[lxc-users] More secure container

T.C 吳天健 tcwu2005 at gmail.com
Wed May 10 07:20:04 UTC 2017


Great thanks to Fajar, Andrey, Jared and all of you.

Usually on embedded systems our porting/upgrading strategy is as prudent as
possible.  My previous survey showed that GOLANG is either undone or not
popular on embedded systems. I will survey the docs you mentioned and then
evaluate porting GOLANG and lxd.

TC WU

2017-05-10 15:10 GMT+08:00 Fajar A. Nugraha <list at fajar.net>:

> On Wed, May 10, 2017 at 1:33 PM, T.C 吳天健 <tcwu2005 at gmail.com> wrote:
>
>> Fajar and Andrey,
>>
>> I run lxc-1.0 on an embedded system and I don't have lxd on that platform
>> (i.e. I cross-compile lxc-1.0 from scratch; no prebuilt package is available).
>> And yes, I run the container with root privilege.
>>
>
> I highly suggest you invest some time to port lxd there. It'd make some
> things a lot easier.
>
>
>
>>
>> Can I have the features you mentioned, "use separate u/gid range for each
>> container" and "limits which device nodes (block and char) allowed in the
>> container", without lxd?
>>
>>
> Without LXD? Best docs I can point you to are:
> - https://linuxcontainers.org/lxc/manpages/man5/lxc.container.conf.5.html
> (for example, find "lxc.cgroup.devices.allow" and "UID MAPPINGS" there)
> - https://github.com/lxc/lxc/tree/master/doc
> - https://stgraber.org/2014/01/17/lxc-1-0-unprivileged-containers/
> - https://help.ubuntu.com/lts/serverguide/lxc.html#lxc-unpriv
>
> A little note about the last two: they guide you to create user-owned
> unpriv containers. It's usually MUCH easier to manage (including setting
> autostart behavior) root-owned unpriv containers (which is basically what
> lxd does). Root-owned unpriv containers are similar to privileged
> containers, except that:
> - they have uid mapping configuration
> - the files in the rootfs have their u/gid shifted (e.g. with fuidshift)
>
>
> Again, the process is MUCH simpler if you have lxd (e.g. look for
> "security.idmap.isolated" in
> https://github.com/lxc/lxd/blob/master/doc/containers.md)
>
> --
> Fajar
>
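As an added illustration (not part of the thread, and not taken from the LXC docs), here is a minimal LXC 1.0 config fragment that combines the two features Fajar points to, an isolated uid/gid range for the container and a device-node whitelist, for a root-owned unprivileged container. The container name, rootfs path and mapping base are assumptions; LXC 1.x spells the mapping key `lxc.id_map` (later releases renamed it `lxc.idmap`).

```ini
# Hypothetical root-owned unprivileged container, LXC 1.0 syntax.
lxc.utsname = embedded-app
lxc.rootfs = /var/lib/lxc/embedded-app/rootfs

# Map container uid/gid 0-65535 onto host 100000-165535. Container root is
# therefore an unprivileged host uid. Use a different base per container
# (e.g. 200000 for the next one) to give each an isolated range; the rootfs
# files must be shifted into that range beforehand (Fajar's fuidshift step).
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536

# Device whitelist: deny everything first, then allow only what the
# workload needs. Major:minor numbers are the standard Linux ones.
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 1:3 rwm    # /dev/null
lxc.cgroup.devices.allow = c 1:5 rwm    # /dev/zero
lxc.cgroup.devices.allow = c 1:8 rwm    # /dev/random
lxc.cgroup.devices.allow = c 1:9 rwm    # /dev/urandom
lxc.cgroup.devices.allow = c 5:0 rwm    # /dev/tty
lxc.cgroup.devices.allow = c 5:2 rwm    # /dev/ptmx
lxc.cgroup.devices.allow = c 136:* rwm  # /dev/pts/*
# No "b ..." lines: block devices (host disks) stay unreachable even for
# container root. Add a specific "b major:minor" line only if the workload
# genuinely needs that device.
```

A privileged container would simply omit the `lxc.id_map` lines and typically the device whitelist, which is exactly the difference Fajar describes; check the effective mapping from inside the container with `cat /proc/self/uid_map`.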