.rootfs entry need updating to the new 
location. Seems to work OK as unprivileged after that.

chris

> 3) How do i ensure that future containers are only created as
> unprivileged containers?
> 4) Will this new "isolation" prevent host kernel notices, etc, from
> leaking into the containers syslog? Really makes it hard to troubleshoot
> things when entries are unrelated to the container and more related to
> the host or another container.
>
> Thanks so much for your time and help on this. I truly appreciate it.
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users