How truly unprivileged containers work in lxc

Session information has not yet been published for this event.

*
Refereed Presentation
Scheduled: Thursday, November 3, 2016 from 11:45am – 12:30pm in Sweeney F

One Line Summary

Learn how Linux safely supports unprivileged users creating and starting containers.

Abstract

With the advent of user namespaces, the term ‘unprivileged container’ came to mean two different container types which share a common feature. All unprivileged containers run in a private user namespace, with the container root uid mapped to a non-root uid on the host. This has an obvious advantage
over privileged containers in that a compromise of a root owned daemon in such
a container does not necessarily compromise root on the host. However the two
types of unprivileged containers differ in how they are created and started.

The first type, which could more precisely be called “root-owned unprivileged container”, requires root privileges to create and start. Docker, lxc, lxd, libvirt, and openvz are all able to create this type of container.

The other type, which could more precisely be called a “pure unprivileged container”, is a container created and started by an unprivileged user without help from any root owned daemon. This has the advantage over root-owned unprivileged containers of reducing the privilege which a user must be granted in order to be allowed to start containers. As such it also makes using containers as a part of a sandboxing solution less heavyweight. On the other hand, root-owned unprivileged containers are able to spawn a wider range of container types (for instance, block-device-backed) than the other type, by virtue of the launching process and container monitor having increased privileges. Currently only lxc can provide pure unprivileged containers.

In this talk I will go over (1) precisely how lxc is able to provide these containers; (2) which pieces of privilege need to be delegated; and (3) what future functionality could further improve these containers. It may or may not end in a poll to select a new name for pure unprivileged containers, free ice cream, and unicorn berets.

Presentation Materials

slides

Speaker

Leave a private comment to organizers about this proposal