LXC Unprivileged enabling docker - Security risk?

gmbeniamin (New Member), Feb 5, 2021
We would like to enable nesting and keyctl for our LXC containers. Our customers demand these features so they can install and use Docker.

There are (fairly old) posts suggesting this would be a security risk and we should be careful if we really want to do it, as it could be possible for a user to access the host node. However, recent posts suggest this is not a security risk anymore as the technology evolved and it is safer to do so.

We would like to know if, at this moment, enabling those 2 options is safe in production and safe for our customers and their valuable data.
 
hi,

it's not recommended, since this is always a risk as it will expose /sys and /proc of your host with read-write permissions inside the container.

some find comfort in the fact that the unprivileged container's root user is mapped to an unprivileged user on the host machine, but still this setup could lead to container breakout in some cases (also depends on your configuration).

> However, recent posts suggest this is not a security risk anymore as the technology evolved and it is safer to do so.

which post is that?

if you have security concerns with LXC running docker you should rather let your customers run docker in a full VM, where it's separated from the host kernel.
 
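As an added illustration (not part of the thread and not Proxmox's own tooling), here is a small POSIX shell audit that reads container configs in the /etc/pve/lxc/<CTID>.conf layout and flags the combination discussed above: nesting enabled, and whether the container is privileged or unprivileged (root uid-mapped). The three sample configs are constructed for the demonstration; the verdict wording is an assumption of the example, not a Proxmox classification.

```shell
#!/bin/sh
# Added example: audit Proxmox-style LXC configs for the nesting/keyctl features.
# Config format mirrors /etc/pve/lxc/<CTID>.conf ("unprivileged: 1",
# "features: nesting=1,keyctl=1"). Sample configs below are constructed.

# Print the value of a "key: value" line from config $1, or nothing if absent.
conf_value() {
    sed -n "s/^$2: *//p" "$1" | head -n 1
}

# Print 1 if feature $2 (nesting, keyctl, ...) is set to 1 in the
# "features:" line of config $1, else 0.
feature_enabled() {
    features=$(conf_value "$1" features)
    case ",$features," in
        *",$2=1,"*) echo 1 ;;
        *) echo 0 ;;
    esac
}

# Classify one container config.
# Prints: CTID unprivileged nesting keyctl VERDICT: explanation
audit_lxc_conf() {
    conf="$1"
    ctid=$(basename "$conf" .conf)
    unpriv=$(conf_value "$conf" unprivileged)
    if [ -z "$unpriv" ]; then
        unpriv=0   # no "unprivileged:" key means a privileged container
    fi
    nesting=$(feature_enabled "$conf" nesting)
    keyctl=$(feature_enabled "$conf" keyctl)
    if [ "$nesting" = 1 ] && [ "$unpriv" = 0 ]; then
        verdict="HIGH: privileged container with nesting; host /sys and /proc exposed rw to real root"
    elif [ "$nesting" = 1 ]; then
        verdict="MEDIUM: unprivileged container with nesting; root is uid-mapped but /sys and /proc are exposed rw"
    else
        verdict="LOW: nesting not enabled"
    fi
    echo "$ctid $unpriv $nesting $keyctl $verdict"
}

# Audit every *.conf in directory $1, one line per container.
audit_lxc_dir() {
    for f in "$1"/*.conf; do
        audit_lxc_conf "$f"
    done
}

# Print only the verdict level (HIGH/MEDIUM/LOW) for config $1, for scripting.
verdict_level() {
    audit_lxc_conf "$1" | sed 's/^[0-9]* [0-9] [0-9] [0-9] \([A-Z]*\):.*/\1/'
}

# Constructed sample configs (hypothetical containers 100-102).
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/100.conf" <<'EOF'
arch: amd64
hostname: web-plain
unprivileged: 1
EOF
    cat > "$dir/101.conf" <<'EOF'
arch: amd64
hostname: docker-unpriv
unprivileged: 1
features: nesting=1,keyctl=1
EOF
    cat > "$dir/102.conf" <<'EOF'
arch: amd64
hostname: docker-priv
features: nesting=1
EOF
    echo "$dir"
}

SAMPLES=$(make_samples)
audit_lxc_dir "$SAMPLES"
```

On a real Proxmox host you would point audit_lxc_dir at /etc/pve/lxc instead of the constructed directory; containers reported HIGH are the ones where the advice above to move Docker into a full VM applies most directly.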
Hi Oguz,

so you would always prefer a classic VM over an LXC container for public web applications?

Cheers
no not necessarily.

as i said it depends on the exact configuration. but generally speaking for better separation it's recommended to use a VM.

if you're not concerned with that, then a container will also do fine for your case.

you have to decide the advantage or disadvantage of your setup
 
