[lxc-users] Security gain: Start Unprivileged container as root or as regular user?

Georg Gast georg at schorsch-tech.de
Sun Aug 18 10:36:51 UTC 2019


Hi,

I currently use unprivileged LXC containers on Debian Buster, started as
root. I use a separate set of uid/gids for every container.

If I start the container from root, the lxc-monitor is run by root on
the host. Init is on uid 100000 (seen from host).

If I start it as a regular user, lxc-monitor is run by uid 1000 and init
in the container is at 101000 (seen from host).

The containers are apache, postgres and postfix/courier. There are no
other users able to login via ssh. postgres is just the backend for the
other containers.

lxc-ls shows:
lxc-ls --fancy
NAME     STATE   AUTOSTART GROUPS IPV4            IPV6 UNPRIVILEGED
mail     RUNNING 1         -      192.xxx.xxx.xxx -    true
postgres RUNNING 1         -      192.xxx.xxx.xxx -    true
www      RUNNING 1         -      192.xxx.xxx.xxx -    true

Debian Buster uses LXC 3.1.0

Is any security gained in this setup if the containers are started as a
separate user, different than root, on the host?

I would prefer to start them as root from /var/lib/lxc, as a simple
lxc.auto.start = 1 lets them be started at system boot.

Greetings

Georg
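
A check related to the per-container uid/gid sets described in the message above, as an added example that is not part of the original post: it parses lxc.idmap lines from container configs and reports containers whose host id ranges overlap, or that map host id 0. The container names come from the post; the id values and the function names are constructed for illustration.

```python
import re
from itertools import combinations

# lxc.idmap = <u|g|b> <first id in container> <first id on host> <count>
IDMAP_RE = re.compile(r"^\s*lxc\.idmap\s*=\s*([ugb])\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_idmaps(config_text):
    """Return [(kind, host_start, host_end_exclusive)] for each lxc.idmap line."""
    ranges = []
    for line in config_text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        _ct_start, host_start, count = (int(x) for x in m.groups()[1:])
        # 'b' maps both uids and gids with the same range
        for kind in ("ug" if m.group(1) == "b" else m.group(1)):
            ranges.append((kind, host_start, host_start + count))
    return ranges

def find_overlaps(configs):
    """configs: {name: config text}. Return sorted (a, b, kind) sharing host ids."""
    parsed = {name: parse_idmaps(text) for name, text in configs.items()}
    hits = set()
    for a, b in combinations(sorted(parsed), 2):
        for ka, sa, ea in parsed[a]:
            for kb, sb, eb in parsed[b]:
                if ka == kb and sa < eb and sb < ea:  # half-open ranges intersect
                    hits.add((a, b, ka))
    return sorted(hits)

def maps_host_root(config_text):
    """True if any mapping covers host id 0, i.e. container root is host root."""
    return any(start <= 0 < end for _, start, end in parse_idmaps(config_text))

# Constructed sample configs (not from the post): www starts where mail ends,
# so it does not collide with mail, but it runs into the postgres range.
SAMPLE = {
    "mail": "lxc.idmap = u 0 100000 65536\nlxc.idmap = g 0 100000 65536\n",
    "postgres": "lxc.idmap = u 0 200000 65536\nlxc.idmap = g 0 200000 65536\n",
    "www": "lxc.idmap = b 0 165536 65536\n",
}

if __name__ == "__main__":
    for a, b, kind in find_overlaps(SAMPLE):
        print(f"{a} and {b} share host {kind}ids")
    for name, text in SAMPLE.items():
        if maps_host_root(text):
            print(f"{name} maps host id 0")
```

On a host, the config text would be read from each container's config file under /var/lib/lxc instead of the inline samples.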

