First, thanks for the detailed and fast response, very appreciated. As indicated, the code that will run inside that container is our previous OS and if it does bad things, well, that means it was doing so previously so not a "bigger" issue than it was before. Since if that works, we will move more towards snap we will then have a better security system (AppArmor, SecComp, better app separation, etc) in place to remove trust for each app and get rid eventually of that container which purpose as indicated is to ease the transition and get some of the features we want from Ubuntu Core in an early release, if we do get this to work.
-- Yannick Koehler ________________________________ From: lxc-users <lxc-users-boun...@lists.linuxcontainers.org> on behalf of Fajar A. Nugraha <l...@fajar.net> Sent: June 13, 2020 12:53 AM To: LXC users mailing-list <lxc-users@lists.linuxcontainers.org> Subject: Re: [lxc-users] Running unprotected system container On Sat, Jun 13, 2020 at 9:41 AM Koehler, Yannick <yannick.koeh...@hpe.com> wrote: > > Hi, > > I am in a situation where we desire to run our old OS environment inside > Ubuntu Core. So far we have identified LXD as being a candidate to enable us > to run our past Linux OS environment within the new one. > > At this time our goal is to apply the least amount of modification to our > existing OS in order to test and validate such an approach. > > I, therefore, need to run an LXC container with pretty much zero security, as > to allow the old OS to loads kernel modules, access /proc, /sys, etc. > Yet, when I tried to disable seccomp using lxc.seccomp.profile = none, I > obtained an error as the profile 'none' was not found by the seccomp profile > reader. I am wondering if this is a problem with lxc itself or with > UbuntuCore not providing a definition of what a seccomp "none" profile would > be. Start from https://discuss.linuxcontainers.org/t/lxd-raw-lxc-lxc-net-i-script-up/1131/4 Then create something like /var/snap/lxd/common/lxd/extra/unrestricted.conf ------------------------------------------------ lxc.cap.drop = lxc.apparmor.profile = unconfined lxc.mount.auto = proc:rw sys:rw cgroup-full:rw lxc.cgroup.devices.allow = c *:* rwm lxc.cgroup.devices.allow = b *:* rwm lxc.seccomp.profile = /var/snap/lxd/common/lxd/extra/unrestricted-seccomp.conf /var/snap/lxd/common/lxd/extra/unrestricted-seccomp.conf -------------------------------------------------------- 2 blacklist # v2 allows comments after the second line, with '#' in first column, # blacklist will allow syscalls by default Then put it on your lxd config config: raw.lxc: lxc.include=/var/snap/lxd/common/lxd/extra/unrestricted.conf Totally unsupported, you're on your own if something bad happens, etc. I was able to run mknod, "losetup -a", mount, and modprobe from my container, running lxd from snap under ubuntu 20.04 host (might be relevant for you since ubuntu core also uses lxd from snap) -- Fajar _______________________________________________ lxc-users mailing list lxc-users@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-users
_______________________________________________ lxc-users mailing list lxc-users@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-users