Unprivileged containers are the safest containers.
Those use a map of uid and gid to allocate a range of uids and gids to a container.
That means that uid 0 (root) in the container is actually something like uid 100000
outside the container. So should something go very wrong and an attacker manages
to escape the container, they'll find themselves with about as many rights as a nobody user.
Unfortunately this also means that the following common operations aren't allowed:
Because of that, most distribution templates simply won't work with unprivileged containers.
Instead you should use the "download" template which will provide you with pre-built images
of the distributions that are known to work in such an environment.
Now, everything below assumes a recent Ubuntu system or another Linux distribution which offers
a similar experience (recent kernel, recent version of shadow, cgmanager and default uid/gid allocation).
First of all, you need to make sure your user has a uid and gid map defined in /etc/subuid and /etc/subgid.
On Ubuntu systems, a default allocation of 65536 uids and gids is given to every new user on the system,
so you should already have one. If not, you'll have to use usermod to give yourself one.
Next up is /etc/lxc/lxc-usernet which is used to set network device quotas for unprivileged users.
By default, your user isn't allowed to create any network device on the host; to change that, add:
This means that "your-username" is allowed to create up to 10 veth devices connected to the lxcbr0 bridge.
With that done, the last step is to create an LXC configuration file.
Those values should match those found in /etc/subuid and /etc/subgid; the values above are those expected
for the first user on a standard Ubuntu system.
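As an added example (not part of the original guide or of LXC itself), the script below derives the lxc.id_map lines from a user's /etc/subuid and /etc/subgid allocation and translates a container uid into the host uid it really runs as, which makes the "root inside is uid 100000 outside" point concrete. It assumes the subuid/subgid line format user:start:count, uses the page's placeholder "your-username" and its 100000/65536 allocation, and works on constructed temporary copies of the two files so it runs offline.

```sh
#!/bin/sh
# Added example, not LXC's own tooling. Works on constructed copies of
# /etc/subuid and /etc/subgid so it can run without touching the host.

# Print "start count" for a user from a subuid/subgid-style file (user:start:count).
sub_range() {   # $1 = file, $2 = user
    awk -F: -v u="$2" '$1 == u { print $2, $3; exit }' "$1"
}

# Emit the two lxc.id_map lines the container config needs: container uid/gid 0
# starts at the allocated host id, for as many ids as were allocated.
idmap_config() {   # $1 = user, $2 = subuid file, $3 = subgid file
    set -- "$1" "$(sub_range "$2" "$1")" "$(sub_range "$3" "$1")"
    [ -n "$2" ] && [ -n "$3" ] || {
        echo "no subuid/subgid allocation for $1" >&2
        return 1
    }
    echo "lxc.id_map = u 0 $2"
    echo "lxc.id_map = g 0 $3"
}

# Translate a container uid into the host uid, given "start count" of the map.
# Ids outside the mapped range have no host identity at all (they show up as
# the overflow id, typically nobody), so reject them here.
host_uid() {   # $1 = container uid, $2 = start, $3 = count
    [ "$1" -ge 0 ] && [ "$1" -lt "$3" ] || {
        echo "uid $1 is outside the mapped range of $3 ids" >&2
        return 1
    }
    echo $(( $2 + $1 ))
}

# Constructed sample input: the allocation the guide expects for the first
# user on a standard Ubuntu system, under the page's placeholder user name.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
printf 'your-username:100000:65536\n' > "$TMP/subuid"
printf 'your-username:100000:65536\n' > "$TMP/subgid"

idmap_config your-username "$TMP/subuid" "$TMP/subgid"
host_uid 0 100000 65536       # root in the container is 100000 on the host
host_uid 65534 100000 65536   # nobody in the container is 165534 on the host
```

The emitted lines are what you would paste into the container configuration; the same two functions can be pointed at the real /etc/subuid and /etc/subgid to check that a config's ranges actually match the allocation.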
Just before you create your first container, you probably should logout and login again,
or even reboot your machine to make sure that your user is placed in the right cgroups.
(This is only required if cgmanager wasn't installed on your machine prior to you installing LXC.)
And now, create your first container with:
The download template will show you a list of distributions, versions and architectures to choose from.
A good example would be "ubuntu", "trusty" (14.04 LTS) and "i386".
A few seconds later your container will be created and you can start it with:
You can then confirm its status with either of:
And get a shell inside it with:
Stopping it can be done with:
And finally removing it with:
To run a system-wide unprivileged container (that is, an unprivileged container started by root)
you'll need to follow only a subset of the steps above.
Specifically, you need to manually allocate a uid and gid range to root in /etc/subuid and /etc/subgid.
And then set that range in /etc/lxc/default.conf using lxc.id_map entries similar to those above.
And that's it. Root doesn't need a network device quota and uses the
global configuration file, so the other steps don't apply.
Any container you create as root from that point on will be running unprivileged.
Privileged containers are containers created by root and running as root.
Depending on the Linux distribution, they may be protected by some capability dropping, apparmor profiles,
selinux context or seccomp policies but ultimately, the processes still run as root and so you should never
give access to root inside a privileged container to an untrusted party.
If you still have to create privileged containers, it's quite simple. Simply don't do any of the configuration
described above and LXC will create privileged containers.
So:
Will create a new "privileged-container" privileged container on your system using an image from the download template.
| Created: | 07.04.2017 09:05 |
| Last Changed: | 15.04.2017 05:03 |