[lxc-users] Running unprotected system container
Fajar A. Nugraha
list at fajar.net
Sat Jun 13 04:53:58 UTC 2020
On Sat, Jun 13, 2020 at 9:41 AM Koehler, Yannick
<yannick.koehler at hpe.com> wrote:
>
> Hi,
>
> I am in a situation where we desire to run our old OS environment inside Ubuntu Core. So far we have identified LXD as being a candidate to enable us to run our past Linux OS environment within the new one.
>
> At this time our goal is to apply the least amount of modification to our existing OS in order to test and validate such an approach.
>
> I, therefore, need to run an LXC container with pretty much zero security, as to allow the old OS to load kernel modules, access /proc, /sys, etc.
> Yet, when I tried to disable seccomp using lxc.seccomp.profile = none, I obtained an error as the profile 'none' was not found by the seccomp profile reader. I am wondering if this is a problem with lxc itself or with UbuntuCore not providing a definition of what a seccomp "none" profile would be.
Start from https://discuss.linuxcontainers.org/t/lxd-raw-lxc-lxc-net-i-script-up/1131/4
Then create something like
/var/snap/lxd/common/lxd/extra/unrestricted.conf
------------------------------------------------
lxc.cap.drop =
lxc.apparmor.profile = unconfined
lxc.mount.auto = proc:rw sys:rw cgroup-full:rw
lxc.cgroup.devices.allow = c *:* rwm
lxc.cgroup.devices.allow = b *:* rwm
lxc.seccomp.profile = /var/snap/lxd/common/lxd/extra/unrestricted-seccomp.conf
/var/snap/lxd/common/lxd/extra/unrestricted-seccomp.conf
--------------------------------------------------------
2
blacklist
# v2 allows comments after the second line, with '#' in first column,
# blacklist will allow syscalls by default
Then put it on your lxd config
config:
raw.lxc: lxc.include=/var/snap/lxd/common/lxd/extra/unrestricted.conf
Totally unsupported, you're on your own if something bad happens, etc.
I was able to run mknod, "losetup -a", mount, and modprobe from my
container, running lxd from snap under ubuntu 20.04 host (might be
relevant for you since ubuntu core also uses lxd from snap)
--
Fajar
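An added check to go with the recipe above (this is not code from the original post, from LXD or from LXC): once a container is started with an include like unrestricted.conf, the quickest way to confirm that seccomp, AppArmor and the capability bounding set really were switched off is to read the kernel's own view of the process from inside the container. The same script, run against a container that should be confined, tells a defender when a guest is far more open than intended. The function names are mine; the `/proc/<pid>/status` excerpts and the AppArmor label in the sample data are constructed, not captured from a real host. For a live process the three inputs are `/proc/self/status`, `/proc/self/attr/current` and `/proc/sys/kernel/cap_last_cap`.

```shell
#!/bin/sh
# Added example, not part of the original post: summarize how confined a
# process is from the kernel's own records, so you can verify that a
# container launched with unrestricted.conf is really unconfined (or that a
# production container is not).
#
# Live use, from inside the container:
#   confinement_report "$(cat /proc/self/status)" \
#                      "$(cat /proc/self/attr/current)" \
#                      "$(cat /proc/sys/kernel/cap_last_cap)"

# seccomp_mode STATUS_TEXT -> 0 (disabled), 1 (strict) or 2 (filter)
seccomp_mode() {
    printf '%s\n' "$1" | awk '/^Seccomp:/ { print $2; exit }'
}

# cap_bnd STATUS_TEXT -> bounding-set mask as the kernel prints it (hex)
cap_bnd() {
    printf '%s\n' "$1" | awk '/^CapBnd:/ { print tolower($2); exit }'
}

# popcount_hex HEXMASK -> number of set bits (pure awk, no bc needed)
popcount_hex() {
    printf '%s\n' "$1" | awk '{
        n = 0
        for (i = 1; i <= length($0); i++) {
            c = index("0123456789abcdef", tolower(substr($0, i, 1))) - 1
            while (c > 0) { n += c % 2; c = int(c / 2) }
        }
        print n
    }'
}

# dropped_caps STATUS_TEXT LAST_CAP -> capabilities missing from the bounding
# set, given the kernel's highest capability number (cap_last_cap)
dropped_caps() {
    echo $(( $2 + 1 - $(popcount_hex "$(cap_bnd "$1")") ))
}

# apparmor_unconfined LABEL -> true when /proc/self/attr/current says "unconfined"
apparmor_unconfined() {
    [ "$1" = "unconfined" ]
}

# is_unconfined STATUS_TEXT LABEL LAST_CAP -> true only when there is no
# seccomp filter, no AppArmor profile and no capability has been dropped,
# i.e. exactly what lxc.cap.drop= / unconfined / blacklist-with-no-rules gives
is_unconfined() {
    [ "$(seccomp_mode "$1")" = 0 ] &&
    apparmor_unconfined "$2" &&
    [ "$(dropped_caps "$1" "$3")" = 0 ]
}

# confinement_report STATUS_TEXT LABEL LAST_CAP -> human-readable summary
confinement_report() {
    printf 'seccomp mode : %s\n' "$(seccomp_mode "$1")"
    printf 'apparmor     : %s\n' "$2"
    printf 'caps dropped : %s\n' "$(dropped_caps "$1" "$3")"
    if is_unconfined "$1" "$2" "$3"; then
        echo 'verdict      : UNCONFINED'
    else
        echo 'verdict      : confined'
    fi
}

# Constructed sample inputs in /proc/<pid>/status format (not captured from a
# real host). 0x1ffffffffff has bits 0..40 set: the full bounding set on a
# kernel whose cap_last_cap is 40.
UNCONFINED_STATUS=$(printf 'Name:\tbash\nSeccomp:\t0\nCapBnd:\t000001ffffffffff\n')

# Constructed confined sample: seccomp filter active, five capability bits
# (16, 17, 25, 32, 33) cleared from the same full mask.
CONFINED_STATUS=$(printf 'Name:\tbash\nSeccomp:\t2\nCapBnd:\t000001fcfdfcffff\n')

# Constructed AppArmor label in the shape LXD uses for snap-installed hosts.
CONFINED_LABEL='lxd-c1_</var/snap/lxd/common/lxd> (enforce)'

confinement_report "$UNCONFINED_STATUS" "unconfined" 40
echo
confinement_report "$CONFINED_STATUS" "$CONFINED_LABEL" 40
```

Reading `/proc/self/status` rather than trusting the container config is the point: `lxc.seccomp.profile` pointing at a file that fails to parse, or an AppArmor profile that never loaded, both leave the config looking right while the kernel still enforces (or no longer enforces) something else.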