I am attempting to set up a server which will host multiple Linux Containers using LXC. I aim to use the containers as a replacement for KVM Virtual Machines (a whole system, not a single app).
As it states in the wiki, "In general, running an unprivileged container is considered safer than running a privileged container since unprivileged containers have an increased degree of isolation by virtue of their design."
With that being said, I've noticed that once I have set up an unprivileged container I am unable (Operation not permitted) to generate a snapshot of a container using OverlayFS. This is due to the fact that mounting overlay filesystems as an unprivileged user requires a patched overlayfs module, which introduces a (different) security risk.
What is a recommended solution for creating clones of unprivileged containers such that I can create a base container and generate new containers from this? Does anybody have experience setting up a bunch of containers where each can be used as a VPS for untrusted users?
Further thoughts: Is isolation of LXC containers in a multi-tenant environment truly possible?
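As an added example (not part of this thread, and not LXC's own tooling), the script below does the two checks a practitioner would want before cloning a base container for untrusted tenants: confirm from the container config that it really is unprivileged (both a uid and a gid map are present) and report which rootfs backing store it uses, since an `overlay:`/`overlayfs:` store is the one that needs the patched module. The clone itself is done as a full copy with `lxc-copy -n BASE -N NEW` rather than a `-s` snapshot, so no overlay mount is involved. Assumptions: `lxc-copy` is available (LXC 2.0 or later), and config key names follow LXC 2.1+ (`lxc.idmap`, `lxc.rootfs.path`) with the older spellings (`lxc.id_map`, `lxc.rootfs`) also accepted. The sample configs are constructed here and do not describe real containers.

```shell
#!/bin/sh
# Added example: inspect LXC container configs before cloning, then clone by
# full copy (no overlay snapshot). Key names: lxc.idmap / lxc.rootfs.path are
# LXC 2.1+, lxc.id_map / lxc.rootfs are the pre-2.1 spellings.

# Returns 0 when the config maps both uids and gids, i.e. the container will
# run unprivileged. A config with only one of the two is treated as not
# unprivileged, because the missing map leaves that id space un-shifted.
is_unprivileged() {
    cfg="$1"
    grep -Eq '^[[:space:]]*lxc\.(idmap|id_map)[[:space:]]*=[[:space:]]*u[[:space:]]' "$cfg" &&
    grep -Eq '^[[:space:]]*lxc\.(idmap|id_map)[[:space:]]*=[[:space:]]*g[[:space:]]' "$cfg"
}

# Prints the rootfs backing store type: "overlay", "overlayfs", "dir", ...
# A bare path with no "type:" prefix is a plain directory store.
rootfs_backend() {
    cfg="$1"
    val=$(grep -E '^[[:space:]]*lxc\.(rootfs\.path|rootfs)[[:space:]]*=' "$cfg" \
          | head -n 1 | sed 's/^[^=]*=[[:space:]]*//')
    case "$val" in
        *:*) printf '%s\n' "${val%%:*}" ;;
        '')  printf 'unknown\n' ;;
        *)   printf 'dir\n' ;;
    esac
}

# Full-copy clone of BASE to NEW. Assumes lxc-copy (LXC >= 2.0); run it as
# the unprivileged user who owns the base container so the copy inherits the
# same id maps. No -s, so no overlay mount and no patched overlayfs needed.
clone_full() {
    base="$1"; new="$2"
    command -v lxc-copy >/dev/null 2>&1 || { echo "lxc-copy not found" >&2; return 1; }
    lxc-copy -n "$base" -N "$new"
}

# Constructed sample configs (not real containers) to exercise the checks.
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
cat > "$sample_dir/unpriv.conf" <<'EOF'
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536
lxc.rootfs.path = dir:/home/user/.local/share/lxc/base/rootfs
EOF
cat > "$sample_dir/priv_overlay.conf" <<'EOF'
lxc.rootfs.path = overlay:/var/lib/lxc/base/rootfs:/var/lib/lxc/snap/delta0
EOF

for c in unpriv.conf priv_overlay.conf; do
    if is_unprivileged "$sample_dir/$c"; then priv="unprivileged"; else priv="privileged"; fi
    echo "$c: $priv, rootfs backend: $(rootfs_backend "$sample_dir/$c")"
done
```

To use it against a real container, point the two check functions at `~/.local/share/lxc/NAME/config` (unprivileged) or `/var/lib/lxc/NAME/config` (privileged), and only call `clone_full base new` once the base reports as unprivileged with a `dir` backend.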
I wrote that on the wiki based on some feedback from the lxc developers. I found some issues (can't remember what) with running them in unpri. mode... it very well could have been the lack of snapshots. Again, I don't remember. I am a big fan of base containers and overlayfs snapshots as well (nextcloud, openvpn, and pi-hole currently). I can't answer your specific question though.