[lxc-users] Nested container in unpriviledged container
Serge Hallyn
serge.hallyn at ubuntu.com
Mon Jun 15 15:17:01 UTC 2015
Quoting Xavier Gendre (gendre.reivax at gmail.com):
> Hi,
>
> i wanted to run a container in an unpriviledged container and i am
> glad to succes in doing it. The point is that i am not sure if what
> i did is acceptable from the security point of view or not...
>
> Here are the steps i did:
>
> 1) create an unpriviledged container (lxc.id_map, ...) called 'test'.
>
> 2) mount a tmpfs to /sys/fs/cgroup in 'test' by adding this line in
> its config file:
>
> lxc.mount.auto = cgroup:mixed
>
> 3) create a basic container called 'p1' with the download template
> as root in 'test'.
>
> 4) in the host, i chown the cgroup hierarchy of 'test' to give it to
> the user id mapped to the id 0 in 'test' (this id is 362144 in my
> example),
>
> for T in `ls /sys/fs/cgroup`; do
> chown -R 362144:362144 /sys/fs/cgroup/$T/lxc/test
> done
>
> 5) succesfully start the container 'p1' in 'test' :-)
>
> I am not an expert with cgroups and i am wondering if i am letting
> the devil enters in my home with that...
>
> So, what is your opinion: is it a possible security break or is it safe?
Two things to make this safer
1. only chown the actual directory /sys/fs/cgroup/$T/lxc/test and maybe
its 'tasks' and 'cgroup.procs' files. That way the container can create
sub-cgroups but cannot raise its own limits.
2. Only do this for the controllers you definately need. Freezer and
memory for example. Then set lxc.cgroup.use in /etc/lxc/lxc.conf
(see lxc.system.conf(5)).
-serge
More information about the lxc-users
mailing list