[lxc-users] Nested container in unpriviledged container
Xavier Gendre
gendre.reivax at gmail.com
Sat Jun 13 10:42:36 UTC 2015
Hi,
i wanted to run a container in an unpriviledged container and i am glad
to succes in doing it. The point is that i am not sure if what i did is
acceptable from the security point of view or not...
Here are the steps i did:
1) create an unpriviledged container (lxc.id_map, ...) called 'test'.
2) mount a tmpfs to /sys/fs/cgroup in 'test' by adding this line in its
config file:
lxc.mount.auto = cgroup:mixed
3) create a basic container called 'p1' with the download template as
root in 'test'.
4) in the host, i chown the cgroup hierarchy of 'test' to give it to the
user id mapped to the id 0 in 'test' (this id is 362144 in my example),
for T in `ls /sys/fs/cgroup`; do
chown -R 362144:362144 /sys/fs/cgroup/$T/lxc/test
done
5) succesfully start the container 'p1' in 'test' :-)
I am not an expert with cgroups and i am wondering if i am letting the
devil enters in my home with that...
So, what is your opinion: is it a possible security break or is it safe?
Thanks,
Xavier
More information about the lxc-users
mailing list