[lxc-users] Running unprotected system container

Koehler, Yannick yannick.koehler at hpe.com
Sat Jun 13 02:41:20 UTC 2020


Hi,

I am in a situation where we desire to run our old OS environment inside Ubuntu Core.  So far we have identified LXD as being a candidate to enable us to run our past Linux OS environment within the new one.

At this time our goal is to apply the least amount of modification to our existing OS in order to test and validate such an approach.

I, therefore, need to run an LXC container with pretty much zero security, so as to allow the old OS to load kernel modules, access /proc, /sys, etc.

I was able to disable AppArmor and remove any capability drop using

printf "lxc.cap.keep = ''\nlxc.apparmor.profile = unconfined" | sudo lxd.lxc config set c1 raw.lxc -
sudo lxd.lxc config set c1 security.privileged true

Yet, when I tried to disable seccomp using lxc.seccomp.profile = none, I obtained an error as the profile 'none' was not found by the seccomp profile reader.  I am wondering if this is a problem with lxc itself or with Ubuntu Core not providing a definition of what a seccomp "none" profile would be.

I am taking the information as to disable seccomp from this page https://ubuntu.com/server/docs/containers-lxd

Seccomp

All containers are confined by a default seccomp policy. This policy prevents some dangerous actions such as forced umounts, kernel module loading and unloading, kexec, and the open_by_handle_at system call. The seccomp configuration cannot be modified, however a completely different seccomp policy – or none – can be requested using raw.lxc (see below).

Another issue I am facing is that I am getting lots of permission denied/read-only fs errors for /proc and /sys. I was intending to go play with the option lxc.mount.auto, setting it to a value such as "proc:rw sys:rw". Do I need to put more into that config item so as to get the container to see the system as close as possible to as if it was not running inside a system container?

Finally, a problem I am seeing is that whenever I try to launch a shell within my image (which is RUNNING), I get permission denied on any binary I try to run:

  sudo lxd.lxc exec c1 /bin/ash
  ~ # ls
  ls: permission denied

Yet, ls is a link to busybox and so is /sbin/init which was successfully executed as to get to the RUNNING state.  I can run ubuntu and execute a shell in it, so I am guessing this has to do with configuration.  My image is a tarball I constructed with --owner=0 --group=0 as to enforce all files to be using UID/GID = 0.

Any help on any of those would be appreciated, again, my goal here is to ease a transition and I do not need LXC for the security aspect, but more for the system container aspect and being able to run other environments within it.

--
Yannick Koehler
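
Added example, not part of the original post and not LXD's own code: a small Python check that reports which of the confinement layers discussed in this message (privileged mode, AppArmor, capabilities, seccomp, lxc.mount.auto) a container's configuration relaxes, so that such a test setup can be reviewed before it is reused elsewhere. The function names and the sample configuration are constructed for illustration.

```python
def parse_raw_lxc(text):
    """Split raw.lxc text into (key, value) pairs; a key may appear more than once."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        pairs.append((key.strip(), value.strip().strip("'\"")))
    return pairs


def audit(config):
    """Return the sorted list of confinement layers this config relaxes."""
    findings = set()
    # Spellings this example treats as true for an LXD boolean key (assumption).
    if config.get("security.privileged", "").lower() in ("true", "1", "yes", "on"):
        findings.add("privileged: container root maps to host root")
    for key, value in parse_raw_lxc(config.get("raw.lxc", "")):
        if key == "lxc.apparmor.profile" and value == "unconfined":
            findings.add("apparmor: unconfined")
        elif key in ("lxc.cap.keep", "lxc.cap.drop"):
            findings.add("capabilities: default set overridden by " + key)
        elif key == "lxc.seccomp.profile":
            findings.add("seccomp: default policy replaced")
        elif key == "lxc.mount.auto":
            for token in value.split():
                if token in ("proc:rw", "sys:rw"):
                    findings.add("mounts: /" + token.split(":")[0] + " writable")
    return sorted(findings)


# Constructed sample mirroring the settings described in the post.
SAMPLE = {
    "security.privileged": "true",
    "raw.lxc": "lxc.cap.keep = ''\n"
               "lxc.apparmor.profile = unconfined\n"
               "lxc.mount.auto = proc:rw sys:rw\n",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("RELAXED", finding)
```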