[lxc-users] Separate sub(g)uid for each container?

mleuker michael at leuker.me
Wed Feb 8 10:42:27 UTC 2017


I'm referencing John Siu's https://lists.linuxcontainers.org/pipermail/lxc-users/2016-February/010960.html which was never answered conclusively. My setup currently separates each unprivileged container with a different subuid / subgid range, e.g.

lxc1    1000000 65536
lxc2    1100000 65536
lxc3    1200000 65536
...

The question is whether there is any gain in security doing this or if running all containers with the same sub(g)uid offers enough protection when apparmor and lxcfs are enabled.

What for example happens if one of the containers is taken over? We know that the host is protected well enough since gaining root in the container doesn't help the attacker do much on the host. But could he or she use the breach as an attack vector against other containers *specifically* because they are running with the same sub(g)uid set?
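An added check, not from the original post or from LXC itself, that reads mapping lines in the layout shown above (or the name:start:count form of /etc/subuid) and reports any two containers whose host ID ranges intersect, since overlapping ranges mean the containers share real host UIDs; the sample lines, including the overlapping lxc4 entry, are constructed.

```python
# Added example: verify that per-container subuid/subgid ranges are disjoint.
# Two unprivileged containers whose ranges overlap are the same user(s) as far
# as the host kernel is concerned, so files, processes and IPC objects owned by
# that host UID are reachable from both.
import re
from itertools import combinations

# Constructed sample in the post's "name start count" layout; the
# colon-separated /etc/subuid form "name:start:count" is accepted as well.
SAMPLE = """\
lxc1    1000000 65536
lxc2    1100000 65536
lxc3    1200000 65536
lxc4:1150000:65536
"""


def parse_ranges(text):
    """Return {name: (first_host_id, last_host_id)} for each mapping line."""
    ranges = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = re.split(r"[:\s]+", line)
        start, count = int(start), int(count)
        ranges[name] = (start, start + count - 1)  # inclusive bounds
    return ranges


def find_overlaps(ranges):
    """List (a, b) pairs whose host ID ranges intersect, in sorted name order."""
    overlaps = []
    for (a, (a_lo, a_hi)), (b, (b_lo, b_hi)) in combinations(sorted(ranges.items()), 2):
        # Closed intervals intersect iff each starts no later than the other ends.
        if a_lo <= b_hi and b_lo <= a_hi:
            overlaps.append((a, b))
    return overlaps


if __name__ == "__main__":
    r = parse_ranges(SAMPLE)
    for a, b in find_overlaps(r):
        print("OVERLAP: %s %s shares host IDs with %s %s" % (a, r[a], b, r[b]))
```

Feed it the contents of /etc/subuid and /etc/subgid (or the lxc.idmap lines collected from each container config) instead of SAMPLE to audit a real host.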
