[lxc-users] How to bind-mount host filesystem inside a container and change mount options
Leonid Isaev
leonid.isaev at jila.colorado.edu
Wed Sep 16 23:02:28 UTC 2015
Hi,
On Tue, Sep 15, 2015 at 10:36:02PM +0000, Serge Hallyn wrote:
> Quoting Leonid Isaev (leonid.isaev at jila.colorado.edu):
> > Are there any security implications of doing this if a container is privileged
> > and CONFIG_USER_NS is not set (because lxc-start runs as root)?
>
> Running a container not in a user-namespace does have huge security
> implications. But you can, as root, still start a container that is
> in a user namespace. Just make sure that root has the needed subuid
> allocations in /etc/subuid and /etc/subgid.
>
> So you could start the container as root from a script like
>
> #!/bin/bash
> # runcontainer.sh
> # Abort if the remount fails, so the container never starts with a noexec /export/home.
> set -e
> mount -o remount,exec,bind /export/home
> lxc-start -n "$1"
>
> where you start that by doing
>
> sudo lxc-unshare -s MOUNT -- runcontainer.sh mycontainer
>
> That way root on the host remounts /export/home executable only for
> the container, and the container gets an executable /export/home,
> so you can keep the container in a user namespace.
Thanks for your advice :) However, Archlinux default kernel does not enable
userns yet, so within a default distribution containers are not a security
device but simply a useful way to partition servers...
My question was whether disallowing an exec remount of the FS has any meaning on
kernels w/o CONFIG_USER_NS (or when a container does not run inside a user
namespace)? Or, IOW, are there any security caveats (besides allowing execution,
obviously) to doing 'mount -o remount,exec' as root from inside the container?
Thanks again,
L.
--
Leonid Isaev
GPG fingerprints: DA92 034D B4A8 EC51 7EA6 20DF 9291 EE8A 043C B8C4
C0DF 20D0 C075 C3F1 E1BE 775A A7AE F6CB 164B 5A6D
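As an added example (not code from this thread, and not LXC's own), here is a fuller form of the wrapper Serge describes for use under "sudo lxc-unshare -s MOUNT -- ./runcontainer.sh mycontainer": it refuses to proceed unless it is in a mount namespace other than PID 1's, reads the mount flags of the export from /proc/self/mountinfo before and after the bind remount so a silent failure cannot start the container with the wrong flags, and only then execs lxc-start. The path /export/home, the container name and the mountinfo file path argument (used so the parsing functions can be exercised on a constructed file) are assumptions.

```shell
#!/bin/sh
# Added example: wrapper to be started under `lxc-unshare -s MOUNT`.
# Assumed layout: /export/home is a bind mount that the host keeps noexec.
set -eu

# Print the mount options (field 6 of a mountinfo line, see proc(5)) for
# MOUNTPOINT, read from MOUNTINFO (default: /proc/self/mountinfo).
mount_opts() {
    mountpoint="$1"
    mountinfo="${2:-/proc/self/mountinfo}"
    awk -v mp="$mountpoint" '$5 == mp { opts = $6 } END { print opts }' "$mountinfo"
}

# Succeed (exit 0) only when MOUNTPOINT is a mount point carrying noexec.
is_noexec() {
    opts="$(mount_opts "$@")"
    [ -n "$opts" ] && printf '%s\n' "$opts" | tr ',' '\n' | grep -qx noexec
}

# Succeed when this process is in a mount namespace other than PID 1's,
# i.e. it was started under lxc-unshare -s MOUNT (or unshare -m).
in_own_mount_ns() {
    [ "$(readlink /proc/self/ns/mnt)" != "$(readlink /proc/1/ns/mnt)" ]
}

# Remount EXPORT_DIR exec in this namespace only, verify, then start NAME.
run_container() {
    name="$1"
    export_dir="${2:-/export/home}"
    if ! in_own_mount_ns; then
        echo "refusing: still in the host mount namespace" >&2
        return 1
    fi
    if ! is_noexec "$export_dir"; then
        echo "$export_dir is not a noexec mount point; nothing to do" >&2
        return 1
    fi
    # remount,bind changes only the per-mount-point flags (mount(8)),
    # so the superblock and the host's view of the export are untouched.
    mount -o remount,bind,exec "$export_dir"
    if is_noexec "$export_dir"; then
        echo "remount of $export_dir did not take effect" >&2
        return 1
    fi
    exec lxc-start -n "$name"
}

# Run only when a container name was supplied (sourcing the file for its
# functions, or running it without arguments, does nothing).
if [ "$#" -gt 0 ]; then
    run_container "$@"
fi
```

The namespace check matters because the same remount issued from the host namespace would leave /export/home executable for every process on the host, not just the container; comparing /proc/self/ns/mnt with PID 1's link is a cheap way to catch being run without lxc-unshare.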