[lxc-users] Unprivileged networking option?

Fajar A. Nugraha list at fajar.net
Fri Mar 6 06:07:07 UTC 2020


On Thu, Mar 5, 2020 at 11:43 PM Ede Wolf <listac at nebelschwaden.de> wrote:
>
> Hello Andrey,
>
> thanks for getting back to me. The reason for unprivileged containers
> is basically user id separation.
>
> I fancy the idea that each container has its own id (range) and the user
> ids are not being shared between containers (and the host).
>
> So it is another level of isolation and administration - in its simplest
> form be it just using "ps" where you can tell from the user id what
> container (os) the process belongs to.

While you mentioned plain lxc instead of lxd earlier, lxd might be
more suitable for your needs.

Does https://stgraber.org/2017/06/15/custom-user-mappings-in-lxd-containers/
fit the bill?
Look for "isolated"

>
>
> More into classical os level virtualisation (jails, openvz) than what
> is usually associated these days with the term "container".
> So there is no respawning, no stacked images, no orchestration, but a
> proper (albeit minimal) os installation. Without the overhead of a
> hypervisor.
>
> So lxc pretty much is the right tool. Would just be great if one could
> use level3 ip-vlan for easier filtering.

https://discuss.linuxcontainers.org/t/lxc-3-2-1-has-been-released/5322
Look for "ipvlan".

You could also use nested lxd, so (for example) each user has access
to their own lxd container, with isolated idmap. Inside each
container, they can create and manage their own containers.

-- 
Fajar
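Added example, not code from the thread or from the lxc/lxd projects: a small POSIX shell script that hands each container its own non-overlapping uid/gid block out of the range delegated in /etc/subuid (the per-container id separation Ede asks for), refuses a block the owning user is not allowed to map, and emits the lxc.container.conf lines for that block together with an L3 ipvlan interface. The host user "lxc", the 65536-id block size, the eth0 parent, the 10.0.3.x addresses and SAMPLE_SUBUID are all assumptions or constructed sample data.

```shell
#!/bin/sh
# Added example, not code from the thread. Assigns each container its own
# non-overlapping uid/gid range out of the host's /etc/subuid allocation and
# emits the lxc.container.conf lines for that range plus an L3 ipvlan NIC.
# Assumptions: containers are owned by host user "lxc", each gets 65536 ids,
# and SAMPLE_SUBUID is constructed sample data standing in for /etc/subuid.

SAMPLE_SUBUID="lxc:100000:262144
alice:362144:65536"
OWNER=lxc; START=100000; SIZE=65536

# range_fits USER BASE SIZE SUBUID_TEXT
# Succeeds only if [BASE, BASE+SIZE) lies inside one subuid entry of USER,
# i.e. the kernel will actually let USER map that range.
range_fits() {
    printf '%s\n' "$4" | (
        while IFS=: read -r u start count; do
            [ "$u" = "$1" ] || continue
            if [ "$2" -ge "$start" ] && [ $(($2 + $3)) -le $((start + count)) ]; then
                exit 0
            fi
        done
        exit 1
    )
}

# container_base INDEX -> first host uid of the INDEX-th container (0-based)
container_base() { echo $((START + $1 * SIZE)); }

# lxc_conf NAME BASE PARENT ADDR -> config lines for container NAME
lxc_conf() {
    cat <<EOF
# $1: ids 0..$((SIZE - 1)) in the container map to $2..$(($2 + SIZE - 1)) on the host
lxc.idmap = u 0 $2 $SIZE
lxc.idmap = g 0 $2 $SIZE
lxc.net.0.type = ipvlan
lxc.net.0.ipvlan.mode = l3
lxc.net.0.link = $3
lxc.net.0.ipv4.address = $4
lxc.net.0.flags = up
EOF
}

# plan_container NAME INDEX: print the config, or fail if the owner cannot map the range
plan_container() {
    base=$(container_base "$2")
    if ! range_fits "$OWNER" "$base" "$SIZE" "$SAMPLE_SUBUID"; then
        echo "$1: $base..$((base + SIZE - 1)) not delegated to $OWNER in /etc/subuid" >&2
        return 1
    fi
    lxc_conf "$1" "$base" eth0 "10.0.3.$((10 + $2))/32"
}
```

`plan_container c0 0` prints the lines to append to that container's config; `plan_container c4 4` fails, because the fifth block would spill past the 262144 ids delegated to "lxc" into alice's allocation.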

