[lxc-users] Nested container in unprivileged container

Serge Hallyn serge.hallyn at ubuntu.com
Thu Jun 18 04:35:31 UTC 2015


Quoting Xavier Gendre (gendre.reivax at gmail.com):
> On 15/06/2015 17:17, Serge Hallyn wrote:
> >Quoting Xavier Gendre (gendre.reivax at gmail.com):
> >>Hi,
> >>
> >>I wanted to run a container in an unprivileged container and I am
> >>glad to have succeeded in doing it. The point is that I am not sure if what
> >>I did is acceptable from the security point of view or not...
> >>
> >>Here are the steps I did:
> >>
> >>1) create an unprivileged container (lxc.id_map, ...) called 'test'.
> >>
> >>2) mount a tmpfs to /sys/fs/cgroup in 'test' by adding this line in
> >>its config file:
> >>
> >>lxc.mount.auto = cgroup:mixed
> >>
> >>3) create a basic container called 'p1' with the download template
> >>as root in 'test'.
> >>
> >>4) in the host, I chown the cgroup hierarchy of 'test' to give it to
> >>the user id mapped to the id 0 in 'test' (this id is 362144 in my
> >>example),
> >>
> >>for T in `ls /sys/fs/cgroup`; do
> >>   chown -R 362144:362144 /sys/fs/cgroup/$T/lxc/test
> >>done
> >>
> >>5) successfully start the container 'p1' in 'test' :-)
> >>
> >>I am not an expert with cgroups and I am wondering if I am letting
> >>the devil enter my home with that...
> >>
> >>So, what is your opinion: is it a possible security break or is it safe?
> >
> >Two things to make this safer
> >
> >1. only chown the actual directory /sys/fs/cgroup/$T/lxc/test and maybe
> >its 'tasks' and 'cgroup.procs' files.  That way the container can create
> >sub-cgroups but cannot raise its own limits.
> >
> >2. Only do this for the controllers you definitely need.  Freezer and
> >memory for example.  Then set lxc.cgroup.use in /etc/lxc/lxc.conf
> >(see lxc.system.conf(5)).
> >
> >-serge
> 
> Hello Serge,
> 
> thank you for your advice. Indeed, chowning only the directories is
> sufficient to start the nested container. I did not have to chown
> 'tasks' and 'cgroup.procs' in order to simply start it.
> 
> Your second point is more obscure for me... For now, I have to chown
> all the controllers:
> 
> 'blkio' 'cpu,cpuacct' 'cpuset' 'devices' 'freezer'
> 'net_cls,net_prio' 'perf_event'
> 
> When you say 'need', does it apply to the container 'test' or to 'p1'
> in my example?

The child one, p1.  With new enough lxc you should be able to
use only freezer, setting that as lxc.cgroup.use in the
system lxc.conf.

> If i plan to allow quite general containers to run in
> my unpriviledged container, all the controllers should be chowned or
> is there some that are definitely not needed?

General containers are fine; it's only if you need the nested containers
to be more finely restricted, i.e. if you simply must be able to
allocate only a subset of test1's cpus or memory.
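An added example of the safer delegation described in this thread (my script, not Serge's or Xavier's; LXC ships nothing like it): it chowns only the container's cgroup directory, without -R, for a chosen subset of controllers, and audits a cgroup that was already delegated for files a recursive chown left owned by the container. The /sys/fs/cgroup/<ctrl>/lxc/<name> layout and the mapped uid 362144 come from the thread; the DRY_RUN knob is my own.

```shell
#!/bin/sh
# Added example, not from the thread. Layout /sys/fs/cgroup/<ctrl>/lxc/<name>
# and the mapped root uid 362144 follow the thread; DRY_RUN is this example's
# own knob for printing the chown commands instead of running them.
set -eu

CGROUP_ROOT="${CGROUP_ROOT:-/sys/fs/cgroup}"
DRY_RUN="${DRY_RUN:-0}"

run() {                   # run a command, or echo it when DRY_RUN=1
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# delegate_cgroups NAME UID CONTROLLER...
# Chowning only the directory lets root in the container mkdir sub-cgroups
# (enough to start a nested container) while its own limit files stay root-owned.
delegate_cgroups() {
    name=$1; uid=$2; shift 2
    for ctrl in "$@"; do
        dir="$CGROUP_ROOT/$ctrl/lxc/$name"
        if [ ! -d "$dir" ]; then
            echo "skip: $dir does not exist" >&2
            continue
        fi
        run chown "$uid:$uid" "$dir"
    done
}

# audit_cgroups NAME UID CONTROLLER...
# Lists files directly inside the delegated cgroup that the container uid owns,
# which is what 'chown -R' leaves behind. Returns 1 if any were found.
# Sub-cgroups the container created itself are legitimately its own and skipped.
audit_cgroups() {
    name=$1; uid=$2; shift 2
    bad=0
    for ctrl in "$@"; do
        dir="$CGROUP_ROOT/$ctrl/lxc/$name"
        [ -d "$dir" ] || continue
        files=$(find "$dir" -maxdepth 1 -type f -user "$uid")
        if [ -n "$files" ]; then
            echo "over-delegated in $ctrl (container can edit its own limits):"
            echo "$files"
            bad=1
        fi
    done
    return "$bad"
}

# On the host, as root, for the thread's setup (freezer only; add memory if the
# nested container must be memory-limited):
#   delegate_cgroups test 362144 freezer memory
#   audit_cgroups    test 362144 freezer memory
```

Inside 'test', the matching `lxc.cgroup.use = freezer` line in /etc/lxc/lxc.conf keeps the child lxc from asking for controllers that were not delegated.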

