Linux Containers (LXC) is an operating-system-level virtualization method for running multiple isolated Linux systems (containers) on a single control host (LXC host). It does not provide a virtual machine, but rather provides a virtual environment that has its own CPU, memory, block I/O, network, etc. space and the resource control mechanism. This is provided by the namespaces and cgroups features in the Linux kernel on the LXC host. It is similar to a chroot, but offers much more isolation.

Alternatives for using containers are systemd-nspawn or Docker. This page deals with using LXC directly.

Privileged containers or unprivileged containers

LXCs can be set up to run in either privileged or unprivileged configurations.

In general, running an unprivileged container is considered safer than running a privileged container, since unprivileged containers have an increased degree of isolation by virtue of their design. Key to this is the mapping of the root UID within the container to a non-root UID on the host, which makes it more difficult for a hack inside the container to lead to consequences on the host system. In other words, if an attacker manages to escape the container, they should find themselves with limited or no rights on the host.

The Arch linux, linux-lts and linux-zen kernel packages currently provide out-of-the-box support for unprivileged containers. Similarly, with the linux-hardened package, unprivileged containers are only available for the system administrator with additional kernel configuration changes required, as user namespaces are disabled by default for normal users there.

This article contains information for users to run either type of container, but additional steps may be required in order to use unprivileged containers.

An example to illustrate unprivileged containers

To illustrate the power of UID mapping, consider the output below from a running, unprivileged container.
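
The root-to-non-root mapping described above can be checked from the host by reading a container process's /proc/<pid>/uid_map. The following is an added example, not part of the original article and not the output it refers to; the sample maps are constructed, and the 100000/65536 range is an assumed subuid allocation.

```python
"""Translate container UIDs to host UIDs using /proc/<pid>/uid_map semantics."""
import os

# Constructed sample maps in /proc/<pid>/uid_map format:
#   <first ID inside namespace> <first ID on host> <range length>
UNPRIVILEGED_MAP = "         0     100000      65536\n"  # assumed subuid range
PRIVILEGED_MAP = "         0          0 4294967295\n"    # identity map, no user namespace


def parse_id_map(text):
    """Return a list of (inside_start, outside_start, length) tuples."""
    extents = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed id map line: {line!r}")
        extents.append(tuple(int(f) for f in fields))
    return extents


def to_host_id(container_id, extents):
    """Map an ID inside the namespace to the host ID, or None if unmapped."""
    for inside, outside, length in extents:
        if inside <= container_id < inside + length:
            return outside + (container_id - inside)
    return None


def root_maps_to_host_root(extents):
    """True if container UID 0 is host UID 0, i.e. the container is privileged."""
    return to_host_id(0, extents) == 0


def read_uid_map(pid):
    """Read the live map for a process, e.g. the container's init PID on the host."""
    with open(os.path.join("/proc", str(pid), "uid_map")) as fh:
        return parse_id_map(fh.read())


if __name__ == "__main__":
    for name, text in (("unprivileged", UNPRIVILEGED_MAP),
                       ("privileged", PRIVILEGED_MAP)):
        extents = parse_id_map(text)
        print(f"{name}: container uid 0 -> host uid {to_host_id(0, extents)}, "
              f"host root: {root_maps_to_host_root(extents)}")
```

On a live host, pass the container's init PID to read_uid_map(); a result where root_maps_to_host_root() is true means a process that escapes the container is root on the host.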