[lxc-users] Docker in unprivileged LXC?

Fajar A. Nugraha list at fajar.net
Wed Nov 20 13:11:08 UTC 2019


On Wed, Nov 20, 2019 at 6:41 PM Dirk Geschke <dirk at lug-erding.de> wrote:
>
> Hi Oliver,
>
> > afaik:
> >
> > security.nesting: "true"
> >
> > makes the container automatically privileged...

No. It still runs using mapped unprivileged UIDs/GIDs, but allows
additional capabilities (e.g. overlay mounts, etc.)

# cat /proc/1/uid_map
         0    1000000 1000000000

# docker run --rm -it hello-world
...
Hello from Docker!
This message shows that your installation appears to be working correctly.
...
To try something more ambitious, you can run an Ubuntu container with:
 $ docker run -it ubuntu bash
...


>
> half-and-half, I guess. But I asked for LXC not LXD...

I don't use lxc anymore (only lxd now), but you might be able to use
https://github.com/lxc/lxc/blob/stable-3.0/config/templates/nesting.conf.in

You can either include it (there should be an example in the
ubuntu/download template), or write the config directly in your
container config.

> However, if I start the container half unprivileged (starting
> as root but using uid/gid mapping) it seems to work. So probably
> that is the way to go here...
>
> Not ideal, but more secure than pure docker on the hardware...

Were you able to start the container? AFAIK you shouldn't be able to.
It's good if you can.

Another note from my experience: if you use zfs as container storage,
you need additional configuration for performance, as docker will use
the vfs driver by default instead of overlay/aufs. ext4/xfs/btrfs should
be fine as-is, though.

-- 
Fajar
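The `cat /proc/1/uid_map` check in the reply above is the quickest way to tell whether container root is really unprivileged. The script below is an added example, not code from the original post or from the LXC/LXD projects: it parses a uid_map in the layout the post shows (`<container id> <host id> <length>` per line), reports which host uid a given container uid lands on, and classifies root as unprivileged, privileged, or unmapped. The sample maps it is run against are constructed for illustration, including a hypothetical "hybrid" map that shifts uids 0-999 but passes uid 1000 through 1:1.

```shell
#!/bin/sh
# Added example (not from the original post): inspect a uid_map and say
# whether container root is really unprivileged. Inside a container run it
# against /proc/1/uid_map; from the host, against /proc/<init pid>/uid_map.

# Print the host uid that container uid $2 maps to under uid_map file $1,
# or "unmapped" when no range covers it (unmapped ids act as the overflow
# "nobody" id and cannot own files).
map_lookup() {
    awk -v cid="$2" '
        cid >= $1 && cid < $1 + $3 { print $2 + (cid - $1); found = 1; exit }
        END { if (!found) print "unmapped" }
    ' "$1"
}

# Classify container root from uid_map file $1; prints one of
#   unprivileged  (uid 0 maps to a non-zero host uid, as in the post)
#   privileged    (uid 0 maps to host uid 0, i.e. real root)
#   unmapped      (no range covers uid 0)
root_status() {
    case "$(map_lookup "$1" 0)" in
        unmapped) echo unmapped ;;
        0)        echo privileged ;;
        *)        echo unprivileged ;;
    esac
}

# Constructed sample maps (not captured from a real host).
tmp=${TMPDIR:-/tmp}/uidmap.$$
mkdir -p "$tmp"
# The post's container: root -> host uid 1000000
printf '         0    1000000 1000000000\n' > "$tmp/nested"
# Identity map, what a privileged container looks like
printf '         0          0 4294967295\n' > "$tmp/privileged"
# Hypothetical hybrid: uids 0-999 shifted, uid 1000 passed through 1:1
printf '         0    1000000       1000\n      1000       1000          1\n' > "$tmp/hybrid"

for m in nested privileged hybrid; do
    echo "$m: root is $(root_status "$tmp/$m"); container uid 1000 -> host uid $(map_lookup "$tmp/$m" 1000)"
done
rm -rf "$tmp"
```

Read the output with the post's point in mind: `security.nesting` does not change the map, so a nested container still shows root landing on a high host uid, while a genuinely privileged container prints the identity map and `privileged`.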

