Proxmox - Guests (VMs and Containers) - Docker - Methods for running Docker containers in Proxmox - Docker in LXC unprivileged container

ALERT: This method should not be used in a production environment.

WARNING: More secure than a privileged container.

  • Processes inside the container appear to run as root, but on the host they run as an unprivileged user: container root is userid 100000 on the host.
  • An unprivileged container masks the user IDs from the host.
    • With unprivileged containers, non-root users can create containers; inside the container they are root, but on the host they appear as, for example, userid 10000.
      • Container uid 0 is mapped to an unprivileged user on the host.
      • A container breakout is still serious, but not as damaging as it is for a privileged container.
    • SELinux, AppArmor, Seccomp and capabilities are not necessary for security in this model.
    • LXC still uses them to add an extra layer of security, which may be handy in the event of a kernel security issue, but the security model is not enforced by them.
  • Can cause compatibility problems and permission challenges. Issues include:
    • Mounting, for example, NFS shares, because of the uid mapping.
      • You can mount the share on the Proxmox host and create a mount point for the unprivileged container, but you then lose migration.
    • Using the host network and binding to a port < 1024.
      • Using any network-accessible service such as DNS, NTP, etc?
    • Writing to parts of the host file system that need root privileges.
    • Using a VPN client in the LXC container.
  • Enabling the nesting and keyctl options on an unprivileged container (under Options → Features) can fix many of these issues.
  • This method should not be used in production.
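As an added example, not part of the wiki page, the following POSIX shell script shows the uid translation the bullets above describe, in both directions: what container uid 0 becomes on the host, and what a host-owned file (for example on an NFS export) looks like from inside the container. The mapping in IDMAP is a constructed sample in Proxmox's lxc.idmap syntax, using the usual range of 65536 ids starting at host uid 100000; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the wiki page: how the uid mapping of an
# unprivileged container translates ids in both directions.
# IDMAP is a constructed sample in the "lxc.idmap" syntax Proxmox writes for
# unprivileged containers (type, container-start, host-start, count); the
# values mirror the usual first /etc/subuid range but are only sample data.
IDMAP='u 0 100000 65536
g 0 100000 65536'

# container_uid_to_host <container-uid> [idmap]
# Prints the host uid that a process with the given in-container uid really
# runs as. Ids outside every "u" range are unmapped, and the kernel shows
# them as the overflow uid 65534 (nobody).
container_uid_to_host() {
    _uid=$1
    _map=${2:-$IDMAP}
    printf '%s\n' "$_map" | awk -v id="$_uid" '
        $1 == "u" && id >= $2 && id < $2 + $4 {
            print $3 + (id - $2); found = 1; exit
        }
        END { if (!found) print 65534 }'
}

# host_uid_to_container <host-uid> [idmap]
# The reverse view: the owner that a file with the given host uid shows inside
# the container. A regular host user such as uid 1000 (typical on an NFS
# export) lies outside the mapped range and therefore appears as nobody
# (65534); that is the source of the permission problems listed above.
host_uid_to_container() {
    _uid=$1
    _map=${2:-$IDMAP}
    printf '%s\n' "$_map" | awk -v id="$_uid" '
        $1 == "u" && id >= $3 && id < $3 + $4 {
            print $2 + (id - $3); found = 1; exit
        }
        END { if (!found) print 65534 }'
}

# Stand-alone run: a few representative ids in each direction.
for cuid in 0 1000 65535 65536; do
    printf 'container uid %-6s -> host uid      %s\n' "$cuid" "$(container_uid_to_host "$cuid")"
done
for huid in 100000 101000 1000; do
    printf 'host uid      %-6s -> container uid %s\n' "$huid" "$(host_uid_to_container "$huid")"
done
```

Container uid 0 lands on host uid 100000 and container uid 65535 on 165535; a container uid past the end of the range, and a host uid such as 1000 seen from the container, both collapse to 65534, which is why files on a host-mounted share owned by ordinary host users are not writable from the container.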

Add Kernel Modules

On the Proxmox host, edit /etc/modules-load.d/modules.conf.

Add the aufs and overlay kernel modules.

/etc/modules-load.d/modules.conf
# /etc/modules: kernel modules to load at boot time.
#
# This file contains the names of kernel modules that should be loaded
# at boot time, one per line. Lines beginning with "#" are ignored.
aufs
overlay

Restart the Proxmox host.


Create an LXC container

NOTE: Use whatever settings and OS you want.

  • Ensure that unprivileged container is checked.
  • Do not start the container yet.

In Proxmox, edit the /etc/pve/lxc/{id}.conf file, where {id} is the ID given to your container, and add the following lines:

/etc/pve/lxc/{id}.conf
lxc.apparmor.profile: unconfined
lxc.cgroup.devices.allow: a
lxc.cap.drop:
lxc.mount.auto:
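The four lines above turn off the container's AppArmor profile (unconfined), allow it access to every device node, stop LXC from dropping any capabilities, and clear LXC's automatic /proc and /sys mounts. That is the extra layer mentioned earlier; with it gone, the uid mapping is the main boundary left, which is why the page limits this method to non-production use. The following shell script, added here and not part of the wiki page, checks a config text for exactly these settings so they stand out when reviewing /etc/pve/lxc/{id}.conf files; both config samples inside it are constructed (hostname and sizes invented), and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the wiki page: flag the isolation settings that the
# configuration above relaxes. Both config texts are constructed samples.

# The container as the page configures it (hostname and sizes invented).
SAMPLE_CONF='arch: amd64
cores: 2
hostname: docker-lxc
memory: 2048
unprivileged: 1
features: keyctl=1,nesting=1
lxc.apparmor.profile: unconfined
lxc.cgroup.devices.allow: a
lxc.cap.drop:
lxc.mount.auto:'

# The same container with the four override lines left out, so LXC's defaults
# (a confining AppArmor profile, a device allow-list, capability drops and
# protected /proc and /sys mounts) apply.
DEFAULT_CONF='arch: amd64
cores: 2
hostname: docker-lxc
memory: 2048
unprivileged: 1
features: keyctl=1,nesting=1'

# has_line <conf-text> <basic-regex>: true if any line of the text matches.
has_line() {
    printf '%s\n' "$1" | grep -q "$2"
}

# audit_lxc_conf [conf-text]: print one line per relaxed setting.
# Nothing printed means none of the checked settings was relaxed.
audit_lxc_conf() {
    conf=${1:-$SAMPLE_CONF}
    has_line "$conf" '^unprivileged: *0' \
        && echo "privileged container (unprivileged: 0): container root is host root"
    has_line "$conf" '^lxc\.apparmor\.profile: *unconfined' \
        && echo "AppArmor confinement disabled (lxc.apparmor.profile: unconfined)"
    has_line "$conf" '^lxc\.cgroup2*\.devices\.allow: *a *$' \
        && echo "every device node allowed (lxc.cgroup.devices.allow: a)"
    has_line "$conf" '^lxc\.cap\.drop: *$' \
        && echo "no capabilities dropped (empty lxc.cap.drop)"
    has_line "$conf" '^lxc\.mount\.auto: *$' \
        && echo "LXC auto-mounts of /proc and /sys cleared (empty lxc.mount.auto)"
    return 0
}

# Stand-alone run: the page's configuration, then the same container without
# the four overrides.
echo '== container as configured on this page =='
audit_lxc_conf
echo '== same container without the overrides =='
audit_lxc_conf "$DEFAULT_CONF"
```

Run against the page's configuration the script reports four relaxed settings; against the same container without the four override lines it reports none. The checks are plain greps over the container's config, so they can be run on the Proxmox host over every file in /etc/pve/lxc/ to find containers that were set up this way.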

Start the container.


In the container, create /etc/docker/daemon.json with the following contents:

/etc/docker/daemon.json
{
  "storage-driver": "overlay2"
}

Install Docker

# Inside the container: prerequisites for adding the Docker apt repository
apt update
apt-get install -y apt-transport-https ca-certificates curl gnupg-agent software-properties-common
# Docker's repository signing key and the stable repository for this Debian release
curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add -
add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable"
# Docker engine, CLI and containerd
apt-get update
apt-get install -y docker-ce docker-ce-cli containerd.io

proxmox/guests_vms_and_containers/docker/methods_for_running_docker_containers_in_proxmox/docker_in_lxc_unprivileged_container.txt · Last modified: 2021/07/05 01:16 by peter
