Thanks for your answer. Looks like there are good resources.

Best regards,
Benoît Georgelin

From: "Luis M. Ibarra" <[email protected]>
To: "lxc-users" <[email protected]>
Sent: Monday 17 August 2015 12:41:43
Subject: Re: [lxc-users] LXC and Unprivileged containers - purpose and status - talks

Hi all,

There are going to be excellent talks at ContainerCon[1] this week, but I don't know if the talks are going to be streamed later.

For user namespaces, I follow this tutorial[2], which explains pretty well how user namespaces work. Also, check user_namespaces(7) and capabilities(7); there you will find pretty much how Linux capabilities are used in conjunction with user namespaces to get superuser inside the container while it is created as a normal user on the host.

Finally, in lxd/specs/userns-idmap[3] you'll find many cases where user namespaces can save your life if things go really wrong.

If you want a simple solution for unprivileged containers, you should check LXD, which is really awesome, but it's still in heavy development.

[1] http://events.linuxfoundation.org/events/containercon/program/schedule
[2] https://www.youtube.com/watch?v=kKCdPouT-dQ
[3] https://github.com/lxc/lxd/blob/master/specs/userns-idmap.md

Greetings,

2015-08-17 3:17 GMT-05:00 Narcis Garcia <[email protected]>:

I've read somewhere: "Ubuntu is also one of the few (if not only) Linux distributions to come by default with everything that's needed for safe, unprivileged LXC containers" - and not LTS versions.

On 17/08/15 at 06:48, Benoit GEORGELIN - Association Web4all wrote:
> Hi lxc-users :)
>
> I'm currently working and playing around with LXC containers. I came across "Unprivileged Containers". I would like to get some feedback about this really interesting feature. It's not easy to get a good tour of the technology and of the maturity of this kind of containers. First because I'm not technical enough to understand the differences between LXC and OpenVZ (besides cgroups and kernel needs), second because I'm not able to find documentation, talks or papers about it. I'm here to talk about it, try to merge information from you guys and eventually make something public that can be shared with everyone having the same questions :)
>
> As I'm looking at containers for shared environments, I'm more concerned about security. There are a few concerns I have regarding LXC with both privileged and unprivileged containers.
>
> - Network standpoint
>
> By default LXC has great network management and integration (with privileged containers), but this is without any secure solution against network spoofing (MAC, IP, etc.). I know, maybe it's not LXC's business to manage the network like that, but looking at how good the project seems to be, I'm really surprised there isn't any solution that comes with LXC to integrate this kind of (basic) security.
>
> One container => one MAC address => one or more specific IP addresses.
>
> Even if the goal of linuxcontainers is to be "vendor neutral", I think there is something missing here to be more "user friendly" and "out of the box". I think most LXC users will have more than one container to deploy, and it may be best to provide an easy integrated solution regarding this specific aspect of networking.
>
> I have been using Open vSwitch (OpenFlow) to add such security, but from what I can tell this is not documented, and self-learning those technologies takes a long time. You can see the archive here:
> https://www.mail-archive.com/[email protected]/msg03609.html
>
> (?) What should the position be when you need to deploy lots of LXC containers and give root access to the container?
> The question doesn't arise with unprivileged containers; it looks like there is no way to change network info, but this is not the solution if you want to run privileged containers and stay safe.
>
> - System security standpoint
>
> Dmesg
> As a simple and quick test, dmesg information of the HOST is visible in the unprivileged container.
> (?) Maybe there is a technical limit about that?
>
> (?) What can be the best way to understand more about how unprivileged containers are built and what can be done to help? Is this only about cgroups? AppArmor? Both?
> Maybe having more information about the interaction between the security parts would be nice to have :)
>
> - Maturity of the solution with unprivileged containers.
> I know there are a lot of things going on with this kind of containers. I would like to know more about the perspective and the goal.
>
> (?) What are unprivileged containers made for?
> (?) Is this only to prevent security issues from any process running out of an LXC (privileged) container? Or is it more to give non-root users the opportunity to execute LXC containers?
>
> (?) Let's say it's for security purposes only, in case of a process running out of a container: how big is the possibility that this happens? From one to ten?
>
> Story of my first experience with an unprivileged container:
>
> I'm running Debian jessie to try my first unprivileged container.
> lxc-create -n debian8 -t download -- -d debian -r jessie -a amd64
>
> First thing I want to do: install the sshd daemon. No problem.
> Second thing: starting sshd after install: service sshd restart.
> Result: [sshd] <defunct>
> Looks like there is something weird...
> service sshd start: Result: process running
> But wait, not able to connect. :/
> I had to:
> sed -ri 's/^session\s+required\s+pam_loginuid\.so$/session optional pam_loginuid.so/' /etc/pam.d/sshd
>
> (?) Now I can connect, but "pam_loginuid" cannot be used at all?
>
> Then, what can I see: every SSHD connection failure shows a new sshd <defunct> process
>
> ps auxf|grep sshd|grep defunct|wc -l
> 503
>
> (?) Any idea or known problem? Is it something in my configuration?
>
> It happens with other processes like:
> [chef-client] <defunct>
> [bash] <defunct>
> [sshd] <defunct>
>
> I just want to understand whether those issues are definitively a misconfiguration on my side or whether they can be easily explained :(
>
> - init.d with unprivileged
> (?) Maybe because I have a lack of knowledge in this area, but why is there nothing starting up automatically in an unprivileged container?
> (?) What can be used as a workaround?
>
> Well, besides those points, I can get an unprivileged container running httpd, php5, mysql :)
> Pretty quick and easy. Templates are a very good thing to use. (thx)
>
> Now I'm looking forward to reading your experience and sharing some technical or unprivileged-container stories!
>
> Cheers,
>
> Best regards,
>
> Benoît Georgelin
> To help protect the environment, please print this e-mail only if necessary
>
> _______________________________________________
> lxc-users mailing list
> [email protected]
> http://lists.linuxcontainers.org/listinfo/lxc-users

--
Luis M. Ibarra
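The user-namespace ID mapping that Luis points to (user_namespaces(7) and lxd/specs/userns-idmap) is the mechanism that makes an unprivileged container "unprivileged": uid 0 inside the container is an ordinary, unprivileged uid on the host, and host ids that are not in the map (host root above all) are not reachable from inside and appear as the kernel's overflow id. The script below is an added example written for this page; it is not code from the thread, from LXC or from LXD. It assumes a constructed /etc/subuid and /etc/subgid entry `benoit:100000:65536`, the kernel default overflowuid of 65534, and the LXC 1.x/2.x config key `lxc.id_map` (renamed `lxc.idmap` in LXC 3). Several subuid lines for one user are concatenated into consecutive container id ranges; that is this example's convention, chosen to keep the mapping total and gap-free.

```python
"""Worked example of user-namespace ID mapping as used by unprivileged LXC.

Added example for this page, not code from the lxc-users thread or from
LXC/LXD.  A mapping line follows user_namespaces(7):
    <first id inside the namespace> <first id on the host> <count>
The /etc/subuid, /etc/subgid and /proc/<pid>/uid_map contents below are
constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: subuid(5)/subgid(5) lines, format user:first_id:count.
SAMPLE_SUBUID = "benoit:100000:65536\nalice:165536:65536\n"
SAMPLE_SUBGID = "benoit:100000:65536\nalice:165536:65536\n"

# Constructed sample of what /proc/<pid>/uid_map would show inside the
# container: container uid 0 is host uid 100000, for 65536 ids.
SAMPLE_UID_MAP = "         0     100000      65536\n"

# Assumed kernel.overflowuid default: what an unmapped id looks like inside.
OVERFLOW_ID = 65534


@dataclass(frozen=True)
class IdRange:
    inside: int   # first id as seen inside the namespace
    outside: int  # first id as seen on the host
    count: int

    def to_host(self, ns_id: int) -> Optional[int]:
        if self.inside <= ns_id < self.inside + self.count:
            return self.outside + (ns_id - self.inside)
        return None

    def to_ns(self, host_id: int) -> Optional[int]:
        if self.outside <= host_id < self.outside + self.count:
            return self.inside + (host_id - self.outside)
        return None


def parse_sub_ids(text: str, user: str) -> List[IdRange]:
    """Turn the subuid/subgid lines delegated to `user` into ranges that map
    the container's ids, starting at 0, onto the delegated host ranges."""
    ranges: List[IdRange] = []
    next_inside = 0
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, first, count = line.split(":")
        if name != user:
            continue
        ranges.append(IdRange(next_inside, int(first), int(count)))
        next_inside += int(count)
    return ranges


def parse_proc_id_map(text: str) -> List[IdRange]:
    """Parse /proc/<pid>/uid_map or gid_map ("inside outside count")."""
    ranges: List[IdRange] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        inside, outside, count = (int(f) for f in fields)
        ranges.append(IdRange(inside, outside, count))
    return ranges


def lxc_id_map_lines(uids: List[IdRange], gids: List[IdRange]) -> List[str]:
    """Render LXC 1.x/2.x config lines (key renamed to lxc.idmap in LXC 3)."""
    lines = [f"lxc.id_map = u {r.inside} {r.outside} {r.count}" for r in uids]
    lines += [f"lxc.id_map = g {r.inside} {r.outside} {r.count}" for r in gids]
    return lines


def ns_to_host(ranges: List[IdRange], ns_id: int) -> Optional[int]:
    """Host id that a container id really is; None if the container has no
    such id (the kernel refuses to create it: setuid/chown to it fails)."""
    for r in ranges:
        host = r.to_host(ns_id)
        if host is not None:
            return host
    return None


def host_to_ns(ranges: List[IdRange], host_id: int) -> int:
    """Host id as seen from inside the container.  Unmapped host ids, host
    root included, show up as the overflow id ("nobody"), never as uid 0."""
    for r in ranges:
        ns = r.to_ns(host_id)
        if ns is not None:
            return ns
    return OVERFLOW_ID


if __name__ == "__main__":
    uids = parse_sub_ids(SAMPLE_SUBUID, "benoit")
    gids = parse_sub_ids(SAMPLE_SUBGID, "benoit")
    print("\n".join(lxc_id_map_lines(uids, gids)))
    print("container root is host uid", ns_to_host(uids, 0))
    print("host root looks like uid", host_to_ns(uids, 0), "inside")
```

Run as a script it prints the two `lxc.id_map` lines, shows that container uid 0 is host uid 100000, and that host uid 0 is seen as 65534 from inside. The same translation applies to files: a host-root-owned file bind-mounted into the container appears owned by nobody, and `ns_to_host` returning None is exactly the case where `chown` inside the container fails with EINVAL because the target id does not exist in the map.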
