[lxc-users] More secure container

Fajar A. Nugraha list at fajar.net
Wed May 10 07:10:42 UTC 2017


On Wed, May 10, 2017 at 1:33 PM, T.C 吳天健 <tcwu2005 at gmail.com> wrote:

> Fajar and Andrey,
>
> I run lxc-1.0 on an embedded system and I don't have lxd on that platform
> (i.e. I cross-compile lxc-1.0 from scratch; no prebuilt package is available).
> And yes, I run the container with root privilege.
>

I highly suggest you invest some time to port lxd there. It'd make some
things a lot easier.



>
> Can I have your mentioned features "use separate u/gid range for each
> container" and "limits which device nodes (block and char) allowed in the
> container" without existence of lxd?
>
>
Without LXD? Best docs I can point you to are:
- https://linuxcontainers.org/lxc/manpages/man5/lxc.container.conf.5.html
(for example, find "lxc.cgroup.devices.allow" and "UID MAPPINGS" there)
- https://github.com/lxc/lxc/tree/master/doc
- https://stgraber.org/2014/01/17/lxc-1-0-unprivileged-containers/
- https://help.ubuntu.com/lts/serverguide/lxc.html#lxc-unpriv

A little note about the last two: they guide you to create user-owned
unpriv containers. It's usually MUCH easier to manage (including setting
autostart behavior) root-owned unpriv containers (which is basically what
lxd does). Root-owned unpriv containers are similar to a privileged
container, except that:
- they have uid mapping configuration
- the files in the rootfs have their u/gid shifted (e.g. with fuidshift)


Again, the process is MUCH simpler if you have lxd (e.g. look for
"security.idmap.isolated" in
https://github.com/lxc/lxd/blob/master/doc/containers.md)

-- 
Fajar
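To make the two features asked about in this thread concrete, here is an added example of an lxc-1.0 container config, written for this page and not taken from the LXC project or from either poster. It assumes a root-owned container at the hypothetical path /var/lib/lxc/c1, an assumed subordinate id range starting at 100000 with 65536 ids, and the lxc-1.0 key name `lxc.id_map` (newer LXC releases renamed it). The device allow-list keeps only the pseudo-devices a typical userspace needs; everything else, including every block device, stays denied.

```ini
# /var/lib/lxc/c1/config  (hypothetical path, added example)
lxc.utsname = c1
lxc.rootfs = /var/lib/lxc/c1/rootfs

# --- UID/GID mappings -------------------------------------------------
# Container uid 0..65535 -> host uid 100000..165535 (assumed range).
# A root process that escapes the container is host uid 100000, not 0.
# Give each container its own non-overlapping range for isolation.
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536

# The rootfs must be shifted once to the same range before first start,
# otherwise nothing inside is owned by the container's root.
# Assumed fuidshift invocation (b = shift both uid and gid):
#   fuidshift /var/lib/lxc/c1/rootfs b:0:100000:65536

# --- Device cgroup: default deny, then an explicit allow-list ----------
# "a" = all devices; after this line the container can open no device
# node at all unless it is re-allowed below. No block devices are
# re-allowed, so the container cannot touch host disks even as root.
lxc.cgroup.devices.deny = a

# Permit mknod of arbitrary nodes (m) but not opening them (no r/w);
# this keeps package managers that create /dev entries working.
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m

# /dev/null, /dev/zero, /dev/full
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
lxc.cgroup.devices.allow = c 1:7 rwm
# /dev/random, /dev/urandom
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 1:9 rwm
# /dev/tty, /dev/console, /dev/ptmx and the pts slaves
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:2 rwm
lxc.cgroup.devices.allow = c 136:* rwm
# /dev/rtc0, read-only
lxc.cgroup.devices.allow = c 254:0 rm
```

After the shift, `ls -ln /var/lib/lxc/c1/rootfs` on the host should show owner 100000 where it previously showed 0; if the files are still owned by host uid 0 the container will start but its root will be unable to write to its own filesystem, which is the usual symptom of a forgotten fuidshift. Adding a device later means adding one `lxc.cgroup.devices.allow` line for its major:minor, not loosening the `deny = a` line.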