On 18/06/2015 06:35, Serge Hallyn wrote:
Quoting Xavier Gendre ([email protected]):
On 15/06/2015 17:17, Serge Hallyn wrote:
Quoting Xavier Gendre ([email protected]):
Hi,
I wanted to run a container in an unprivileged container and I am
glad to have succeeded in doing it. The point is that I am not sure whether what
I did is acceptable from the security point of view or not...
Here are the steps I did:
1) create an unprivileged container (lxc.id_map, ...) called 'test'.
2) mount a tmpfs to /sys/fs/cgroup in 'test' by adding this line in
its config file:
lxc.mount.auto = cgroup:mixed
3) create a basic container called 'p1' with the download template
as root in 'test'.
4) on the host, I chown the cgroup hierarchy of 'test' to give it to
the user id mapped to id 0 in 'test' (this id is 362144 in my
example),
for T in `ls /sys/fs/cgroup`; do
chown -R 362144:362144 /sys/fs/cgroup/$T/lxc/test
done
5) successfully start the container 'p1' in 'test' :-)
I am not an expert with cgroups and I am wondering if I am letting
the devil enter my home with that...
So, what is your opinion: is it a possible security break or is it safe?
Two things to make this safer
1. only chown the actual directory /sys/fs/cgroup/$T/lxc/test and maybe
its 'tasks' and 'cgroup.procs' files. That way the container can create
sub-cgroups but cannot raise its own limits.
2. Only do this for the controllers you definitely need. Freezer and
memory for example. Then set lxc.cgroup.use in /etc/lxc/lxc.conf
(see lxc.system.conf(5)).
-serge
Hello Serge,
thank you for your advice. Indeed, chowning only the directories is
sufficient to start the nested container. I did not have to chown
'tasks' and 'cgroup.procs' in order to simply start it.
Your second point is more obscure to me... For now, I have to chown
all the controllers:
'blkio' 'cpu,cpuacct' 'cpuset' 'devices' 'freezer'
'net_cls,net_prio' 'perf_event'
When you say 'need', it applies to the container 'test' or to 'p1'
in my example?
The child one, p1. With new enough lxc you should be able to
use only freezer, setting that as lxc.cgroup.use in the
system lxc.conf.
Arf, for now, I am still working with Debian Jessie and LXC 1.0.7. I
will be able to try your suggestions when a more recent version of LXC
appears in the Debian repositories. Thus, I continue to chown my whole
list of controllers :-°
If I plan to allow quite general containers to run in
my unprivileged container, should all the controllers be chowned, or
are there some that are definitely not needed?
General containers are fine, it's only if you need the nested containers
to be more finely restricted, i.e. if you simply must be able to
allocate only a subset of test1's cpus or memory.
Ok, thanks for this example, it is clearer for me now.
Thank you for these explanations,
Xavier
_______________________________________________
lxc-users mailing list
[email protected]
http://lists.linuxcontainers.org/listinfo/lxc-users
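A script applying the narrower delegation Serge recommends (chown only the container's own cgroup directory, optionally its 'tasks' and 'cgroup.procs', for a chosen set of controllers, with no -R), written as an added example rather than code from the thread. The cgroup root, container name, controller list and uid:gid are parameters; the function names and the dry-run listing are assumptions of this example.

```shell
#!/bin/sh
# Added example: delegate only the container's own cgroup directory (and,
# optionally, its 'tasks' and 'cgroup.procs' files) to the uid mapped to
# root inside the unprivileged container, for a chosen set of controllers.
# Unlike 'chown -R', this leaves limit files such as memory.limit_in_bytes
# owned by the host root, so the nested container can create sub-cgroups
# but cannot raise its own limits. Defaults in the usage line match the
# thread (container 'test', uid 362144).

# Print the paths that would be delegated, one per line (dry run).
#   $1 cgroup root   (e.g. /sys/fs/cgroup)
#   $2 container     (e.g. test)
#   $3 controllers   (space-separated, e.g. "freezer memory")
#   $4 with_procs    ("yes" to include tasks and cgroup.procs)
nested_cgroup_paths() {
    root=$1 name=$2 controllers=$3 with_procs=$4
    for ctrl in $controllers; do
        dir="$root/$ctrl/lxc/$name"
        # A controller hierarchy without this container's cgroup is skipped,
        # never created: the hook that makes it is lxc's, not ours.
        [ -d "$dir" ] || { echo "skip: $dir not found" >&2; continue; }
        echo "$dir"
        if [ "$with_procs" = yes ]; then
            for f in tasks cgroup.procs; do
                if [ -e "$dir/$f" ]; then echo "$dir/$f"; fi
            done
        fi
    done
}

# Apply the delegation with a plain, non-recursive chown.
#   $1..$4 as above; $5 uid:gid mapped to root in the container
nested_cgroup_delegate() {
    nested_cgroup_paths "$1" "$2" "$3" "$4" | while IFS= read -r p; do
        chown "$5" "$p"
    done
}

# Usage, as root on the host:
#   nested_cgroup_delegate /sys/fs/cgroup test "freezer memory" yes 362144:362144
```

Run `nested_cgroup_paths` first to review exactly what would change hands before calling `nested_cgroup_delegate`.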