[lxc-users] Security gain: Start Unprivileged container as root or as regular user?

Fajar A. Nugraha list at fajar.net
Mon Aug 19 07:12:05 UTC 2019


On Sun, Aug 18, 2019 at 5:36 PM Georg Gast <georg at schorsch-tech.de> wrote:

> Hi,
>
> I currently use unprivileged lxc containers on debian buster, started as
> root. I use a separate set of uid/gids for every container.
>
> Debian Buster uses LXC 3.1.0
>
> Is any security gained in this setup if the containers are started as a
> separate user, different from root on the host?
>

In general, yes. It should at least protect you from possible security
issues in lxc-monitor.

However even if you do that, IIRC some processes still need to run as root
(or with suid binary), e.g. lxcfs and lxc-user-nic. So you'd still be
vulnerable if there are security issues in those processes.



> I would prefer to start them as root from /var/lib/lxc, as a simple
> lxc.auto.start = 1 lets them be started at system boot.
>

Generally you'd choose a mix between acceptable levels of ease -
performance - security.

Personally, for your use case, instead of using lxc directly, I recommend
you install snapd (and lxd from the snap package) or build lxd yourself (if you
don't want to use snap). Use a suitable storage backend (e.g. zfs/btrfs/lvm).
Then enable security.idmap.isolated. This way you still get separate u/gids
per container while enabling automation for some container administration
processes (e.g. assigning u/gids, autostart, copying/backing up containers,
etc).

-- 
Fajar
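The per-container uid/gid separation discussed in this thread, as an added example that is not part of the original exchange: a POSIX sh check that reads the lxc.idmap lines of several unprivileged container configs and reports any two containers whose host-side ranges overlap, which is the property security.idmap.isolated automates for you in LXD. The container names, paths and configs it reads are constructed inline so it runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): verify that the host uid/gid ranges
# mapped by a set of unprivileged LXC configs are disjoint, i.e. that each
# container really has its own ids. Sample configs are constructed below.

# Print "container type host_start host_end" for every lxc.idmap entry.
# Entries look like: lxc.idmap = u 0 100000 65536
idmap_ranges() {
    for cfg in "$@"; do
        name=$(basename "$(dirname "$cfg")")
        sed -n 's/^[[:space:]]*lxc\.idmap[[:space:]]*=[[:space:]]*//p' "$cfg" |
        while read -r type _cid hid count; do
            printf '%s %s %s %s\n' "$name" "$type" "$hid" "$((hid + count - 1))"
        done
    done
}

# Print each pair of different containers whose ranges of one type intersect.
idmap_overlaps() {
    idmap_ranges "$@" | awk '
        { n[NR] = $1; t[NR] = $2; s[NR] = $3; e[NR] = $4 }
        END {
            for (i = 1; i <= NR; i++)
                for (j = i + 1; j <= NR; j++)
                    if (n[i] != n[j] && t[i] == t[j] && s[i] <= e[j] && s[j] <= e[i])
                        printf "%s %s [%d-%d] vs %s [%d-%d]\n",
                               t[i], n[i], s[i], e[i], n[j], s[j], e[j]
        }'
}

# Exit 0 when no two containers share a host uid or gid, 1 otherwise.
check_idmap_isolation() {
    out=$(idmap_overlaps "$@")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out" | sed 's/^/OVERLAP /' >&2
    return 1
}

# Constructed demo: c2 got its own uids but copy-pasted c1's gid range.
demo_dir=$(mktemp -d)
for c in c1 c2 c3; do mkdir -p "$demo_dir/$c"; done
printf 'lxc.idmap = u 0 100000 65536\nlxc.idmap = g 0 100000 65536\n' > "$demo_dir/c1/config"
printf 'lxc.idmap = u 0 165536 65536\nlxc.idmap = g 0 100000 65536\n' > "$demo_dir/c2/config"
printf 'lxc.idmap = u 0 231072 65536\nlxc.idmap = g 0 231072 65536\n' > "$demo_dir/c3/config"

if check_idmap_isolation "$demo_dir"/*/config; then
    echo "all containers map to private host ranges"
else
    echo "shared host ranges found; fix the configs before relying on isolation"
fi
```

Point it at /var/lib/lxc/*/config to check a real host; any OVERLAP line means two containers' processes can share host ids and therefore reach each other's files.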