[lxc-users] Running unprotected system container

Saint Michael venefax at gmail.com
Mon Jun 15 12:58:06 UTC 2020


I have the same issue with plain LXC. Can somebody please post a container
config that would have the same rights as the host?
I actually move around my app in a container, the host is immaterial. It
used to work fine until I upgraded Ubuntu to 20.04, since then I get
permission denied on a fifo located in /tmp.
I need to load kernel modules, etc. It has to be on equal footing with the
host.


On Mon, Jun 15, 2020 at 8:41 AM Koehler, Yannick <yannick.koehler at hpe.com>
wrote:

> First, thanks for the detailed and fast response, very appreciated.
>
> As indicated, the code that will run inside that container is our previous
> OS and if it does bad things, well, that means it was doing so previously
> so not a "bigger" issue than it was before.  Since if that works, we will
> move more towards snap we will then have a better security system
> (AppArmor, SecComp, better app separation, etc) in place to remove trust
> for each app and get rid eventually of that container which purpose as
> indicated is to ease the transition and get some of the features we want
> from Ubuntu Core in an early release, if we do get this to work.
>
> --
> Yannick Koehler
> ------------------------------
> *From:* lxc-users <lxc-users-bounces at lists.linuxcontainers.org> on behalf
> of Fajar A. Nugraha <list at fajar.net>
> *Sent:* June 13, 2020 12:53 AM
> *To:* LXC users mailing-list <lxc-users at lists.linuxcontainers.org>
> *Subject:* Re: [lxc-users] Running unprotected system container
>
> On Sat, Jun 13, 2020 at 9:41 AM Koehler, Yannick
> <yannick.koehler at hpe.com> wrote:
> >
> > Hi,
> >
> > I am in a situation where we desire to run our old OS environment inside
> Ubuntu Core.  So far we have identified LXD as being a candidate to enable
> us to run our past Linux OS environment within the new one.
> >
> > At this time our goal is to apply the least amount of modification to
> our existing OS in order to test and validate such an approach.
> >
> > I, therefore, need to run an LXC container with pretty much zero
> security, as to allow the old OS to load kernel modules, access /proc,
> /sys, etc.
>
>
> > Yet, when I tried to disable seccomp using lxc.seccomp.profile = none, I
> obtained an error as the profile 'none' was not found by the seccomp
> profile reader.  I am wondering if this is a problem with lxc itself or
> with UbuntuCore not providing a definition of what a seccomp "none" profile
> would be.
>
> Start from
> https://discuss.linuxcontainers.org/t/lxd-raw-lxc-lxc-net-i-script-up/1131/4
>
> Then create something like
>
> /var/snap/lxd/common/lxd/extra/unrestricted.conf
> ------------------------------------------------
> lxc.cap.drop =
> lxc.apparmor.profile = unconfined
> lxc.mount.auto = proc:rw sys:rw cgroup-full:rw
> lxc.cgroup.devices.allow = c *:* rwm
> lxc.cgroup.devices.allow = b *:* rwm
> lxc.seccomp.profile = /var/snap/lxd/common/lxd/extra/unrestricted-seccomp.conf
>
>
> /var/snap/lxd/common/lxd/extra/unrestricted-seccomp.conf
> --------------------------------------------------------
> 2
> blacklist
> # v2 allows comments after the second line, with '#' in first column,
> # blacklist will allow syscalls by default
>
>
> Then put it on your lxd config
> config:
>   raw.lxc: lxc.include=/var/snap/lxd/common/lxd/extra/unrestricted.conf
>
>
> Totally unsupported, you're on your own if something bad happens, etc.
> I was able to run mknod, "losetup -a", mount, and modprobe from my
> container, running lxd from snap under ubuntu 20.04 host (might be
> relevant for you since ubuntu core also uses lxd from snap)
>
> --
> Fajar
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users
>
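An added defender-side check, not code from anyone in this thread: it parses an LXC config of the kind shown in unrestricted.conf above, plus the v2 seccomp profile it points at, and reports every setting that removes isolation (empty lxc.cap.drop, unconfined AppArmor, rw proc/sys/cgroup mounts, wildcard device allows, a default-allow or absent seccomp profile). The config text and profile path are constructed sample strings; nothing is read from disk.

```python
# Added example (not from the thread): audit an LXC config and its seccomp
# profile for the isolation-removing settings shown in unrestricted.conf.
# Sample inputs are constructed strings; no files or real paths are read.
SECCOMP_PATH = "/var/snap/lxd/common/lxd/extra/unrestricted-seccomp.conf"

UNRESTRICTED_CONF = f"""
lxc.cap.drop =
lxc.apparmor.profile = unconfined
lxc.mount.auto = proc:rw sys:rw cgroup-full:rw
lxc.cgroup.devices.allow = c *:* rwm
lxc.cgroup.devices.allow = b *:* rwm
lxc.seccomp.profile = {SECCOMP_PATH}
"""
# Constructed copy of the v2 profile from the thread: version, default policy.
UNRESTRICTED_SECCOMP = "2\nblacklist\n# allow by default\n"

def parse_lxc_config(text):
    """Yield (key, value) pairs; repeated keys (devices.allow) are kept."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            yield key.strip(), value.strip()

def seccomp_default_policy(profile_text):
    """LXC v2 seccomp profile: line 1 is the version, line 2 the default policy."""
    lines = [l.strip() for l in profile_text.splitlines() if l.strip()]
    return lines[1].lower() if len(lines) >= 2 and lines[0] == "2" else None

def audit_lxc_config(text, seccomp_profiles):
    """Return sorted findings; seccomp_profiles maps profile path -> content."""
    findings = []
    for key, value in parse_lxc_config(text):
        if key == "lxc.cap.drop" and value == "":
            findings.append("no capabilities dropped (lxc.cap.drop is empty)")
        elif key == "lxc.apparmor.profile" and value == "unconfined":
            findings.append("AppArmor disabled (profile unconfined)")
        elif key == "lxc.mount.auto":
            findings += [f"{o.split(':')[0]} mounted read-write"
                         for o in value.split() if o.endswith(":rw")]
        elif key == "lxc.cgroup.devices.allow" and value.split()[1:2] == ["*:*"]:
            findings.append(f"wildcard device access: {value}")
        elif key == "lxc.seccomp.profile":
            # Empty value clears seccomp; a blacklist/denylist profile allows
            # every syscall not explicitly listed.
            policy = seccomp_default_policy(seccomp_profiles.get(value, ""))
            if value == "" or policy in ("blacklist", "denylist"):
                findings.append(f"seccomp default-allow or disabled: {value or '(none)'}")
    return sorted(findings)
```

Running `audit_lxc_config(UNRESTRICTED_CONF, {SECCOMP_PATH: UNRESTRICTED_SECCOMP})` yields eight findings for the config above, and an empty list for a profile that drops capabilities, keeps the default AppArmor profile and mounts proc/sys as mixed/ro.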