LXC unprivileged container - currently not supported

Has someone managed to get an unprivileged lxc container running or are only privileged containers possible?

Looking at the requirements it does not appear likely though

:white_check_mark: Kernel: 3.13 + a couple of staging patches
:white_check_mark: User namespaces enabled in the kernel
:white_check_mark: A very recent version of shadow that supports subuid/subgid
:white_check_mark: : Per-user cgroups on all controllers
:white_check_mark: LXC 1.0 beta2 or higher
:question: : A version of PAM with a loginuid patch

Curiously this hints at either attempts been made at upstream or it should somehow be feasible. Though I could not find that code in the TOS repo.

With the necessary package provided in the TO repo it should be feasible.

1 Like

@n8v8r Have you succeeded in this? I’ve just started looking into it and so far not very lucky. I’m on TurrisOS 4.0.1.

Currently not supported - see links for developer comment

1 Like

@cynerd This is absolutely needed. Privileged containers are a massive security risk.

Could you elaborate a bit on what would be needed to enable this?

Thanks!

I unfortunately could not as I have not look in to it and have no time right now to investigate. You are free to investigate and provide patches if you can get it to work.

I would start by creating user instead doing bootstrap as a root with correct subuid and subgid allocation according to LXC documentation. Also you have to use containers from linuxcontainers and not from us.

I would not choose these words. It has to be seen in a context. They can be considered as a high security risk on otherwise well secured user specific system like Debian but not on OpenWrt. Let me explain. OpenWrt for a long time targets market where security between applications them self is less important over external security. Add in need to run on pretty small and weak device and you have current state where everything to note runs as root. OpenWrt is just not a system you hand out ssh keys to other people to have their accounts there I think. There is a progress to improve this. If you want to help OpenWrt then there are more pressing potential security issues there I feel like. After those we can talk about security risks of running privileged container where to escape you have to have bug in LXC or in kernel which is same attack vector as in case of any other application on OWrt system and gives you same level of access to system (well that is full access). In other words not investing time to unprivileged containers is not because of my ignorance but rather because there are other issues with higher priority.