[lxc-users] Unprivileged networking option?
Serge E. Hallyn
serge at hallyn.com
Thu Mar 5 02:20:35 UTC 2020
On Wed, Mar 04, 2020 at 11:37:32PM +0300, Andrey Repin wrote:
> Greetings, Ede Wolf!
>
> > So please let me rephrase my question: Is there any alternative to
> > standard bridging for running unprivileged lxc containers?
>
> Is there a use case for unprivileged LXC containers?
> I fail to see one, and I'm using LXC for five-or-so years. If you are using
> bare LXC, you are likely spawning new ones infrequently and each have its own
> unique purpose. If that's not true, you're better off using
> LXD/docker-swarm/etc.
https://www.youtube.com/watch?v=J34UzHo4G5w
For starters, awesome as lxd is, it doesn't qualify as fully
unprivileged containers, because the containers are *started* by root.
With lxc containers you can get very close. You need setuid-root
newuidmap and newgidmap to create userid mappings, and you currently
need a privileged lxc-user-nic to setup network.
By intercepting network connection related syscalls, you can avoid
the need for privileged lxc-user-nic.
And yeah, while I use lxd for spawning containers on remote hosts, I
use lxc on my own home server and my laptop.
More information about the lxc-users
mailing list