Hi all,

There are going to be excellent talks at ContainerCon[1] this week, but I don't know if the talks are going to be streamed later.

For user namespaces, I follow this tutorial[2], which explains pretty well how user namespaces work. Also check user_namespaces(7) and capabilities(7); there you'll find pretty much how Linux capabilities are used in conjunction with user namespaces to get superuser inside the container even though it was created as a normal user on the host. Finally, in lxd/specs/userns-idmap[3] you'll find many cases where user namespaces can save your life if things go really wrong.

If you want a simple solution for unprivileged containers, you should check LXD, which is really awesome, but it's still in heavy development.

[1] http://events.linuxfoundation.org/events/containercon/program/schedule
[2] https://www.youtube.com/watch?v=kKCdPouT-dQ
[3] https://github.com/lxc/lxd/blob/master/specs/userns-idmap.md

Greetings,

2015-08-17 3:17 GMT-05:00 Narcis Garcia <[email protected]>:
> I've read somewhere:
> "Ubuntu is also one of the few (if not only) Linux distributions to come
> by default with everything that's needed for safe, unprivileged LXC
> containers" - and not LTS versions.
>
>
> On 17/08/15 at 06:48, Benoit GEORGELIN - Association Web4all wrote:
> > Hi lxc-users :)
> >
> > I'm currently working and playing around with LXC containers. I came
> > across "Unprivileged Containers".
> > I would like to get some feedback about this really interesting feature.
> > It's not easy to get a good tour of the technology and of the
> > maturity of this kind of container. First because I'm not technical
> > enough to understand the differences between LXC and OpenVZ (besides
> > cgroups and kernel needs), second because I'm not able to find
> > documentation, talks or papers about it.
> > I'm here to talk about it, try to merge information from you guys and
> > eventually make something public that can be shared with everyone having
> > the same questions :)
> >
> > As I'm looking at containers for shared environments, I'm more concerned
> > about security. There are a few concerns I have regarding LXC with both
> > privileged and unprivileged containers.
> >
> > - Network standpoint
> >
> > By default LXC has great network management and integration (with
> > privileged containers) but this is without any secure solution against
> > network spoofing (MAC, IP, etc.).
> > I know, maybe it's not LXC's business to manage the network like that, but
> > looking at how good the project seems to be, I'm really surprised there
> > isn't any solution that comes with LXC to integrate this kind of
> > (basic) security.
> >
> > One container => one MAC address => one or more specific IP addresses.
> >
> > Even if the goal of linuxcontainers is to be "vendor neutral", I think
> > there is something missing here to be more "user friendly" and "out of the
> > box". I think most LXC users will have more than one container to
> > deploy and it may be best to provide an easy integrated solution
> > regarding this specific aspect of networking.
> >
> > I have been using Open vSwitch (OpenFlow) to add such security but from
> > what I can tell, this is not documented and self-learning these
> > technologies takes a long time. You can see the archive here:
> > https://www.mail-archive.com/[email protected]/msg03609.html
> >
> > (?) What should the position be when you need to deploy lots of LXC
> > containers and give root access to the container?
> > The question doesn't arise with unprivileged containers; it looks like
> > there is no way to change network info, but this is not the solution if
> > you want to run privileged containers and stay safe.
> >
> > - System security standpoint
> >
> > dmesg
> > As a simple and quick test, dmesg information of the HOST is visible in the
> > unprivileged container.
> > (?) Maybe there is a technical limit about that?
> >
> > (?) What can be the best way to understand more about how unprivileged
> > containers are built and what can be done to help? Is this only about
> > cgroups? AppArmor? Both?
> > Maybe having more information about the interaction between the security parts
> > would be nice to have :)
> >
> >
> > - Maturity of the solution with unprivileged containers.
> > I know there are a lot of things going on with this kind of container. I
> > would like to know more about the perspective and the goal.
> >
> > (?) What are unprivileged containers made for?
> > (?) Is this only to prevent security issues from any process breaking out
> > of an LXC (privileged) container?
> > Or is it more to give non-root users the opportunity to execute
> > LXC containers?
> >
> > (?) Let's say it's for security purposes only, in case of a process
> > breaking out of a container: how big is the possibility that this happens,
> > from one to ten?
> >
> > Story of my first experience with an unprivileged container:
> >
> > I'm running Debian jessie to try my first unprivileged container.
> > lxc-create -n debian8 -t download -- -d debian -r jessie -a amd64
> >
> > First thing I want to do: install the sshd daemon. No problem.
> > Second thing, starting sshd after install: service sshd restart.
> > Result: [sshd] <defunct>
> > Looks like there is something weird...
> > service sshd start: Result: process running.
> > But wait, not able to connect. :/
> > I had to:
> > sed -ri 's/^session\s+required\s+pam_loginuid.so$/session optional pam_loginuid.so/' /etc/pam.d/sshd
> >
> > (?) Now I can connect, but "pam_loginuid" cannot be used at all?
> >
> > Then, what I can see: every SSHD connection failure shows a new sshd
> > <defunct> process.
> >
> > ps auxf|grep sshd|grep defunct|wc -l
> > 503
> >
> > (?) Any idea or known problem? Is it something in my configuration?
> >
> > It happens with other processes like:
> > [chef-client] <defunct>
> > [bash] <defunct>
> > [sshd] <defunct>
> >
> > I just want to understand whether those issues are definitely a
> > misconfiguration on my side or whether they can be easily explained. :(
> >
> > - init.d with unprivileged
> > (?) Maybe because I have a lack of knowledge in this area, but why is
> > there nothing starting up automatically from an unprivileged container?
> > (?) What can be used as a workaround?
> >
> >
> > Well, besides those points, I can get an unprivileged container running
> > httpd, php5, mysql :)
> > Pretty quick and easy. Templates are a very good thing to use. (thx)
> >
> > Now I'm looking forward to reading your experiences and sharing some technical
> > or unprivileged container stories!
> >
> > Cheers,
> >
> >
> > Regards,
> >
> > Benoît Georgelin
> > To help protect the environment, please print this mail only if necessary.
> >
> >
> >
> > _______________________________________________
> > lxc-users mailing list
> > [email protected]
> > http://lists.linuxcontainers.org/listinfo/lxc-users
> >
> _______________________________________________
> lxc-users mailing list
> [email protected]
> http://lists.linuxcontainers.org/listinfo/lxc-users

--
Luis M. Ibarra
_______________________________________________ lxc-users mailing list [email protected] http://lists.linuxcontainers.org/listinfo/lxc-users
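Added example (not code from the LXC or LXD projects, nor from anyone on this thread): a small C program that shows the two things the reply above points at. First, what the id map behind an unprivileged container actually does: the map "0 100000 65536" used here is a constructed sample matching the kind of single-range map an LXC 1.x config line such as `lxc.id_map = u 0 100000 65536` produces, and it is read in the same "inside outside count" format the kernel exposes in /proc/PID/uid_map. Container root is host uid 100000, and host ids outside the range (host root included) have no identity inside and show up as the kernel's overflow id 65534, "nobody". Second, the live part: the program unshares a new user namespace as a normal user and maps its own host uid to 0, which is exactly how an unprivileged container gets a "root" that the host treats as an ordinary user. The live part assumes a kernel that allows unprivileged user namespaces; where the kernel or a sandbox refuses, it reports the error and exits without the demo.

```c
/* userns_idmap_demo.c - added example, not from LXC/LXD or any poster.
 * Build and run as a normal (non-root) user:
 *   cc -Wall -o userns_idmap_demo userns_idmap_demo.c && ./userns_idmap_demo
 */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000   /* value from <linux/sched.h>, for old headers */
#endif
extern int unshare(int flags);      /* glibc prototype, in case _GNU_SOURCE came too late */

/* Kernel default overflowuid/overflowgid: an unmapped host id is shown as this
 * ("nobody") inside the namespace. */
#define OVERFLOW_ID 65534L

/* One line of /proc/PID/uid_map or gid_map: "inside outside count". */
struct idmap_entry { long inside; long outside; long count; };
struct idmap { struct idmap_entry e[16]; int n; };

/* Parse text in the /proc uid_map format. Returns number of entries, -1 on bad input. */
int idmap_parse(const char *text, struct idmap *m) {
    const char *p = text;
    m->n = 0;
    while (*p) {
        struct idmap_entry ent;
        int consumed = 0;
        if (sscanf(p, " %ld %ld %ld%n", &ent.inside, &ent.outside, &ent.count, &consumed) != 3)
            return -1;
        if (ent.inside < 0 || ent.outside < 0 || ent.count <= 0 || m->n >= 16)
            return -1;
        m->e[m->n++] = ent;
        p += consumed;
        while (*p == ' ' || *p == '\t' || *p == '\n') p++;
    }
    return m->n;
}

/* Id as seen inside the namespace -> host id. *mapped is 0 when the id has no host identity. */
long idmap_to_host(const struct idmap *m, long inside, int *mapped) {
    for (int i = 0; i < m->n; i++) {
        if (inside >= m->e[i].inside && inside < m->e[i].inside + m->e[i].count) {
            *mapped = 1;
            return m->e[i].outside + (inside - m->e[i].inside);
        }
    }
    *mapped = 0;
    return -1;
}

/* Host id -> id as seen inside. A host id outside every range becomes OVERFLOW_ID,
 * which is why a file owned by host root appears as "nobody" in an unprivileged container. */
long idmap_to_inside(const struct idmap *m, long outside) {
    for (int i = 0; i < m->n; i++) {
        if (outside >= m->e[i].outside && outside < m->e[i].outside + m->e[i].count)
            return m->e[i].inside + (outside - m->e[i].outside);
    }
    return OVERFLOW_ID;
}

static int write_file(const char *path, const char *content) {
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t len = (ssize_t)strlen(content);
    int ok = write(fd, content, (size_t)len) == len;
    close(fd);
    return ok ? 0 : -1;
}

/* Enter a new user namespace and map the caller's host uid/gid to 0 inside it.
 * Returns 0 on success, -1 (errno set) if the kernel or a sandbox refuses. */
int enter_userns_as_root(void) {
    unsigned host_uid = (unsigned)getuid(), host_gid = (unsigned)getgid();
    char buf[64];
    if (unshare(CLONE_NEWUSER) != 0) return -1;
    /* Since Linux 3.19 an unprivileged process must deny setgroups before writing gid_map;
     * on older kernels the file does not exist, so the failure is ignored on purpose. */
    write_file("/proc/self/setgroups", "deny");
    snprintf(buf, sizeof buf, "0 %u 1\n", host_uid);
    if (write_file("/proc/self/uid_map", buf) != 0) return -1;
    snprintf(buf, sizeof buf, "0 %u 1\n", host_gid);
    return write_file("/proc/self/gid_map", buf);
}

int main(void) {
    struct idmap m;
    int mapped;
    /* Constructed sample map: the single range a typical LXC 1.x unprivileged config produces. */
    idmap_parse("0 100000 65536\n", &m);
    printf("container root (0)   -> host uid %ld\n", idmap_to_host(&m, 0, &mapped));
    printf("container uid 1000   -> host uid %ld\n", idmap_to_host(&m, 1000, &mapped));
    printf("host root (0)        -> seen inside as uid %ld (nobody)\n", idmap_to_inside(&m, 0));

    if (enter_userns_as_root() == 0) {
        printf("new user namespace: uid=%u gid=%u inside, but the host still sees your normal uid\n",
               (unsigned)getuid(), (unsigned)getgid());
        return 0;
    }
    printf("could not create an unprivileged user namespace: %s\n", strerror(errno));
    return 1;
}
```

Run it once as a normal user and then `cat /proc/self/uid_map` from inside a shell launched the same way: the 1-entry map is the whole reason a container "root" cannot touch host files owned by real uid 0, and a multi-entry map (for example adding `1000 1000 1` to pass your own host user through) is the idmap trick the lxd userns-idmap spec describes.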
