LXC Unprivileged enabling docker - Security risk?

[gmbeniamin]

We would like to enbable nesting and keyctl for our LXC containers. Our customers demand these features so they can install and use Docker.

There are (fairly old) posts suggesting this would be a security risk and we should be careful if we really want to do it as it could be possible for an user to access the host node. However, recent posts suggest this is not a security risk anymore as the technology evolved and it is safer to do so.

We would like to know if, at this moment, enabling those 2 options is safe in production and safe for our customers and their valuable data.

 

[oguz]

hi,

it's not recommended, since this is always a risk as it will expose /sys and /proc of your host with read-write permissions inside the container.

some find comfort in the fact that the unprivileged container's root user is mapped to an unprivileged user on the host machine, but still this setup could lead to container breakout in some cases (also depends on your configuration).

However, recent posts suggest this is not a security risk anymore as the technology evolved and it is safer to do so.

which post is that?

if you have security concerns with LXC running docker you should rather let your customers run docker in a full VM, where it's separated from the host kernel.

 

[tony-monatan]

Hi Oguz,

so you would always prefer a classic VM over a LXC container for public web applications?

Cheers

 

[oguz]

Hi Oguz,

so you would always prefer a classic VM over a LXC container for public web applications?

Cheers

no not necessarily.

as i said it depends on the exact configuration. but generally speaking for better separation it's recommended to use a VM.

if you're not concerned with that, then a container will also do fine for your case.

you have to decide the advantage or disadvantage of your setup

 

[gmbeniamin]

https://forum.proxmox.com/threads/running-docker-containers-in-proxmox-containers.81660/

This is the thread that made me think about running docker in a unprivileged container. I am a bit concerned about this. As a last resort I would rather create a VM, but I would really prefer to use LXC, as it is much easier to monitor, access, etc.