[lxc-users] Unprivileged networking option?

Serge E. Hallyn serge at hallyn.com
Thu Mar 5 02:20:35 UTC 2020


On Wed, Mar 04, 2020 at 11:37:32PM +0300, Andrey Repin wrote:
> Greetings, Ede Wolf!
> 
> > So please let me rephrase my question: Is there any alternative to
> > standard bridging for running unprivileged lxc containers?
> 
> Is there a use case for unprivileged LXC containers?
> I fail to see one, and I've been using LXC for five-or-so years. If you are using
> bare LXC, you are likely spawning new ones infrequently and each has its own
> unique purpose. If that's not true, you're better off using
> LXD/docker-swarm/etc.

https://www.youtube.com/watch?v=J34UzHo4G5w

For starters, awesome as lxd is, it doesn't qualify as fully
unprivileged containers, because the containers are *started* by root.
With lxc containers you can get very close.  You need setuid-root
newuidmap and newgidmap to create userid mappings, and you currently
need a privileged lxc-user-nic to set up networking.

By intercepting network connection related syscalls, you can avoid
the need for privileged lxc-user-nic.

And yeah, while I use lxd for spawning containers on remote hosts, I
use lxc on my own home server and my laptop.
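
Added example, not part of the thread above and not LXC project code: a small POSIX shell script that checks the two privileged pieces Serge names. It reports whether the setuid-root helpers (newuidmap/newgidmap, and lxc-user-nic for bridged networking) are actually setuid-root on this host, turns a user's /etc/subuid and /etc/subgid allocations into the lxc.idmap lines an unprivileged container config needs, and reads the per-user veth quota that lxc-user-nic enforces from an /etc/lxc/lxc-usernet style allow-list (format per lxc-usernet(5)). The subuid/subgid/lxc-usernet contents are constructed samples embedded in the script, and the lxc-user-nic path is an assumption that varies by distribution.

```shell
#!/bin/sh
# Added example (not from the lxc-users thread): defender-side checks for an
# unprivileged LXC host. Everything below works on embedded sample data, so it
# runs offline; only the setuid scan touches the real filesystem.

# Report whether PATH is a setuid binary owned by root.
# Prints one status line; returns 0 if setuid-root, 1 otherwise.
is_setuid_root() {
    path="$1"
    if [ ! -f "$path" ]; then
        echo "$path: missing"
        return 1
    fi
    # Third column of `ls -ld` is the owner on every POSIX ls.
    owner="$(ls -ld "$path" | awk '{print $3}')"
    if [ -u "$path" ] && [ "$owner" = "root" ]; then
        echo "$path: setuid-root"
        return 0
    fi
    echo "$path: not setuid-root"
    return 1
}

# Emit the lxc.idmap lines for USER from subuid/subgid-style text
# ("name:start:count" per line), mapping container uid/gid 0 onto the
# user's first allocated range. Args: user, subuid text, subgid text.
idmap_lines() {
    user="$1"; subuid="$2"; subgid="$3"
    printf '%s\n' "$subuid" | \
        awk -F: -v u="$user" '$1 == u { printf "lxc.idmap = u 0 %s %s\n", $2, $3; exit }'
    printf '%s\n' "$subgid" | \
        awk -F: -v u="$user" '$1 == u { printf "lxc.idmap = g 0 %s %s\n", $2, $3; exit }'
}

# Print the number of veth devices USER may attach to BRIDGE according to
# lxc-usernet style text ("user type bridge count" per line); prints nothing
# when the user has no entry, which is what lxc-user-nic rejects.
usernet_quota() {
    user="$1"; bridge="$2"; usernet="$3"
    printf '%s\n' "$usernet" | \
        awk -v u="$user" -v b="$bridge" '$1 == u && $2 == "veth" && $3 == b { print $4; exit }'
}

# Constructed sample data, stand-ins for /etc/subuid, /etc/subgid and
# /etc/lxc/lxc-usernet.
SAMPLE_SUBUID="root:100000:65536
alice:165536:65536"
SAMPLE_SUBGID="root:100000:65536
alice:165536:65536"
SAMPLE_USERNET="alice veth lxcbr0 10"

demo() {
    echo "# lxc.idmap lines for alice:"
    idmap_lines alice "$SAMPLE_SUBUID" "$SAMPLE_SUBGID"
    echo "# veth quota for alice on lxcbr0: $(usernet_quota alice lxcbr0 "$SAMPLE_USERNET")"
    echo "# setuid-root helpers on this host:"
    # The lxc-user-nic location is an assumption (Debian/Ubuntu layout).
    for bin in /usr/bin/newuidmap /usr/bin/newgidmap \
               /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic; do
        is_setuid_root "$bin" || true
    done
}

demo
```

The idmap lines go into the container's config; the quota line shows that lxc-user-nic, even though it runs setuid-root, only grants interfaces listed in lxc-usernet, so a missing entry is the usual reason an unprivileged container fails to get a bridged interface.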

