[lxc-users] is starting unprivileged containers as root as secure as running them as any other user?
Serge Hallyn
serge.hallyn at ubuntu.com
Mon Jan 11 22:36:13 UTC 2016
Quoting Carlos Alberto Lopez Perez (clopez at igalia.com):
> On 11/01/16 23:13, Serge Hallyn wrote:
> > Quoting david.andel at bli.uzh.ch (david.andel at bli.uzh.ch):
> >> Hmm, this is interesting.
> >> I am runnung my container from the unprivileged user 'lxduser' and yet:
> >>
> >> root at qumind:~# ps -ef | grep '[l]xc monitor'
> >> root 7609 1 0 11:54 ? 00:00:00 [lxc monitor] /var/lib/lxd/containers pgroonga
> >>
> >> What is wrong here?
> >
> > You're using lxd. Lxd runs as root. You are not starting the
> > containers as 'lxduser' - you are making requests as 'lxduser' for
> > the root-owned process 'lxd' to start the containers.
>
> I understood that LXD uses unprivileged containers by default...
>
> Does this mean that LXD is starting the unprivileged containers as root?
yes. It does many things which an unprivileged user cannot do, so it has
to run as root.
The lxc-attach weakness I mentioned does not apply to 'lxc exec', because
lxd interposes a pty between your console and the container's.
More information about the lxc-users
mailing list