
#1 2017-07-26 20:59:24

nerditup
Member
Registered: 2010-05-25
Posts: 19

LXC - lxc-copy (OverlayFS) with Unprivileged Containers

I am attempting to set up a server which will host multiple Linux Containers using LXC. I aim to use the containers as a replacement for KVM Virtual Machines (a whole system, not a single app).

As it states in the wiki, "In general, running an unprivileged container is considered safer than running a privileged container since unprivileged containers have an increased degree of isolation by virtue of their design."

With that being said, I've noticed that once setting up an unprivileged container I am unable (Operation Not Permitted) to generate a snapshot of a container using OverlayFS. This is due to the fact that mounting overlay filesystems as an unprivileged user requires a patched overlayfs module, which introduces a (different) security risk.

What is a recommended solution for creating clones of unprivileged containers such that I can create a base container and generate new containers from this? Does anybody have experience setting up a bunch of containers where each can be used as a VPS for untrusted users?

Further thoughts: Is isolation of LXC containers in a multi-tenant environment truly possible?


#2 2017-07-26 21:08:04

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,595

Re: LXC - lxc-copy (OverlayFS) with Unprivileged Containers

I wrote that on the wiki based on some feedback from the lxc developers.  I found some issues (can't remember what) with running them in unpri. mode... it very well could have been the lack of snapshots.  Again, I don't remember.  I am a big fan of base containers and overlayfs snapshots as well (nextcloud, openvpn, and pi-hole currently).  I can't answer your specific question though.


CPU-optimized Linux-ck packages @ Repo-ck • AUR packages • Zsh and other configs
