[lxc-users] Owner of an unprivileged container
Xavier Gendre
gendre.reivax at gmail.com
Fri Mar 27 03:02:01 UTC 2015
Hello,
I run several containers on my server and, following the security
advice, they are unprivileged. Each container belongs to one user and I
am asking myself whether this is "good practice"...
Thus my question is whether there are differences between:
- an unprivileged container owned by root with 'lxc.id_map' in its
config file to make it unprivileged,
- a similar unprivileged container but owned by a classical user.
From a practical point of view, I have to admit that a container
owned by root is easier to handle but, from a security point of view,
is it safer to give the unprivileged container to a user than to
root? Or is the namespace sufficient to prevent escape from an
unprivileged container that belongs to root?
What are your "good practices" in the matter? All belong to root? All
belong to one dedicated user? Or, as I do, one user per container?
Thanks,
Xavier
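The two setups the post compares, as an added example that is not part of the original message or of LXC itself: a small POSIX shell script that reads the `lxc.id_map` lines of an LXC 1.x container config (the `lxc.id_map = u|g <container start> <host start> <count>` syntax is LXC's; the container configs, paths and the `/etc/subuid`-style allocations below are constructed sample data, and the function names are this example's own). It checks the one property that makes either container "unprivileged", namely that container uid 0 and gid 0 map onto a non-zero host id, and then reports which `/etc/subuid` allocation the mapped range falls in.

```shell
#!/bin/sh
# Added example: sanity-check lxc.id_map lines of LXC 1.x container configs.
# All configs and the subuid table below are constructed sample data.

# Constructed: container owned by root, made unprivileged via lxc.id_map.
ROOT_OWNED_CFG='lxc.rootfs = /var/lib/lxc/web/rootfs
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536'

# Constructed: the same container owned by an ordinary user "alice".
USER_OWNED_CFG='lxc.rootfs = /home/alice/.local/share/lxc/web/rootfs
lxc.id_map = u 0 165536 65536
lxc.id_map = g 0 165536 65536'

# Constructed: a mapping that leaves container root identical to host root.
BROKEN_CFG='lxc.rootfs = /var/lib/lxc/bad/rootfs
lxc.id_map = u 0 0 65536
lxc.id_map = g 0 0 65536'

# Constructed /etc/subuid-style allocations, "owner:start:count".
SUBUID='root:100000:65536
alice:165536:65536'

# idmap_hostid KIND CONFIG: print the host id that container id 0 maps to
# for KIND (u or g); print nothing if no lxc.id_map line covers id 0.
idmap_hostid() {
    kind=$1; cfg=$2
    printf '%s\n' "$cfg" | awk -v k="$kind" '
        $1 == "lxc.id_map" && $3 == k {
            # fields after "=": kind, container start, host start, count
            cstart = $4 + 0; hstart = $5 + 0; count = $6 + 0
            if (cstart <= 0 && 0 < cstart + count) {
                print hstart + (0 - cstart); exit
            }
        }'
}

# is_unprivileged CONFIG: succeed only if both container uid 0 and gid 0
# are mapped, and neither lands on host id 0.
is_unprivileged() {
    u=$(idmap_hostid u "$1"); g=$(idmap_hostid g "$1")
    [ -n "$u" ] && [ -n "$g" ] && [ "$u" -ne 0 ] && [ "$g" -ne 0 ]
}

# range_owner HOSTID: print the subuid owner whose allocation covers HOSTID.
range_owner() {
    printf '%s\n' "$SUBUID" | awk -F: -v id="$1" '
        id >= $2 && id < $2 + $3 { print $1; exit }'
}

# report LABEL CONFIG: one human-readable line per container.
report() {
    hid=$(idmap_hostid u "$2")
    if is_unprivileged "$2"; then
        printf '%s: container uid 0 -> host uid %s (subuid range of %s)\n' \
            "$1" "$hid" "$(range_owner "$hid")"
    else
        printf '%s: NOT unprivileged, container root is unmapped or is host root\n' "$1"
    fi
}

report "root-owned " "$ROOT_OWNED_CFG"
report "alice-owned" "$USER_OWNED_CFG"
report "broken     " "$BROKEN_CFG"
```

The `range_owner` check is the part the second setup gets for free: when an unprivileged user starts a container, the mapping is written through the setuid `newuidmap`/`newgidmap` helpers, which refuse any range not delegated to that user in `/etc/subuid` and `/etc/subgid`, whereas root writes `uid_map` directly and the kernel accepts whatever the config says, including the broken third example. Whichever owner you choose, the property worth verifying is the same one the script tests: container uid 0 is mapped, and not onto host uid 0.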