[lxc-users] Nested container in unprivileged container

Xavier Gendre gendre.reivax at gmail.com
Fri Jun 19 16:44:14 UTC 2015


On 18/06/2015 06:35, Serge Hallyn wrote:
> Quoting Xavier Gendre (gendre.reivax at gmail.com):
>> On 15/06/2015 17:17, Serge Hallyn wrote:
>>> Quoting Xavier Gendre (gendre.reivax at gmail.com):
>>>> Hi,
>>>>
>>>> I wanted to run a container in an unprivileged container and I am
>>>> glad to have succeeded in doing it. The point is that I am not sure if
>>>> what I did is acceptable from the security point of view or not...
>>>>
>>>> Here are the steps I did:
>>>>
>>>> 1) create an unprivileged container (lxc.id_map, ...) called 'test'.
>>>>
>>>> 2) mount a tmpfs to /sys/fs/cgroup in 'test' by adding this line in
>>>> its config file:
>>>>
>>>> lxc.mount.auto = cgroup:mixed
>>>>
>>>> 3) create a basic container called 'p1' with the download template
>>>> as root in 'test'.
>>>>
>>>> 4) on the host, I chown the cgroup hierarchy of 'test' to give it to
>>>> the user id mapped to the id 0 in 'test' (this id is 362144 in my
>>>> example):
>>>>
>>>> for T in `ls /sys/fs/cgroup`; do
>>>>    chown -R 362144:362144 /sys/fs/cgroup/$T/lxc/test
>>>> done
>>>>
>>>> 5) successfully start the container 'p1' in 'test' :-)
>>>>
>>>> I am not an expert with cgroups and I am wondering if I am letting
>>>> the devil enter my home with that...
>>>>
>>>> So, what is your opinion: is it a possible security break or is it safe?
>>>
>>> Two things to make this safer
>>>
>>> 1. only chown the actual directory /sys/fs/cgroup/$T/lxc/test and maybe
>>> its 'tasks' and 'cgroup.procs' files.  That way the container can create
>>> sub-cgroups but cannot raise its own limits.
>>>
>>> 2. Only do this for the controllers you definitely need.  Freezer and
>>> memory for example.  Then set lxc.cgroup.use in /etc/lxc/lxc.conf
>>> (see lxc.system.conf(5)).
>>>
>>> -serge
>>
>> Hello Serge,
>>
>> thank you for your advice. Indeed, chowning only the directories is
>> sufficient to start the nested container. I did not have to chown
>> 'tasks' and 'cgroup.procs' in order to simply start it.
>>
>> Your second point is more obscure for me... For now, I have to chown
>> all the controllers:
>>
>> 'blkio' 'cpu,cpuacct' 'cpuset' 'devices' 'freezer'
>> 'net_cls,net_prio' 'perf_event'
>>
>> When you say 'need', it applies to the container 'test' or to 'p1'
>> in my example?
>
> The child one, p1.  With new enough lxc you should be able to
> use only freezer, setting that as lxc.cgroup.use in the
> system lxc.conf.

Arf, for now, I am still working with Debian Jessie and LXC 1.0.7. I 
will be able to try your suggestions when a more recent version of LXC 
appears in the Debian repositories. Thus, I continue to chown my whole 
list of controllers :-°

>> If I plan to allow quite general containers to run in
>> my unprivileged container, should all the controllers be chowned, or
>> are there some that are definitely not needed?
>
> General containers are fine, it's only if you need the nested containers
> to be more finely restricted, i.e. if you simply must be able to
> allocate only a subset of test1's cpus or memory.

OK, thanks for this example, it is clearer for me now.

Thank you for these explanations,
Xavier
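As an added illustration of Serge's two rules (chown only the container's own cgroup directory, never `-R`, and only for the controllers the nested container needs), here is a small POSIX sh helper. It is example code, not from the thread or from LXC; it assumes the cgroup v1 layout `/sys/fs/cgroup/$T/lxc/$name` shown above, and the `CGROUP_ROOT`, `CHOWN` and `WITH_TASKS` knobs are this example's own conventions.

```shell
#!/bin/sh
# Delegate a container's cgroup directories to the uid that is root inside
# the unprivileged container, without giving it its own limit files.
#
# Knobs (conventions of this example, not LXC settings):
#   CGROUP_ROOT  base of the cgroup v1 mounts   (default /sys/fs/cgroup)
#   CHOWN        command used to change owner   (set to "echo chown" for a dry run)
#   WITH_TASKS   set to 1 to also chown 'tasks' and 'cgroup.procs'
: "${CGROUP_ROOT:=/sys/fs/cgroup}"
: "${CHOWN:=chown}"

# delegate_cgroups NAME UID CONTROLLER...
# Chowns $CGROUP_ROOT/<controller>/lxc/NAME (non-recursively) for each
# controller, prints each path it chowned, and returns non-zero if any
# controller has no cgroup directory for NAME.
delegate_cgroups() {
    name=$1; uid=$2; shift 2
    rc=0
    for ctrl in "$@"; do
        dir="$CGROUP_ROOT/$ctrl/lxc/$name"
        if [ ! -d "$dir" ]; then
            echo "missing cgroup directory: $dir" >&2
            rc=1
            continue
        fi
        # The directory only: the container can mkdir sub-cgroups for its
        # own nested containers, but memory.limit_in_bytes, cpuset.cpus
        # and friends stay owned by root on the host.
        $CHOWN "$uid:$uid" "$dir" && echo "$dir"
        if [ "${WITH_TASKS:-0}" = 1 ]; then
            # Needed only if the container must move tasks into this cgroup.
            for f in tasks cgroup.procs; do
                [ -f "$dir/$f" ] && $CHOWN "$uid:$uid" "$dir/$f" && echo "$dir/$f"
            done
        fi
    done
    return $rc
}

# Thread example: container 'test', root mapped to uid 362144, delegating
# only the two controllers Serge mentions instead of the whole list:
#   delegate_cgroups test 362144 freezer memory
```

Run as root on the host after 'test' has started (so its cgroup directories exist); a `missing cgroup directory` message means that controller is not mounted or 'test' is not running.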
