[lxc-users] More secure container
Fajar A. Nugraha
list at fajar.net
Wed May 10 07:10:42 UTC 2017
On Wed, May 10, 2017 at 1:33 PM, T.C 吳天健 <tcwu2005 at gmail.com> wrote:
> Fajar and Andrey,
> I run lxc-1.0 on an embedded system and I don't have lxd on that platform
> (i.e. I cross-compile lxc-1.0 from scratch; no prebuilt package is available).
> And yes, I run the container with root privilege.
I highly suggest you invest some time to port lxd there. It'd make some
things a lot easier.
> Can I have your mentioned features "use separate u/gid range for each
> container" and "limits which device nodes (block and char) allowed in the
> container" without existence of lxd?
Without LXD? Best docs I can point you to are:
(for example, find "lxc.cgroup.devices.allow" and "UID MAPPINGS" there)
A little note about the last two, they guide you to create user-owned
unpriv containers. It's usually MUCH easier to manage (including setting
autostart behavior) root-owned unpriv containers (which is basically what
lxd does). root-owned unpriv containers are similar to a privileged
container, except that:
- it has uid mapping configuration
- the files in rootfs have their u/gid shifted (e.g. with fuidshift)
Again, the process is MUCH simpler if you have lxd (e.g. look for
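As an added illustration (not part of the thread and not from the LXC project), the fragment below is an LXC 1.x container config that combines the two features asked about: a per-container uid/gid mapping and a device cgroup whitelist. The container name, rootfs path, include path and the id base 100000 are assumptions; a second container would use a different, non-overlapping base (e.g. 165536).

```ini
# /var/lib/lxc/demo/config (example added here; paths are assumptions)
lxc.utsname = demo
lxc.rootfs = /var/lib/lxc/demo/rootfs
# distro include path depends on your build; adjust as needed
lxc.include = /usr/share/lxc/config/ubuntu.common.conf

# uid/gid mapping (LXC 1.x key name; renamed lxc.idmap in 2.1):
# container id 0..65535 -> host id 100000..165535.
# Give every container its own non-overlapping base so a breakout
# from one container does not land on files owned by another.
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536

# device cgroup: deny everything first, then allow only what the
# workload needs (type major:minor access). Comments are kept on
# their own lines because old LXC parsers do not strip inline ones.
lxc.cgroup.devices.deny = a
# /dev/null, /dev/zero
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
# /dev/random, /dev/urandom
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 1:9 rwm
# /dev/tty, /dev/console, /dev/ptmx
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:2 rwm
# /dev/pts/*
lxc.cgroup.devices.allow = c 136:* rwm
# no block devices are allowed; add explicit entries if a
# workload really needs one rather than re-enabling "a"
```

Because lxc-start runs as root here, it writes the uid_map/gid_map itself, so no /etc/subuid or /etc/subgid entries are required for a root-owned container; what is required is that the files under the rootfs are already owned by the shifted ids (here 100000 + container id), otherwise the container's processes will find root-owned files they cannot write and will fail to start. A quick check after shifting is that `stat -c %u /var/lib/lxc/demo/rootfs/etc/passwd` on the host prints 100000, not 0.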