Debian buster LXC container

Now with Buster released, is there any update on how to properly handle Buster-based LXC containers on Proxmox? I do feel a bit uncomfortable activating the nesting setting. Am I paranoid?
 
> Am I paranoid?

As long as you use unprivileged CTs you can enable this without real implications.
For privileged CTs not really, I would not recommend it there for anything untrusted, e.g., hosted CTs.

We're talking and working with AppArmor upstream to bring in the feature we need to ensure that we can allow the unproblematic things by default without also allowing possibly problematic permissions. Some of that work can be seen here: https://gitlab.com/apparmor/apparmor/merge_requests/305, superseded by https://gitlab.com/apparmor/apparmor/merge_requests/333
(some more up-to-date discussion happens on IRC). The work is a bit complicated, AppArmor supports a lot, and one really does not want to break existing setups.
 
> As long as you use unprivileged CTs you can enable this without real implications.
> For privileged CTs not really, I would not recommend it there for anything untrusted, e.g., hosted CTs.

My main issue is that pam_ldap/pam_winbind does not work with unprivileged CTs so I'm forced to use privileged CTs.
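
A way to audit a host for the combination discussed in this thread (nesting enabled on a privileged CT), added here as an example that is not part of any post above. It assumes the container config format of `/etc/pve/lxc/<vmid>.conf` with the `unprivileged` and `features` keys; the function names `classify_ct` and `audit_dir` are hypothetical and the sample configs are constructed.

```shell
#!/bin/sh
# Classify one CT config (read on stdin) by its nesting/unprivileged combination.
# Prints: no-nesting | nesting-unprivileged | nesting-privileged
classify_ct() {
    awk '
        /^\[/ { exit }    # snapshot sections follow; only the live config counts
        /^unprivileged:[ \t]*1[ \t]*$/ { unpriv = 1 }
        /^features:/ {
            sub(/^features:[ \t]*/, "")
            n = split($0, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "nesting=1") nest = 1
        }
        END {
            # A missing "unprivileged: 1" line means the CT is privileged.
            if (!nest)       print "no-nesting"
            else if (unpriv) print "nesting-unprivileged"
            else             print "nesting-privileged"
        }'
}

# Print "<vmid><TAB><classification>" for every CT config in a directory.
audit_dir() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        printf '%s\t%s\n' "$(basename "$f" .conf)" "$(classify_ct < "$f")"
    done
}

# Constructed sample configs so the script also runs off-host.
demo=$(mktemp -d)
printf 'arch: amd64\nhostname: web\nunprivileged: 1\nfeatures: nesting=1\n' > "$demo/101.conf"
printf 'arch: amd64\nhostname: ldap\nfeatures: mount=nfs,nesting=1\n' > "$demo/102.conf"
printf 'arch: amd64\nunprivileged: 1\n\n[snap1]\nfeatures: nesting=1\n' > "$demo/103.conf"
audit_dir "$demo"
rm -rf "$demo"
# On a Proxmox host: audit_dir /etc/pve/lxc
```

CTs reported as `nesting-privileged` are the ones the advice above says not to use for anything untrusted.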