[lxc-users] Nested container in unprivileged container

Serge Hallyn serge.hallyn at ubuntu.com
Mon Jun 15 15:17:01 UTC 2015


Quoting Xavier Gendre (gendre.reivax at gmail.com):
> Hi,
> 
> I wanted to run a container in an unprivileged container and I am
> glad to have succeeded in doing it. The point is that I am not sure if what
> I did is acceptable from the security point of view or not...
> 
> Here are the steps I did:
> 
> 1) create an unprivileged container (lxc.id_map, ...) called 'test'.
> 
> 2) mount a tmpfs to /sys/fs/cgroup in 'test' by adding this line in
> its config file:
> 
> lxc.mount.auto = cgroup:mixed
> 
> 3) create a basic container called 'p1' with the download template
> as root in 'test'.
> 
> 4) in the host, I chown the cgroup hierarchy of 'test' to give it to
> the user id mapped to the id 0 in 'test' (this id is 362144 in my
> example),
> 
> for T in `ls /sys/fs/cgroup`; do
>   chown -R 362144:362144 /sys/fs/cgroup/$T/lxc/test
> done
> 
> 5) successfully start the container 'p1' in 'test' :-)
> 
> I am not an expert with cgroups and I am wondering if I am letting
> the devil enter my home with that...
> 
> So, what is your opinion: is it a possible security break or is it safe?

Two things to make this safer:

1. only chown the actual directory /sys/fs/cgroup/$T/lxc/test and maybe
its 'tasks' and 'cgroup.procs' files.  That way the container can create
sub-cgroups but cannot raise its own limits.

2. Only do this for the controllers you definitely need.  Freezer and
memory for example.  Then set lxc.cgroup.use in /etc/lxc/lxc.conf
(see lxc.system.conf(5)).

-serge
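A safer version of step 4 along the lines of Serge's two points, as an added shell example (not code from the thread): it hands the mapped root only the container's own cgroup directory plus its 'tasks' and 'cgroup.procs' files, non-recursively, and only for the controllers named, so the container can still create sub-cgroups but cannot touch its own limit files. The cgroup v1 layout, the `lxc/<name>` path and the uid 362144 come from the thread; the hierarchy built under mktemp is constructed so the listing part runs without root or a real /sys/fs/cgroup.

```shell
#!/bin/sh
# cgroup_grant_paths ROOT NAME CONTROLLER...
# Prints, one per line, the only paths that should be handed to the
# container's mapped root: the container's cgroup directory and its
# tasks / cgroup.procs files, for each named controller.  Sub-cgroups
# and limit files (memory.limit_in_bytes etc.) are deliberately excluded.
cgroup_grant_paths() {
    root=$1; name=$2; shift 2
    for t in "$@"; do
        dir="$root/$t/lxc/$name"
        if [ ! -d "$dir" ]; then
            echo "warning: no cgroup for controller '$t' at $dir" >&2
            continue
        fi
        echo "$dir"
        for f in tasks cgroup.procs; do
            if [ -e "$dir/$f" ]; then echo "$dir/$f"; fi
        done
    done
}

# cgroup_grant ROOT NAME UID CONTROLLER...
# Applies the ownership change (no -R) to exactly those paths.
# Must run as root on the host; 362144 is the mapped root uid from the thread.
cgroup_grant() {
    root=$1; name=$2; uid=$3; shift 3
    cgroup_grant_paths "$root" "$name" "$@" | while IFS= read -r p; do
        chown "$uid:$uid" "$p"
    done
}

# Constructed demo hierarchy (stands in for /sys/fs/cgroup): three
# controllers, each with a sub-cgroup and a limit-style file that must
# NOT be granted.  Only freezer and memory are requested below.
demo_root=$(mktemp -d)
for t in freezer memory cpu; do
    mkdir -p "$demo_root/$t/lxc/test/sub"
    touch "$demo_root/$t/lxc/test/tasks" \
          "$demo_root/$t/lxc/test/cgroup.procs" \
          "$demo_root/$t/lxc/test/$t.limit_in_bytes"
done

# Real use on the host would be:
#   cgroup_grant /sys/fs/cgroup test 362144 freezer memory
# Listing only (safe to run unprivileged):
cgroup_grant_paths "$demo_root" test freezer memory
```

Matching Serge's second point, the corresponding host setting in /etc/lxc/lxc.conf would then be `lxc.cgroup.use = freezer,memory`.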

