[lxc-users] Nested container in unpriviledged container

Xavier Gendre gendre.reivax at gmail.com
Sat Jun 13 10:42:36 UTC 2015


Hi,

I wanted to run a container in an unprivileged container and I am glad 
to succeed in doing it. The point is that I am not sure if what I did is 
acceptable from the security point of view or not...

Here are the steps I did:

1) create an unprivileged container (lxc.id_map, ...) called 'test'.

2) mount a tmpfs to /sys/fs/cgroup in 'test' by adding this line in its 
config file:

lxc.mount.auto = cgroup:mixed

3) create a basic container called 'p1' with the download template as 
root in 'test'.

4) in the host, I chown the cgroup hierarchy of 'test' to give it to the 
user id mapped to the id 0 in 'test' (this id is 362144 in my example):

# for every mounted cgroup controller, hand the 'test' subtree (and only
# that subtree) to the uid that is root inside the container
for T in /sys/fs/cgroup/*/; do
   chown -R 362144:362144 "${T}lxc/test"
done

5) successfully start the container 'p1' in 'test' :-)

I am not an expert with cgroups and I am wondering if I am letting the 
devil enter my home with that...

So, what is your opinion: is it a possible security break or is it safe?

Thanks,
Xavier
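One way to audit the result of step 4 on the host, as an added example that is not part of the original post: it walks the cgroup v1 layout the post describes and confirms the mapped uid owns each controller's lxc/<name> subtree but none of the levels above it (owning a parent level would let the container touch sibling cgroups). It assumes GNU stat; the cgroup root, container name and uid are parameters so it can be pointed at a test tree.

```shell
#!/bin/sh
# Added example (not from the original post): check that the mapped root uid
# owns exactly the container's own cgroup subtree and nothing above it.
# usage: cgroup_scope_check /sys/fs/cgroup test 362144

owner_of() {
    # numeric uid of the owner of a path (GNU stat)
    stat -c %u "$1"
}

cgroup_scope_check() {
    root=$1; name=$2; uid=$3
    bad=0; seen=0
    for sub in "$root"/*/; do
        sub=${sub%/}
        ctr="$sub/lxc/$name"
        [ -d "$ctr" ] || continue
        seen=$((seen + 1))
        # the container's own subtree must belong to the mapped uid...
        if [ "$(owner_of "$ctr")" != "$uid" ]; then
            echo "not owned by $uid: $ctr"; bad=1
        fi
        # ...but the parent levels must not, or the container could create
        # or modify cgroups outside its own scope
        for parent in "$sub/lxc" "$sub"; do
            if [ "$(owner_of "$parent")" = "$uid" ]; then
                echo "mapped uid owns a parent level: $parent"; bad=1
            fi
        done
    done
    if [ "$seen" -eq 0 ]; then
        echo "no cgroup directories for $name under $root"; return 2
    fi
    return "$bad"
}
```

Exit status 0 means the ownership is scoped as in the post, 1 means a problem was printed, 2 means no directories for that container were found.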
