Dependencies:

- One of glibc, musl libc, uclib or bionic as your C library

Extra dependencies for unprivileged containers:

- libpam-cgfs, configuring your system for unprivileged CGroups operation
- A recent version of shadow including newuidmap and newgidmap

Libraries for additional confinement features:

- libapparmor (to set a different apparmor profile for the container)
- libselinux (to set a different selinux context for the container)
- libseccomp (to set a seccomp policy for the container)

In most cases, you'll find recent versions of LXC available for your Linux distribution, either directly in the distribution's package repository or through some backport channel.

For your first LXC experience, we recommend you use a recent supported release, such as a recent bugfix release of LXC 4.0.

If using Ubuntu, we recommend you use Ubuntu 18.04 LTS as your container host. LXC bugfix releases are available directly in the distribution package repository shortly after release and those offer a clean (unpatched) upstream experience.

Ubuntu is also one of the few (if not only) Linux distributions to come by default with everything that's needed for safe, unprivileged LXC containers.

On such an Ubuntu system, installing LXC is as simple as:

Creating unprivileged containers as a user

Unprivileged containers are the safest containers. Those use a map of uid and gid to allocate a range of uids and gids to a container. That means that uid 0 (root) in the container is actually something like uid 100000 outside the container. So should something go very wrong and an attacker manages to escape the container, they'll find themselves with about as many rights as a nobody user.

Unfortunately this also means that the following common operations aren't allowed:

- any operation against a uid/gid outside of the mapped set

Because of that, most distribution templates simply won't work with those. Instead you should use the "download" template which will provide you with pre-built images of the distributions that are known to work in such an environment.

The following instructions assume the use of a recent Ubuntu system or an alternate Linux distribution offering a similar experience, i.e., a recent kernel and a recent version of shadow, as well as libpam-cgfs and default uid/gid allocation.

First of all, you need to make sure your user has a uid and gid map defined in /etc/subuid and /etc/subgid.

On Ubuntu systems, a default allocation of 65536 uids and gids is given to every new user on the system, so you should already have one. If not, you'll have to use usermod to give yourself one.

Next up is /etc/lxc/lxc-usernet which is used to set network devices quota for unprivileged users. By default, your user isn't allowed to create any network device on the host; to change that, add:

Creating unprivileged containers as root

To run a system-wide unprivileged container (that is, an unprivileged container started by root) you'll need to follow only a subset of the steps above. Specifically, you need to manually allocate a uid and gid range to root in /etc/subuid and /etc/subgid, and then set that range in /etc/lxc/nf using lxc.idmap entries similar to those above.

And that's it. Any container you create as root from that point on will be running unprivileged. Root doesn't need network devices quota and uses the global configuration file, so the other steps don't apply.

Privileged containers are containers created by root and running as root. Depending on the Linux distribution, they may be protected by some capability dropping, apparmor profiles, selinux context or seccomp policies, but ultimately the processes still run as root and so you should never give access to root inside a privileged container to an untrusted party.

If you still have to create privileged containers, it's quite simple. Simply don't do any of the configuration described above and LXC will create privileged containers.
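The uid/gid mapping and lxc-usernet quota described under "Creating unprivileged containers as a user", worked through as an added example that is not part of the LXC documentation: the POSIX shell functions below read a user's range from /etc/subuid-style data, turn it into lxc.idmap entries, resolve a container uid to its host uid (refusing ids outside the mapped set), and read the veth quota from an lxc-usernet line. The /etc/subuid and lxc-usernet contents are constructed sample data embedded inline, and the example assumes the subgid range equals the subuid range.

```shell
#!/bin/sh
# Added example (not from the LXC documentation). The /etc/subuid and
# lxc-usernet contents below are constructed sample data, not read from the host.
SAMPLE_SUBUID="root:100000:65536
alice:165536:65536"
SAMPLE_USERNET="alice veth lxcbr0 10"

# subuid_range USER DATA -> prints "start count" for USER; fails if no entry.
subuid_range() {
    printf '%s\n' "$2" | awk -F: -v u="$1" \
        '$1 == u { print $2, $3; found = 1 } END { exit !found }'
}

# idmap_lines USER DATA -> the lxc.idmap entries for USER's range: container
# ids 0..count-1 map to host ids start..start+count-1. Assumes the subgid
# range equals the subuid range (on a real host read /etc/subgid for the g line).
idmap_lines() {
    range=$(subuid_range "$1" "$2") || return 1
    set -- $range
    printf 'lxc.idmap = u 0 %s %s\nlxc.idmap = g 0 %s %s\n' "$1" "$2" "$1" "$2"
}

# host_uid CONTAINER_UID START COUNT -> the host uid a container uid lands on.
# Ids outside the mapped set fail: inside the container they appear as the
# overflow uid (65534, "nobody") and cannot be chowned to, which is why most
# distribution templates break in unprivileged containers.
host_uid() {
    [ "$1" -ge 0 ] && [ "$1" -lt "$3" ] || return 1
    echo $(( $2 + $1 ))
}

# usernet_quota USER TYPE BRIDGE DATA -> number of devices USER may create on
# BRIDGE according to lxc-usernet lines (0 when no line grants any).
usernet_quota() {
    printf '%s\n' "$4" | awk -v u="$1" -v t="$2" -v b="$3" \
        '$1 == u && $2 == t && $3 == b { n = $4 } END { print n + 0 }'
}

# Demonstration: root inside alice's container is uid 165536 on the host.
idmap_lines alice "$SAMPLE_SUBUID"
host_uid 0 165536 65536
host_uid 70000 165536 65536 || echo "uid 70000 is outside alice's mapped set"
echo "alice may create $(usernet_quota alice veth lxcbr0 "$SAMPLE_USERNET") veth devices on lxcbr0"
```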