[lxc-users] Is there any advantage to use separate subuid and subgid for each container?

John Siu john.sd.siu at gmail.com
Mon Feb 15 07:20:30 UTC 2016


I am thinking more about a container accessing another container, instead of a container accessing the host. So it is like drilling a hole in the wall to next door, instead of drilling through the floor to get to the lobby. Or are they actually equivalent?

John

> On Feb 15, 2016, at 01:01, Fajar A. Nugraha <list at fajar.net> wrote:
> 
> On Mon, Feb 15, 2016 at 11:56 AM, John Siu <john.sd.siu at gmail.com <mailto:john.sd.siu at gmail.com>> wrote:
> Is there any advantage to use separate subuid and subgid for each container?
> 
> For example, when multiple unprivileged containers use the same subuid 100000, ps will show something like the following:
> 
> One cannot tell which process is owned by which container.
> 
> 
> ps -ea -O cgroup:50
> 
> 
> Additionally, using the same subuid, is there any concern about one container gaining access to the other containers? Or is this not a problem at all?
> 
> 
> In theory, yes; AFAIK that is a possibility. If somehow a process manages to break out of the container, it might be able to do stuff on the host as an unprivileged user.
> 
> I haven't seen any attacks like that on recent systems though. In particular, with AppArmor and lxcfs enabled, you should get an additional layer of security. So personally I find it still acceptable for multiple unprivileged containers to share the same subuid.
> 
> -- 
> Fajar
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users
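The two concerns in John's question (ps cannot attribute a host uid to a container, and uid N in one container being the same host uid as uid N in every other container) both come down to how the subordinate id ranges are laid out. The script below is an added example, not code from this thread or from LXC itself: it compares the shared layout John describes with a layout that gives each container its own range, resolves a host uid seen in ps back to "container + uid inside the container", checks that no two ranges intersect, and prints the /etc/subuid and per-container config lines for the disjoint layout. The inventory format ("name:first_host_uid:count"), the container names and the uid values are all constructed for the example. The config key is spelled lxc.id_map as in LXC 1.x/2.0 (current at the time of the thread); LXC 2.1 and later spell it lxc.idmap.

```shell
#!/bin/sh
# Added example (not from the thread or from LXC). Hypothetical inventory
# format: "name:first_host_uid:count", entries separated by spaces.

# The layout from the question: every container mapped onto the same range,
# so uid 33 inside web, db and cache is host uid 100033 in all three.
SHARED="web:100000:65536 db:100000:65536 cache:100000:65536"
# One range per container, back to back; host-side DAC now tells them apart.
SEPARATE="web:100000:65536 db:165536:65536 cache:231072:65536"

# owners INVENTORY HOSTUID -> prints "name cuid" for every container whose
# range contains HOSTUID (cuid is the uid as seen inside that container).
owners() {
    inv=$1; uid=$2
    for entry in $inv; do
        name=${entry%%:*}; rest=${entry#*:}
        start=${rest%%:*}; count=${rest#*:}
        if [ "$uid" -ge "$start" ] && [ "$uid" -lt $((start + count)) ]; then
            echo "$name $((uid - start))"
        fi
    done
}

# owner_count INVENTORY HOSTUID -> how many containers claim HOSTUID.
# 1 means ps output is attributable; more than 1 means it is ambiguous.
owner_count() {
    owners "$1" "$2" | wc -l | tr -d ' '
}

# disjoint INVENTORY -> exit 0 if no two ranges intersect, 1 otherwise.
disjoint() {
    for a in $1; do
        a_rest=${a#*:}; a_start=${a_rest%%:*}; a_count=${a_rest#*:}
        a_end=$((a_start + a_count))
        for b in $1; do
            [ "$a" = "$b" ] && continue
            b_rest=${b#*:}; b_start=${b_rest%%:*}; b_count=${b_rest#*:}
            b_end=$((b_start + b_count))
            # half-open intervals [start, end) overlap iff each starts before the other ends
            if [ "$a_start" -lt "$b_end" ] && [ "$b_start" -lt "$a_end" ]; then
                return 1
            fi
        done
    done
    return 0
}

# subid_lines USER INVENTORY -> lines for /etc/subuid and /etc/subgid that
# grant USER every range in INVENTORY, one line per container.
subid_lines() {
    for entry in $2; do
        rest=${entry#*:}
        printf '%s:%s:%s\n' "$1" "${rest%%:*}" "${rest#*:}"
    done
}

# idmap_lines NAME INVENTORY -> the id-map lines for NAME's container config
# (lxc.id_map in LXC 1.x/2.0, lxc.idmap from LXC 2.1 on).
idmap_lines() {
    for entry in $2; do
        if [ "${entry%%:*}" = "$1" ]; then
            rest=${entry#*:}
            printf 'lxc.id_map = u 0 %s %s\nlxc.id_map = g 0 %s %s\n' \
                "${rest%%:*}" "${rest#*:}" "${rest%%:*}" "${rest#*:}"
            return 0
        fi
    done
    return 1
}

# Demo: a process running as host uid 100033 (a container's www-data, say)
# shows up in ps on the host. Which container does it belong to?
echo "shared layout:   $(owner_count "$SHARED" 100033) container(s) claim host uid 100033"
echo "separate layout: owner of host uid 100033 is: $(owners "$SEPARATE" 100033)"
disjoint "$SHARED"   || echo "shared layout: ranges overlap, DAC cannot separate the containers"
disjoint "$SEPARATE" && echo "separate layout: ranges are disjoint"
echo "--- /etc/subuid and /etc/subgid lines for user lxcuser (separate layout):"
subid_lines lxcuser "$SEPARATE"
echo "--- config lines for container db (separate layout):"
idmap_lines db "$SEPARATE"
```

With the shared layout every container claims host uid 100033, which is exactly why ps on the host cannot say which container a process came from without the cgroup column; with disjoint ranges the lookup is unique, and a file owned by db's uid 33 (host uid 165569) fails the ordinary permission check when web's uid 33 (host uid 100033) reaches it through a shared mount or a container escape, whereas with identical mappings those are the same host uid and DAC grants the access.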

