Hi, I currently use unprivileged LXC containers on Debian Buster, started as root. I use a separate set of uid/gids for every container.

If I start the container as root, lxc-monitor is run by root on the host. Init is on uid 100000 (seen from the host). If I start it as a regular user, lxc-monitor is run by uid 1000 and init in the container is at 101000 (seen from the host). The containers are apache, postgres and postfix/courier. There are no other users able to log in via ssh. postgres is just the backend for the other containers. lxc-ls shows:

    lxc-ls --fancy
    NAME      STATE    AUTOSTART  GROUPS  IPV4             IPV6  UNPRIVILEGED
    mail      RUNNING  1          -       192.xxx.xxx.xxx  -     true
    postgres  RUNNING  1          -       192.xxx.xxx.xxx  -     true
    www       RUNNING  1          -       192.xxx.xxx.xxx  -     true

Debian Buster uses LXC 3.1.0.

Is any security gained in this setup if the containers are started as a separate user, different from root, on the host? I would prefer to start them as root from /var/lib/lxc, as a simple lxc.auto.start = 1 lets them be started at system boot.

Greetings
Georg

_______________________________________________
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users
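The numbers in the post (container init at host uid 100000 when started as root, 101000 when started as uid 1000) are what the user-namespace id map produces: a container id is translated through the `lxc.idmap` ranges (equivalently, `/proc/<pid>/uid_map` on the host) and anything outside the map shows up as the kernel overflow id. The block below is an added example, not code from the post or from LXC: it translates ids through such a map in both directions, and checks the property the post relies on, namely that the containers' host-side ranges are disjoint. The config lines and ranges in it are constructed to mirror the post's numbers; the per-container ranges for www, postgres and mail are assumed values, not the poster's configuration.

```python
"""Translate container ids through a user-namespace map and check that
containers do not share host-side id ranges.

Added example, not code from the lxc-users post or from LXC itself. The
config lines below are constructed to reproduce the post's observations
(container uid 0 on host uid 100000 or 101000); the per-container ranges
at the bottom are assumed values. Nothing is read from a live host.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

OVERFLOW_ID = 65534  # kernel overflowuid/overflowgid: what an unmapped id shows as


@dataclass(frozen=True)
class IdRange:
    inner: int  # first id inside the namespace (container view)
    outer: int  # first id outside the namespace (host view)
    count: int


def parse_lxc_idmap(lines: List[str]) -> Tuple[List[IdRange], List[IdRange]]:
    """Parse 'lxc.idmap = u 0 100000 65536' config lines into (uid, gid) ranges."""
    uids: List[IdRange] = []
    gids: List[IdRange] = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("lxc.idmap"):
            continue
        kind, inner, outer, count = line.split("=", 1)[1].split()
        rng = IdRange(int(inner), int(outer), int(count))
        (uids if kind == "u" else gids).append(rng)
    return uids, gids


def parse_proc_id_map(text: str) -> List[IdRange]:
    """Parse /proc/<pid>/uid_map or gid_map: one 'inner outer count' triple per line."""
    ranges = []
    for line in text.strip().splitlines():
        inner, outer, count = (int(f) for f in line.split())
        ranges.append(IdRange(inner, outer, count))
    return ranges


def to_host(container_id: int, ranges: List[IdRange]) -> int:
    """Container-side id -> host-side id; unmapped ids show up as OVERFLOW_ID."""
    for r in ranges:
        if r.inner <= container_id < r.inner + r.count:
            return r.outer + (container_id - r.inner)
    return OVERFLOW_ID


def to_container(host_id: int, ranges: List[IdRange]) -> Optional[int]:
    """Host-side id -> container-side id, or None if the host id is not mapped in."""
    for r in ranges:
        if r.outer <= host_id < r.outer + r.count:
            return r.inner + (host_id - r.outer)
    return None


def overlapping(maps: Dict[str, List[IdRange]]) -> List[Tuple[str, str]]:
    """Pairs of containers whose host-side ranges intersect.

    Disjoint ranges are what make 'a separate set of uid/gids per container'
    worth anything: if two maps share host ids, root in one container owns
    files with the same host uid as some user in the other.
    """
    clashes = []
    names = sorted(maps)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if any(ra.outer < rb.outer + rb.count and rb.outer < ra.outer + ra.count
                   for ra in maps[a] for rb in maps[b]):
                clashes.append((a, b))
    return clashes


# Constructed: maps that a root-started and a user-started container could have
# had to produce the post's observations (init at host uid 100000 vs 101000).
ROOT_STARTED = ["lxc.idmap = u 0 100000 65536", "lxc.idmap = g 0 100000 65536"]
USER_STARTED = ["lxc.idmap = u 0 101000 65536", "lxc.idmap = g 0 101000 65536"]

# Constructed per-container uid maps with disjoint 65536-id blocks (assumed values).
CONTAINERS = {
    "www":      parse_lxc_idmap(["lxc.idmap = u 0 100000 65536"])[0],
    "postgres": parse_lxc_idmap(["lxc.idmap = u 0 200000 65536"])[0],
    "mail":     parse_lxc_idmap(["lxc.idmap = u 0 300000 65536"])[0],
}


def host_uid_of_init(config_lines: List[str]) -> int:
    """Host uid that the container's init (container uid 0) runs as."""
    uids, _ = parse_lxc_idmap(config_lines)
    return to_host(0, uids)


if __name__ == "__main__":
    print("root-started init on host:", host_uid_of_init(ROOT_STARTED))
    print("user-started init on host:", host_uid_of_init(USER_STARTED))
    print("clashes among constructed containers:", overlapping(CONTAINERS))
    both = {"as-root": parse_lxc_idmap(ROOT_STARTED)[0],
            "as-uid1000": parse_lxc_idmap(USER_STARTED)[0]}
    print("same container's two maps overlap:", overlapping(both))
```

On a real host the same check is run against the live processes rather than config files: feed the contents of `/proc/<pid>/uid_map` of each container's init to `parse_proc_id_map` and pass the results to `overlapping`. The last call in the `__main__` block is worth noting: the two maps the post describes for the same container (100000 and 101000) overlap almost entirely, so files created by one start are owned by ids that are mapped, to different container users, when the container is started the other way.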