Risk of privileged lxc containers and the lack of maintenance of the lxc package

lxc
security

#1

This is not meant as a scarecrow but to raise awareness, considering

  1. lxc package is outdated and currently not maintained at OpenWRT (and neither at TOS)
  2. unprivileged containers are currently not supported in TOS3.x
  3. unpatched kernel vulnerabilities [1] [2]

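A defender-side check for the first point above (privileged containers), as an added example that is not part of this thread: it inspects LXC container configs and reports which ones run without a user-namespace id mapping. It assumes the usual `<lxcpath>/<name>/config` layout; the key names are the real LXC ones (`lxc.id_map` in 1.x, `lxc.idmap` from 2.1 on), and the two sample containers are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: audit LXC container configs and flag
# the privileged ones. LXC 1.x spells the user-namespace mapping key
# "lxc.id_map"; LXC 2.1 and later renamed it "lxc.idmap". A config with
# neither key runs the container's root as the host's real root (privileged).

# Print "unprivileged" if the config maps uid/gid ranges, else "privileged".
lxc_privilege_class() {
    if grep -Eq '^[[:space:]]*lxc\.(id_map|idmap)[[:space:]]*=' "$1"; then
        echo unprivileged
    else
        echo privileged
    fi
}

# Report every container under an LXC path as "name: class", one per line.
# Assumes the <lxcpath>/<name>/config layout.
lxc_audit_dir() {
    for cfg in "$1"/*/config; do
        [ -f "$cfg" ] || continue
        echo "$(basename "$(dirname "$cfg")"): $(lxc_privilege_class "$cfg")"
    done
}

# Count the privileged containers under an LXC path (prints 0 if none).
lxc_count_privileged() {
    lxc_audit_dir "$1" | grep -c ': privileged$' || true
}

# Constructed sample layout (not a real Turris OS install): "web" has an
# id mapping, "dns" does not and would therefore be flagged.
demo=$(mktemp -d)
mkdir -p "$demo/web" "$demo/dns"
cat > "$demo/web/config" <<'EOF'
lxc.rootfs = /srv/lxc/web/rootfs
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536
EOF
cat > "$demo/dns/config" <<'EOF'
lxc.rootfs = /srv/lxc/dns/rootfs
EOF

lxc_audit_dir "$demo"
echo "privileged containers: $(lxc_count_privileged "$demo")"
```

On a router the same functions can be pointed at the live LXC path (for example `lxc_audit_dir /srv/lxc`) to see which containers lack a mapping.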


#2

While the first statement on maintenance may be true, it doesn’t mean that the latter is.


#3

I am afraid it is though, if that is what you meant by the latter.


Not much of a maybe, I am afraid.


#4

It doesn’t mean it won’t get maintenance: whether it could get a higher priority or not it is another matter entirely. That said, the obnoxious OpenWRT build system (in another life, I package software for Linux distributions, so I have at least a passing knowledge on the topic) makes adjustments less than ideal even for outside contributors.


#5

Look at the TOS Gitlab tree and you will see that it has not been maintained for quite some time.


#6

Be that as it may, other packages are maintained notwithstanding, and thus that can hardly be an excuse, if it was meant as one, for the package not being maintained.

Not sure whether you are aware/realize that

  • lxc version in TOS is 1.1.5 (from the LEDE repo), which was never LTS and ceased to be supported by master upstream in January 2016
  • lxc version in OWRT mainline/master is currently 2.1, which was never LTS either and ceased to be supported by master upstream in September 2018

#7

Someone willing might try to contribute a newer version if need be. It’s just harder for the reasons mentioned. (I’m sure that people from CZ.NIC would welcome such a contribution).


#8

As I’m not experienced with the OpenWRT build system, please forgive my naivety - but what would be needed to build a 3.0.3 version of lxc for TO? Taking the source and building/packaging it against the current kernel? Or does it need adjustments?
Edit: I’m asking just because I’m looking forward to setting up VMs on my TO and this topic touches a nerve - if looking for isolation of software, one would want to run the (advertised) VM functionality, but this functionality is outdated :slightly_frowning_face:


#9

Well I tried to compile LXC 2.1 from LEDE but compilation for Turris powerpcspe crashes on some error…


#10

Again my question - why not compile it directly from 3.0.3 source?