On Tue, May 3, 2016 at 6:49 PM, Serge Hallyn <[email protected]> wrote:
> Quoting Umberto Nicoletti ([email protected]):
> > Hi all,
> > I am dipping my toes into LXC and I'm liking what I see so far.
> >
> > I have one question about privileges/security inside containers: I have
> > started a container and then accessed it with:
> >
> > lxc exec c1 /bin/bash
> >
> > If I run netstat -anp it will refuse to show me process information for
> > processes that I do not own (even though I appear to be root).
> >
> > For instance an haproxy instance listening on port 3000 appears as the
> > following (haproxy is running as user haproxy):
> >
> > root@c1:~# netstat -anp | grep 3000
> > (Not all processes could be identified, non-owned process info
> > will not be shown, you would have to be root to see it all.)
> > tcp        0      0 127.0.0.1:3000          0.0.0.0:*               LISTEN      -
> >
> > I am running the latest lxc/lxd on Ubuntu 16.04.
> >
> > From what I have read I understand there is some uid mapping going on but I
> > was hoping someone could explain it to me or point me in the right
> > direction.
>
> If I understand your email right, you'll be interested in
>
> man 7 user_namespaces
>
> (also available at
> http://manpages.ubuntu.com/manpages/xenial/en/man7/user_namespaces.7.html )
>
> Indeed your container root is privileged with respect to the container's
> resources, but is not root on the host. /proc/self/uid_map will show
> how container uids are mapped. For instance if you have
>
> root@trusty-gui:/# cat /proc/self/uid_map
>          0     100000      65536
>
> then root (uid 0) in the container is uid 100000 on the host. It
> is privileged with respect to uids mapped into the container, which
> are host uids 100000-165535. The container root is not privileged
> against any task not owned by one of those host uids.

Thanks for taking the time to answer. This makes sense, still I don't understand why netstat won't show the pid and program for sockets owned by container processes like haproxy in my previous example.

haproxy has uid 106 in the container which is mapped to uid 100106 on the host so it should be among those manageable by uid 0 (in the container).

Umberto

>
> -serge
>
> _______________________________________________
> lxc-users mailing list
> [email protected]
> http://lists.linuxcontainers.org/listinfo/lxc-users
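The uid translation Serge describes (container uid 0 is host uid 100000, haproxy's container uid 106 is host uid 100106, and anything outside the mapped range is not reachable by container root) is mechanical arithmetic over the /proc/<pid>/uid_map format from user_namespaces(7). The following is an added example, not code from the thread or from LXC/LXD: it parses that format, converts uids in both directions, and reports which host uids the container's root can act on. The single-line map is the one quoted above; the multi-range map and all function names are constructed for illustration, and it generalizes to maps with several entries rather than only the one-range case in the thread.

```python
"""Translate uids between a container's user namespace and the host.

Each line of /proc/<pid>/uid_map is "<id-inside-ns> <id-outside-ns> <length>"
(see user_namespaces(7)). A uid that falls in no range is unmapped: the kernel
presents it inside the namespace as the overflow uid (65534 by default), and
the namespace's root has no privilege over tasks owned by it.
"""
from typing import List, Optional, Tuple

UidMap = List[Tuple[int, int, int]]  # (inside, outside, length)

# Constructed sample: the single-range map quoted in the thread above.
SAMPLE_UID_MAP = "         0     100000      65536\n"

# Constructed sample (not from the thread): a map with several ranges, e.g. a
# namespace that maps one host account straight through at the same uid.
MULTI_RANGE_UID_MAP = """\
         0     100000       1000
      1000       1000          1
      1001     101001      64535
"""


def parse_uid_map(text: str) -> UidMap:
    """Parse uid_map text into (inside, outside, length) triples."""
    ranges: UidMap = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        inside, outside, length = (int(f) for f in fields)
        if length <= 0:
            raise ValueError(f"non-positive length in uid_map line: {line!r}")
        ranges.append((inside, outside, length))
    return ranges


def read_uid_map(pid: str = "self") -> UidMap:
    """Read the live map of a process (Linux only; hypothetical helper)."""
    with open(f"/proc/{pid}/uid_map", encoding="ascii") as fh:
        return parse_uid_map(fh.read())


def container_to_host(uid_map: UidMap, container_uid: int) -> Optional[int]:
    """Host uid backing a container uid, or None if it is unmapped."""
    for inside, outside, length in uid_map:
        if inside <= container_uid < inside + length:
            return outside + (container_uid - inside)
    return None


def host_to_container(uid_map: UidMap, host_uid: int) -> Optional[int]:
    """Container uid for a host uid, or None if the host uid is not mapped in."""
    for inside, outside, length in uid_map:
        if outside <= host_uid < outside + length:
            return inside + (host_uid - outside)
    return None


def container_root_covers(uid_map: UidMap, host_uid: int) -> bool:
    """True if a task owned by host_uid falls under the container root's
    capabilities: only uids mapped into the namespace qualify."""
    return host_to_container(uid_map, host_uid) is not None


def mapped_host_ranges(uid_map: UidMap) -> List[Tuple[int, int]]:
    """Inclusive [first, last] host uid ranges the namespace can reach."""
    return [(outside, outside + length - 1) for _, outside, length in uid_map]


if __name__ == "__main__":
    m = parse_uid_map(SAMPLE_UID_MAP)
    print("container root  -> host uid", container_to_host(m, 0))
    print("container 106   -> host uid", container_to_host(m, 106))
    print("container 70000 -> host uid", container_to_host(m, 70000))
    print("host 100106 covered by container root:", container_root_covers(m, 100106))
    print("host   1000 covered by container root:", container_root_covers(m, 1000))
    print("reachable host uid ranges:", mapped_host_ranges(m))
```

Running it inside a container instead of on the constructed samples is a matter of calling read_uid_map() in place of parse_uid_map(SAMPLE_UID_MAP); a uid for which container_root_covers() returns False is one the container's root cannot signal, ptrace or otherwise manage, whatever its apparent privilege inside the namespace.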
