Hello,
I run several containers on my server and, following the security
advices, they are unprivileged. Each container belongs to one user and I
am asking myself if this is a "good practice"...
Thus my question is if there are some differences between:
- an unprivileged container owned by root with 'lxc.id_map' in its
config file to make it unprivileged,
- a similar unprivileged container but owned by a classical user.
From the practical point of view, I have to admit that a container
owned by root is easier to handle but, from the security point of view,
is it more safe to give the unprivileged container to an user than to
root? Or is the namespace sufficient to avoid escape from an
unprivileged container that belongs to root?
What are your "good practices" in the matter? All belong to root? All
belong to one devoted user? Or, as what I do, one user for one container?
Thanks,
Xavier
_______________________________________________
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users
