Has someone managed to get an unprivileged lxc container running or are only privileged containers possible?
Looking at the requirements it does not appear likely though:
Kernel: 3.13 + a couple of staging patches
User namespaces enabled in the kernel
A very recent version of shadow that supports subuid/subgid
Per-user cgroups on all controllers
LXC 1.0 beta2 or higher
A version of PAM with a loginuid patch
I unfortunately could not, as I have not looked into it and have no time right now to investigate. You are free to investigate and provide patches if you can get it to work.
I would start by creating a user instead of doing the bootstrap as root, with correct subuid and subgid allocation according to the LXC documentation. Also, you have to use containers from linuxcontainers and not from us.
I would not choose these words. It has to be seen in context. They can be considered a high security risk on an otherwise well-secured, user-specific system like Debian, but not on OpenWrt. Let me explain. OpenWrt has for a long time targeted a market where security between applications themselves is less important than external security. Add in the need to run on pretty small and weak devices and you have the current state where everything of note runs as root. OpenWrt is just not a system where you hand out ssh keys to other people to have their accounts there, I think. There is progress to improve this. If you want to help OpenWrt, then there are more pressing potential security issues there, I feel. After those we can talk about the security risks of running a privileged container, where to escape you have to have a bug in LXC or in the kernel, which is the same attack vector as in the case of any other application on an OWrt system and gives you the same level of access to the system (well, that is full access). In other words, not investing time in unprivileged containers is not because of my ignorance but rather because there are other issues with higher priority.
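The subuid/subgid allocation mentioned earlier in the thread can be checked before creating an unprivileged container. The script below is an added example, not code from any poster or from the OpenWrt or LXC projects: it reads shadow-style `user:start:count` files and prints the matching `lxc.id_map` lines (the LXC 1.0 key name). The users `alice` and `bob`, the sample files and the 65536-ID minimum are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: validate a user's subordinate ID allocation and emit
# the LXC 1.0 id_map lines for it.

# subid_range FILE USER: print "START COUNT" of USER's first entry; status 1 if none.
subid_range() {
    awk -F: -v u="$2" '
        $1 == u && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ { print $2, $3; found = 1; exit }
        END { exit !found }' "$1"
}

# idmap_lines USER SUBUID_FILE SUBGID_FILE [MIN_COUNT]
# status 1: no allocation, 2: range too small, 3: range includes host ID 0
idmap_lines() {
    user=$1
    min=${4:-65536}   # assumed minimum: a full 16-bit ID space per container
    urange=$(subid_range "$2" "$user") || { echo "no subuid entry for $user" >&2; return 1; }
    grange=$(subid_range "$3" "$user") || { echo "no subgid entry for $user" >&2; return 1; }
    ustart=${urange% *}; ucount=${urange#* }
    gstart=${grange% *}; gcount=${grange#* }
    if [ "$ucount" -lt "$min" ] || [ "$gcount" -lt "$min" ]; then
        echo "allocation for $user is smaller than $min IDs" >&2
        return 2
    fi
    # A range containing host ID 0 would map container root onto host root.
    if [ "$ustart" -eq 0 ] || [ "$gstart" -eq 0 ]; then
        echo "allocation for $user includes host ID 0" >&2
        return 3
    fi
    printf 'lxc.id_map = u 0 %s %s\n' "$ustart" "$ucount"
    printf 'lxc.id_map = g 0 %s %s\n' "$gstart" "$gcount"
}

# Constructed sample data standing in for /etc/subuid and /etc/subgid.
demo=$(mktemp -d)
printf 'alice:100000:65536\nbob:200000:1000\n' > "$demo/subuid"
printf 'alice:100000:65536\n' > "$demo/subgid"

idmap_lines alice "$demo/subuid" "$demo/subgid"
idmap_lines bob "$demo/subuid" "$demo/subgid" || echo "bob: not usable (status $?)"
```

On a real system, pass `/etc/subuid` and `/etc/subgid` instead of the sample files.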