[lxc-users] Running unprotected system container
Koehler, Yannick
yannick.koehler at hpe.com
Mon Jun 15 12:41:20 UTC 2020
First, thanks for the detailed and fast response, very appreciated.
As indicated, the code that will run inside that container is our previous OS and if it does bad things, well, that means it was doing so previously so not a "bigger" issue than it was before. Since if that works, we will move more towards snap we will then have a better security system (AppArmor, SecComp, better app separation, etc) in place to remove trust for each app and get rid eventually of that container which purpose as indicated is to ease the transition and get some of the features we want from Ubuntu Core in an early release, if we do get this to work.
--
Yannick Koehler
________________________________
From: lxc-users <lxc-users-bounces at lists.linuxcontainers.org> on behalf of Fajar A. Nugraha <list at fajar.net>
Sent: June 13, 2020 12:53 AM
To: LXC users mailing-list <lxc-users at lists.linuxcontainers.org>
Subject: Re: [lxc-users] Running unprotected system container
On Sat, Jun 13, 2020 at 9:41 AM Koehler, Yannick
<yannick.koehler at hpe.com> wrote:
>
> Hi,
>
> I am in a situation where we desire to run our old OS environment inside Ubuntu Core. So far we have identified LXD as being a candidate to enable us to run our past Linux OS environment within the new one.
>
> At this time our goal is to apply the least amount of modification to our existing OS in order to test and validate such an approach.
>
> I, therefore, need to run an LXC container with pretty much zero security, as to allow the old OS to loads kernel modules, access /proc, /sys, etc.
> Yet, when I tried to disable seccomp using lxc.seccomp.profile = none, I obtained an error as the profile 'none' was not found by the seccomp profile reader. I am wondering if this is a problem with lxc itself or with UbuntuCore not providing a definition of what a seccomp "none" profile would be.
Start from https://discuss.linuxcontainers.org/t/lxd-raw-lxc-lxc-net-i-script-up/1131/4
Then create something like
/var/snap/lxd/common/lxd/extra/unrestricted.conf
------------------------------------------------
lxc.cap.drop =
lxc.apparmor.profile = unconfined
lxc.mount.auto = proc:rw sys:rw cgroup-full:rw
lxc.cgroup.devices.allow = c *:* rwm
lxc.cgroup.devices.allow = b *:* rwm
lxc.seccomp.profile = /var/snap/lxd/common/lxd/extra/unrestricted-seccomp.conf
/var/snap/lxd/common/lxd/extra/unrestricted-seccomp.conf
--------------------------------------------------------
2
blacklist
# v2 allows comments after the second line, with '#' in first column,
# blacklist will allow syscalls by default
Then put it on your lxd config
config:
raw.lxc: lxc.include=/var/snap/lxd/common/lxd/extra/unrestricted.conf
Totally unsupported, you're on your own if something bad happens, etc.
I was able to run mknod, "losetup -a", mount, and modprobe from my
container, running lxd from snap under ubuntu 20.04 host (might be
relevant for you since ubuntu core also uses lxd from snap)
--
Fajar
_______________________________________________
lxc-users mailing list
lxc-users at lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20200615/47c53250/attachment.htm>
More information about the lxc-users
mailing list