[lxc-users] Separate sub(g)uid for each container?
mleuker
michael at leuker.me
Wed Feb 8 10:42:27 UTC 2017
I'm referencing John Siu's https://lists.linuxcontainers.org/pipermail/lxc-users/2016-February/010960.html which was never answered conclusively. My setup currently separates each unprivileged container with a different subuid / subgid range, e.g.
lxc1 1000000 65536
lxc2 1100000 65536
lxc3 1200000 65536
...
The question is whether there is any gain in security in doing this, or if running all containers with the same sub(g)uid range offers enough protection when apparmor and lxcfs are enabled.
What for example happens if one of the containers is taken over? We know that the host is protected well enough since gaining root in the container doesn't help the attacker do much on the host. But could he or she use the breach as an attack vector against other containers *specifically* because they are running with the same sub(g)uid set?
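As an added example (not part of the original post or of LXC itself), the script below takes entries in the poster's "name start count" format, checks that the per-container ranges neither overlap each other nor reach into the host's own uid space, and prints the lxc.idmap lines that map a container's id 0 onto its range. The sample entries are constructed from the post, and the 65536 host-uid cutoff is an assumption about the host's account layout.

```python
"""Validate per-container subuid/subgid ranges and emit lxc.idmap lines.

Added example; the entries below are constructed in the mailing-list post's
"name start count" format and are not read from a real /etc/subuid.
"""
import re

# Constructed sample: one unprivileged container per line, as in the post.
SAMPLE_SUBUID = """\
lxc1 1000000 65536
lxc2 1100000 65536
lxc3 1200000 65536
"""

# Assumption: host accounts live below this uid, so a container range that
# starts lower would collide with real host users.
HOST_UID_LIMIT = 65536


def parse_ranges(text):
    """Parse 'name start count' lines (also accepts /etc/subuid's
    name:start:count) into (name, first_id, last_id) tuples."""
    ranges = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[:\s]+", line)
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 'name start count', got {line!r}")
        name, start, count = parts[0], int(parts[1]), int(parts[2])
        if count <= 0:
            raise ValueError(f"line {lineno}: count must be positive")
        ranges.append((name, start, start + count - 1))
    return ranges


def find_problems(ranges):
    """Return human-readable problems: a range that reaches into host uids,
    or two containers whose ranges overlap (and so share host-side ids)."""
    problems = []
    for name, start, end in ranges:
        if start < HOST_UID_LIMIT:
            problems.append(f"{name}: range {start}-{end} overlaps host uids below {HOST_UID_LIMIT}")
    ordered = sorted(ranges, key=lambda r: r[1])
    for (a, a_start, a_end), (b, b_start, b_end) in zip(ordered, ordered[1:]):
        if b_start <= a_end:
            problems.append(f"{a} ({a_start}-{a_end}) overlaps {b} ({b_start}-{b_end})")
    return problems


def idmap_lines(name, ranges):
    """Emit the lxc.idmap config lines for one container (LXC 2.1+ key name;
    older releases spell it lxc.id_map), mapping container id 0 onto the
    first host id of its range for both users and groups."""
    for r_name, start, end in ranges:
        if r_name == name:
            count = end - start + 1
            return [f"lxc.idmap = u 0 {start} {count}",
                    f"lxc.idmap = g 0 {start} {count}"]
    raise KeyError(name)


if __name__ == "__main__":
    rs = parse_ranges(SAMPLE_SUBUID)
    for p in find_problems(rs) or ["no overlapping ranges"]:
        print(p)
    print("\n".join(idmap_lines("lxc2", rs)))
```

Run it against the real /etc/subuid and /etc/subgid by reading those files into parse_ranges; an empty result from find_problems means every container owns a disjoint slice of host ids, which is the property the per-container layout in the post is meant to provide.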