Root Docker in unprivileged lxc - safe or not?

proxwolfe

Hi,

A question for security experts:

If I run docker (the traditional way, as root) in an unprivileged lxc - is that a security risk for the pve host?

My understanding is that running docker as root is, per se, a security risk. However, in an unprivileged lxc, the lxc's root (as which the docker daemon runs) is not an actual root on the pve host but rather a normal user with limited privileges. Thus, it would seem to me that this setup should not be overly unsafe.

Is this correct?

Would it still be a substantial security improvement to run docker rootless (where the docker app accepts that) or would that just be a lot of work for little security gain?

Thanks!
Hi,

If I run docker (the traditional way, as root) in an unprivileged lxc - is that a security risk for the pve host?

My understanding is that running docker as root is, per se, a security risk. However, in an unprivileged lxc, the lxc's root (as which the docker daemon runs) is not an actual root on the pve host but rather a normal user with limited privileges. Thus, it would seem to me that this setup should not be overly unsafe.
Since running docker involves enabling nesting (which exposes /proc and /sys of the host to the container), it can still be possible to break out of the LXC when nesting is enabled, but as you mentioned, the uid of the LXC root is an unprivileged user on the PVE host. What you'll need to consider is whether that's a risk for you. If you're providing access to your docker for untrusted users, then it might make sense to run docker in a VM instead, since there's better separation there with fully virtualized kernels (compared to LXC, where the host kernel is re-used).

Would it still be a substantial security improvement to run docker rootless (where the docker app accepts that) or would that just be a lot of work for little security gain?
You can try following [0] and see if it works (I've never tried this in LXC); it might add another layer for a potential intruder's privilege escalation efforts.

[0]: https://docs.docker.com/engine/security/rootless/
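The reply above rests on three facts an admin can verify rather than assume: that the container's root is mapped to an unprivileged uid on the PVE host, that nesting is enabled for the container, and whether the docker daemon inside is rootless or runs as the container's root. The script below is an added example, not code from the thread or from Proxmox/Docker; it checks those three things. Each check is a function that takes plain text, so it runs on the constructed samples embedded here; the `live_check` function feeds it the real `/proc/self/uid_map` and `docker info` output when run with `--live` inside the container. The sample uid map uses 100000 as the host uid, which is the Proxmox default for unprivileged containers; the `docker info --format '{{.SecurityOptions}}'` output is assumed to contain `name=rootless` for a rootless daemon, as documented for rootless mode.

```shell
#!/bin/sh
# Added example (not from the thread): verify what an unprivileged LXC
# running docker actually gives you. Functions take text so they can be
# exercised on the constructed samples below; live_check uses real data.

# Which host uid does container uid 0 map to?
# $1 = contents of /proc/self/uid_map ("inside outside count" per line).
classify_uid_map() {
    printf '%s\n' "$1" | awk '
        NF == 3 && $1 == 0 && $3 > 0 {
            if ($2 == 0) print "privileged: container root is host root"
            else         print "unprivileged: container root is host uid " $2
            found = 1; exit
        }
        END { if (!found) print "unmapped: uid 0 has no mapping" }'
}

# Summarize a Proxmox container config (output of `pct config <vmid>` on
# the host). $1 = config text. Prints "unprivileged=<0|1> nesting=<0|1>".
# A missing "unprivileged:" key means the container is privileged.
summarize_pct_config() {
    printf '%s\n' "$1" | awk '
        /^unprivileged:/            { u = $2 }
        /^features:/ && /nesting=1/ { n = 1 }
        END { printf "unprivileged=%d nesting=%d\n", u + 0, n + 0 }'
}

# Is the docker daemon rootless? $1 = output of
# `docker info --format '{{.SecurityOptions}}'`, which lists
# "name=rootless" for a rootless daemon (assumed format, per the docs).
docker_is_rootless() {
    case " $1 " in
        *"name=rootless"*) return 0 ;;
        *)                 return 1 ;;
    esac
}

# Constructed samples (not captured from a real system).
SAMPLE_UID_MAP="         0     100000      65536"
SAMPLE_CONFIG="arch: amd64
cores: 2
features: nesting=1
hostname: docker
memory: 2048
unprivileged: 1"
SAMPLE_DOCKER_INFO="[name=seccomp,profile=builtin name=rootless name=cgroupns]"

# Run inside the container: reads the real uid map and docker info.
live_check() {
    echo "uid map: $(classify_uid_map "$(cat /proc/self/uid_map)")"
    if command -v docker >/dev/null 2>&1; then
        opts=$(docker info --format '{{.SecurityOptions}}' 2>/dev/null)
        if docker_is_rootless "$opts"; then
            echo "docker:  rootless daemon"
        else
            echo "docker:  daemon runs as uid 0 of the container (see uid map)"
        fi
    fi
}

if [ "${1:-}" = "--live" ]; then
    live_check
else
    echo "sample uid map: $(classify_uid_map "$SAMPLE_UID_MAP")"
    echo "sample config:  $(summarize_pct_config "$SAMPLE_CONFIG")"
    if docker_is_rootless "$SAMPLE_DOCKER_INFO"; then
        echo "sample docker:  rootless"
    else
        echo "sample docker:  running as root"
    fi
fi
```

Run the script with `--live` inside the container to see the real mapping; on the PVE host, `summarize_pct_config "$(pct config <vmid>)"` reports whether the container is unprivileged and nested. A uid map line starting `0 0` means container root is host root, which is the case the reply warns against combining with nesting.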
Thanks. I have been planning to try rootless for a while. I might give it a shot.