LXC - Permissions
Ubuntu is also one of the few Linux distributions to come by default with everything that's needed for safe, unprivileged LXC containers.
If using Ubuntu, it is recommended to use Ubuntu 18.04 LTS or higher as your container host.
Permissions
Unprivileged containers are the safest containers.
They use a uid and gid map to allocate a range of uids and gids to a container.
That means that uid 0 (root) in the container is actually something like uid 100000 outside the container.
So should something go very wrong and an attacker manages to escape the container, they'll find themselves with about as many rights as a nobody user.
Configure Unprivileged Containers
Ensure your user has a uid and gid map defined in /etc/subuid and /etc/subgid.
Check /etc/subuid.
- /etc/subuid
peter:100000:65536
Check /etc/subgid.
- /etc/subgid
peter:100000:65536
NOTE: On Ubuntu systems, a default allocation of 65536 uids and gids is given to every new user on the system, so you should already have one.
If not, you'll have to use usermod to give yourself one:
sudo usermod --append --groups lxd peter
or
sudo usermod -a -G lxd peter
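Adding the non-root Unix user account to the lxd group allows that user to run any lxc command without prepending sudo. Without this group membership, you would need to prepend sudo to each lxc command. Membership in the lxd group gives full control over LXD, which is effectively root access on the host, so add only users you would trust with root.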
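A check for the uid and gid maps described above, as an added example that is not part of the original page: it reads files in the /etc/subuid format, confirms both maps give the user at least 65536 ids (the default allocation mentioned in the note), and shows which host uid a container uid lands on. The function names are hypothetical, the sample files are constructed, and it assumes container id 0 is mapped to the start of the user's range.

```shell
#!/bin/sh
# Added example: check subordinate id maps in the /etc/subuid format (user:start:count).
MIN_IDS=65536   # assumption: require the default allocation size mentioned on the page

# subid_range FILE USER -> prints "start count" for USER's first entry; status 1 if absent.
subid_range() {
    awk -F: -v u="$2" '$1 == u { print $2, $3; found = 1; exit }
                       END { exit !found }' "$1"
}

# check_maps SUBUID_FILE SUBGID_FILE USER -> prints "ok", or why the maps are unusable.
check_maps() {
    for f in "$1" "$2"; do
        range=$(subid_range "$f" "$3") || {
            echo "missing: no entry for $3 in $f" \
                 "(allocate with usermod --add-subuids/--add-subgids FIRST-LAST $3)"
            return 1
        }
        [ "${range#* }" -ge "$MIN_IDS" ] || { echo "too small: $f gives ${range#* } ids"; return 1; }
    done
    echo "ok"
}

# host_id FILE USER ID -> host id that container ID maps to, assuming container id 0
# is mapped to the start of USER's range; status 2 if ID is outside the range.
host_id() {
    range=$(subid_range "$1" "$2") || return 1
    start=${range% *}
    count=${range#* }
    [ "$3" -ge 0 ] && [ "$3" -lt "$count" ] || return 2
    echo $((start + $3))
}

# Constructed sample files; on a real host pass /etc/subuid and /etc/subgid instead.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf 'peter:100000:65536\n' > "$demo/subuid"
printf 'peter:100000:65536\n' > "$demo/subgid"

check_maps "$demo/subuid" "$demo/subgid" peter
echo "container uid 0    -> host uid $(host_id "$demo/subuid" peter 0)"
echo "container uid 1000 -> host uid $(host_id "$demo/subuid" peter 1000)"
check_maps "$demo/subuid" "$demo/subgid" alice || true
```

A process that escapes the container as container root holds only the host uid printed for container uid 0, which is why that uid should own nothing outside the container's files.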