Quoting Umberto Nicoletti ([email protected]):
> Hi all,
> I am dipping my toes into LXC and I'm liking what I see so far.
>
> I have one question about privileges/security inside containers: I have
> started a container and then accessed it with:
>
> lxc exec c1 /bin/bash
>
> If I run netstat -anp it will refuse to show me process information for
> processes that I do not own (even though I appear to be root).
>
> For instance an haproxy instance listening on port 3000 appears as the
> following (haproxy is running as user haproxy):
>
> root@c1:~# netstat -anp | grep 3000
> (Not all processes could be identified, non-owned process info
> will not be shown, you would have to be root to see it all.)
> tcp        0      0 127.0.0.1:3000          0.0.0.0:*               LISTEN      -
>
> I am running the latest lxc/lxd on Ubuntu 16.04.
>
> From what I have read I understand there is some uid mapping going on but I
> was hoping someone could explain it to me or point me in the right
> direction.
If I understand your email right, you'll be interested in man 7
user_namespaces (also available at
http://manpages.ubuntu.com/manpages/xenial/en/man7/user_namespaces.7.html ).

Indeed your container root is privileged with respect to the container's
resources, but is not root on the host. /proc/self/uid_map will show how
container uids are mapped. For instance if you have

root@trusty-gui:/# cat /proc/self/uid_map
         0     100000      65536

then root (uid 0) in the container is uid 100000 on the host. It is
privileged with respect to uids mapped into the container, which are host
uids 100000-165535. The container root is not privileged against any task
not owned by one of those host uids.

-serge

_______________________________________________
lxc-users mailing list
[email protected]
http://lists.linuxcontainers.org/listinfo/lxc-users
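Added example, not part of this thread: a small Python helper that parses the uid_map format Serge describes and answers the question his reply raises, namely which host uids container root is privileged over. The haproxy uid of 108 and the second, two-range map are constructed assumptions, not values from the thread.

```python
"""Resolve uids across a user namespace using the /proc/<pid>/uid_map
format explained in the reply above. Each line reads:
<first uid inside the namespace> <first uid on the host> <count>"""
from typing import List, Optional, Tuple

UidMap = List[Tuple[int, int, int]]  # (inside_start, host_start, length)

# Constructed sample: the one-line map quoted in the reply above.
SAMPLE_UID_MAP = "         0     100000      65536\n"

def parse_uid_map(text: str) -> UidMap:
    """Parse /proc/<pid>/uid_map text (gid_map has the same layout)."""
    entries: UidMap = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        inside, host, length = (int(f) for f in fields)
        entries.append((inside, host, length))
    return entries

def inside_to_host(uid_map: UidMap, inside_uid: int) -> Optional[int]:
    """Host uid backing a container uid; None if the uid is unmapped."""
    for inside, host, length in uid_map:
        if inside <= inside_uid < inside + length:
            return host + (inside_uid - inside)
    return None

def host_to_inside(uid_map: UidMap, host_uid: int) -> Optional[int]:
    """Container-visible uid for a host uid. None means the container
    sees the kernel overflow uid (65534, 'nobody') for that owner."""
    for inside, host, length in uid_map:
        if host <= host_uid < host + length:
            return inside + (host_uid - host)
    return None

def container_root_is_privileged_over(uid_map: UidMap, owner_host_uid: int) -> bool:
    """Container root has capabilities only over tasks whose owner is a
    host uid mapped into the container's user namespace."""
    return host_to_inside(uid_map, owner_host_uid) is not None

if __name__ == "__main__":
    m = parse_uid_map(SAMPLE_UID_MAP)
    print("container root == host uid", inside_to_host(m, 0))  # 100000
    print("container haproxy (assumed uid 108) == host uid", inside_to_host(m, 108))
    print("privileged over a task owned by host root?", container_root_is_privileged_over(m, 0))
```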
