
Proxmox - Guests (VMs and Containers) - Docker - Methods for running Docker containers in Proxmox - Docker in LXC privileged container

ALERT: This method should not be used in a production environment.

WARNING: A privileged container is not very secure.

  • A privileged container basically means that the root user in the container is the root user of the host, so if someone were to compromise your container and break out of it, they would have root access on your host.
  • The root uid 0 in the container is still equal to uid 0 outside of the container.
  • The risk is that an exploit through proc, sys or some random syscall may escape the container and gain access to the host.
  • Because the container's uid 0 is the host's uid 0, such an escape runs as root on the host.
  • Container uid 0 is mapped to the host uid 0.
  • Protection of the host and prevention of escape is entirely done through Mandatory Access Control (apparmor, selinux), seccomp filters, dropping of capabilities and namespaces.
  • There are a number of exploits which will escape such containers and get full root privileges on the host.
  • Some of those exploits can be trivially blocked and LXC security policies are updated once these become known.
  • But some others are not blockable as they would require blocking so many core features that the average container would become completely unusable.
  • This method should not be used in production.

Add Kernel Modules

On the Proxmox host, edit /etc/modules-load.d/modules.conf.

Add the aufs and overlay kernel modules.

/etc/modules-load.d/modules.conf
# /etc/modules: kernel modules to load at boot time.
#
# This file contains the names of kernel modules that should be loaded
# at boot time, one per line. Lines beginning with "#" are ignored.
aufs
overlay

Restart the Proxmox host.


Create an LXC container

NOTE: Use whatever settings and OS you want.

  • Ensure that unprivileged container is not checked.
  • Do not start the container yet.

In Proxmox, edit the /etc/pve/lxc/{id}.conf file, where {id} is the ID given to your container, and add the following lines:

/etc/pve/lxc/{id}.conf
lxc.apparmor.profile: unconfined
lxc.cgroup.devices.allow: a
lxc.cap.drop:

Start the container.
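The three lines above, together with leaving "Unprivileged container" unchecked, are exactly the settings that remove the protections listed in the warning at the top of this page (uid mapping, AppArmor confinement, capability dropping, device cgroup limits). The following script is an added example, not part of this page or of Proxmox, that audits a /etc/pve/lxc/{id}.conf file on the host and flags each of those settings so you can see at a glance which containers were configured this way. The function name audit_lxc_conf and the two sample config files it writes under /tmp are constructed for the example; only the settings they contain come from this page.

```shell
#!/bin/sh
# Added example (not from the original page): audit a Proxmox LXC config for
# the privileged/unconfined settings described on this page.

# audit_lxc_conf FILE
# Prints one line per risky setting found and returns the number of findings
# as its exit status (0 = nothing flagged).
audit_lxc_conf() {
    conf="$1"
    findings=0

    # Proxmox marks unprivileged containers with "unprivileged: 1"; when the
    # line is absent, container uid 0 is host uid 0.
    if ! grep -Eq '^unprivileged:[[:space:]]*1' "$conf"; then
        echo "PRIVILEGED: no 'unprivileged: 1' line (container root == host root)"
        findings=$((findings + 1))
    fi

    # lxc.apparmor.profile: unconfined disables Mandatory Access Control.
    if grep -Eq '^lxc\.apparmor\.profile:[[:space:]]*unconfined' "$conf"; then
        echo "APPARMOR: profile set to unconfined (no MAC confinement)"
        findings=$((findings + 1))
    fi

    # "a" as the device allow rule grants access to every host device node
    # (accept both the cgroup v1 and cgroup2 key spellings).
    if grep -Eq '^lxc\.cgroup2?\.devices\.allow:[[:space:]]*a[[:space:]]*$' "$conf"; then
        echo "DEVICES: all host device nodes allowed"
        findings=$((findings + 1))
    fi

    # An empty lxc.cap.drop clears the default list of dropped capabilities.
    if grep -Eq '^lxc\.cap\.drop:[[:space:]]*$' "$conf"; then
        echo "CAPS: lxc.cap.drop is empty (no capabilities dropped)"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# Constructed sample reproducing the settings from this page (not a real host file).
SAMPLE_CONF="${TMPDIR:-/tmp}/docker-lxc-audit-sample.conf"
cat > "$SAMPLE_CONF" <<'EOF'
arch: amd64
cores: 2
hostname: docker-privileged
ostype: debian
lxc.apparmor.profile: unconfined
lxc.cgroup.devices.allow: a
lxc.cap.drop:
EOF

# Constructed contrast sample: an unprivileged container with the defaults kept.
SAFE_CONF="${TMPDIR:-/tmp}/docker-lxc-audit-safe.conf"
cat > "$SAFE_CONF" <<'EOF'
arch: amd64
cores: 2
hostname: docker-unprivileged
ostype: debian
unprivileged: 1
EOF

# Usage: run the audit over both samples and show the finding count.
echo "== $SAMPLE_CONF"
audit_lxc_conf "$SAMPLE_CONF"
echo "findings: $?"
echo "== $SAFE_CONF"
audit_lxc_conf "$SAFE_CONF"
echo "findings: $?"
```

On a real host you would point the function at /etc/pve/lxc/{id}.conf (or loop over /etc/pve/lxc/*.conf); any container that reports four findings has been set up exactly as this page describes and should be treated as host-root-equivalent when deciding what may run inside it.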


In the container, create /etc/docker/daemon.json and make the contents:

/etc/docker/daemon.json
{
  "storage-driver": "overlay2"
}

Install Docker

apt update
apt-get install -y apt-transport-https ca-certificates curl gnupg-agent software-properties-common
curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add -
add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable"
apt-get update
apt-get install -y docker-ce docker-ce-cli containerd.io

proxmox/guests_vms_and_containers/docker/methods_for_running_docker_containers_in_proxmox/docker_in_lxc_privileged_container.txt · Last modified: 2021/07/05 01:09 by peter
