Table of Contents

LXC - Permissions

Ubuntu is also one of the few Linux distributions to come by default with everything that's needed for safe, unprivileged LXC containers.

If using Ubuntu, it is recommended to use Ubuntu 18.04 LTS or higher as your container host.


Permissions

Unprivileged containers are the safest containers.

Those use a map of uid and gid to allocate a range of uids and gids to a container.

That means that uid 0 (root) in the container is actually something like uid 100000 outside the container.

So should something go very wrong and an attacker manages to escape the container, they'll find themselves with about as many rights as a nobody user.


Configure Unprivileged Containers

Ensure your user has a uid and gid map defined in /etc/subuid and /etc/subgid.

Check /etc/subuid.

/etc/subuid
peter:100000:65536

and Check /etc/subgid.

/etc/subgid
peter:100000:65536

NOTE: On Ubuntu systems, a default allocation of 65536 uids and gids is given to every new user on the system, so you should already have one.

If not, you'll have to use usermod to give yourself one:

sudo usermod --append --groups lxd peter

or

sudo usermod -a -G lxd peter

By adding the non-root Unix user account to the lxd group, allows that user to run any lxc commands without prepending sudo. Without this addition, you would have needed to prepend sudo to each lxc command.