Fajar and Andrey, I run lxc-1.0 on an embedded system and I don't have lxd on that platform (i.e. I cross-compile lxc-1.0 from scratch; no prebuilt package is available). And yes, I run the container with root privilege.

Can I have your mentioned features "use separate u/gid range for each container" and "limits which device nodes (block and char) allowed in the container" without the existence of lxd?

TC WU

2017-05-10 11:24 GMT+08:00 Fajar A. Nugraha <[email protected]>:
> On Wed, May 10, 2017 at 4:22 AM, Andrey Repin <[email protected]> wrote:
>
>> Greetings, T.C 吳天健!
>>
>> > It's said a privileged container is unsecured. For example, if a user in the
>> > container (suppose it's running a service toward the public) hacks the system
>> > with some kind of root kit.
>>
>> This is not specifically correct. The road to compromising the container is
>> rather thorny.
>> Even if the container is privileged and the container owner has root access inside
>> the container, gaining any host advantage would be hard if not impossible,
>> unless the host configuration is far from sane.
>>
>> > I am thinking of building a more secure container. The first idea is to
>> > use an unprivileged container; second is to apply cgroup to limit viewing of some
>> > sensitive /dev files. Any recommendation?
>>
>> LXD by default is "secure" in the sense that even if the container is compromised, the
>> effective UID the container user is running from has no rights on the host.
>>
>
> ... and there's also the option in lxd to use a separate u/gid range for
> each container (by default all unpriv lxd containers share the same u/gid
> range).
>
>
>> > Summary
>> > -use unprivileged container
>>
>> Right.
>>
>> > -cgroup to limit viewing of some /dev files
>>
>> Unnecessary in real-world application.
>>
>
> lxc and lxd already limit which device nodes (block and char) are allowed in
> the container.
>
> @T.C, what are your requirements/ideas that aren't already available in lxd?
>
> --
> Fajar
>
> _______________________________________________
> lxc-users mailing list
> [email protected]
> http://lists.linuxcontainers.org/listinfo/lxc-users
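Both features T.C asks about are plain lxc configuration keys and do not need LXD. The script below is an added example, not code from anyone in this thread: it emits an lxc-1.0 config fragment that gives container number N its own non-overlapping uid/gid range (so root inside is an unprivileged host id even though root starts the container) plus a devices-cgroup whitelist. `lxc.id_map` and `lxc.cgroup.devices.*` are the lxc 1.0 key names; the BASE and RANGE values, the container numbering scheme, and the helper names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Emits an lxc-1.0 config fragment for
# container number N: a private uid/gid range plus a device-node whitelist,
# for containers started by root on a host without LXD.
# lxc.id_map and lxc.cgroup.devices.* are lxc 1.0 keys; BASE, RANGE and the
# container numbering are assumptions of this example.

BASE=100000   # first host id handed out to containers (assumption)
RANGE=65536   # ids per container: uid/gid 0..65535 inside the container

# host_base N: first host uid/gid of container N; ranges never overlap
host_base() {
    echo $(( BASE + $1 * RANGE ))
}

# host_id N ID: host uid/gid that container-N id ID shows up as, e.g. when
# reading 'ls -n' output on the host; prints -1 if ID is outside the map
host_id() {
    if [ "$2" -lt 0 ] || [ "$2" -ge "$RANGE" ]; then echo -1; return; fi
    echo $(( $(host_base "$1") + $2 ))
}

# emit_config N: print the config fragment for container N on stdout
emit_config() {
    base=$(host_base "$1")
    cat <<EOF
# container $1: root inside maps to host uid/gid $base, not host root.
# The rootfs must be chowned into this range before the first start.
lxc.id_map = u 0 $base $RANGE
lxc.id_map = g 0 $base $RANGE

# devices cgroup: deny every node, then re-allow the few a service needs.
# This controls open/mknod of nodes; it does not hide entries under /dev.
# null, zero, full, random, urandom, tty, console, ptmx, pts
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
lxc.cgroup.devices.allow = c 1:7 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:2 rwm
lxc.cgroup.devices.allow = c 136:* rwm
EOF
}

# usage: sh idmap.sh N >> /var/lib/lxc/<name>/config   (path is an assumption)
if [ $# -gt 0 ]; then emit_config "$1"; fi
```

Verify the mapping after start with `cat /proc/<container init pid>/uid_map` on the host; it should show `0 <base> 65536`.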
