container features deployment limited to root

Discussion in 'Proxmox VE: Installation and configuration' started by alexskysilk, Feb 8, 2019.

  1. alexskysilk

    alexskysilk Active Member

    Joined:
    Oct 16, 2015
    Messages:
    475
    Likes Received:
    51
    I have recently begun deployment of nested containers following an orderly upgrade to 5.3, when I noticed that only a root user may actually flag the features. What is the rationale for this limitation? What are the implications of setting these flags that I'm not considering?
     
  2. dietmar

    dietmar Proxmox Staff Member
    Staff Member

    Joined:
    Apr 28, 2005
    Messages:
    16,340
    Likes Received:
    286
    Security. A normal container should not have permissions to do all those things, as this can severely damage the host system (if a bad/untrusted user inside the container tries to hack you).
     
  3. alexskysilk

    alexskysilk Active Member

    Joined:
    Oct 16, 2015
    Messages:
    475
    Likes Received:
    51
    Thanks @dietmar, I had a gut feeling that this isn't benign just because we are not opening up the apparmor profile. Can you expand a bit more on the relationship of the nested flag and what apparmor is allowing/preventing when it is?
     
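The root-only restriction dietmar explains above only helps if someone actually keeps track of which containers have these features switched on. As an added example (not code from the thread or from Proxmox), the following audit parses LXC configs in the `/etc/pve/lxc/<vmid>.conf` format and lists containers with any feature enabled, ranking privileged ones first; the samples are constructed, and the feature names `nesting`, `keyctl` and `fuse` are assumed from Proxmox's feature list.

```python
from typing import Dict, List, Tuple

# Constructed sample configs in the key: value format Proxmox uses for
# /etc/pve/lxc/<vmid>.conf. None of these are real containers.
SAMPLE_CONFIGS = {
    101: "arch: amd64\nhostname: web\nunprivileged: 1\nfeatures: nesting=1\n",
    102: "arch: amd64\nhostname: ci\nunprivileged: 1\nfeatures: nesting=1,keyctl=1,fuse=1\n",
    103: "arch: amd64\nhostname: legacy\nunprivileged: 0\nfeatures: nesting=1\n",
    104: "arch: amd64\nhostname: db\nunprivileged: 1\n",
}


def parse_config(text: str) -> Dict[str, str]:
    """Parse 'key: value' lines of the live config; stop at the first
    snapshot section ([name]) and skip comments and blank lines."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):  # snapshot sections follow the live config
            break
        key, _, value = line.partition(":")
        cfg[key.strip()] = value.strip()
    return cfg


def parse_features(value: str) -> Dict[str, str]:
    """'nesting=1,keyctl=1' -> {'nesting': '1', 'keyctl': '1'}.
    A bare name without '=' is treated as enabled."""
    feats: Dict[str, str] = {}
    for item in filter(None, (p.strip() for p in value.split(","))):
        name, _, val = item.partition("=")
        feats[name] = val or "1"
    return feats


def audit(configs: Dict[int, str]) -> List[Tuple[int, bool, List[str]]]:
    """Return (vmid, is_privileged, enabled_features) for every container
    with at least one feature on. A missing 'unprivileged' key means the
    container is privileged. Privileged containers are listed first."""
    findings = []
    for vmid, text in configs.items():
        cfg = parse_config(text)
        privileged = cfg.get("unprivileged", "0") != "1"
        feats = sorted(n for n, v in parse_features(cfg.get("features", "")).items() if v != "0")
        if feats:
            findings.append((vmid, privileged, feats))
    return sorted(findings, key=lambda f: (not f[1], -len(f[2]), f[0]))
```

On a real host you would replace `SAMPLE_CONFIGS` with the contents of each `.conf` file under `/etc/pve/lxc/`, keyed by VMID.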