Root Docker in unprivileged lxc - safe or not?

proxwolfe

Hi,

A question for security experts:

If I run docker (the traditional way, as root) in an unprivileged lxc - is that a security risk for the pve host?

My understanding is that running docker as root is, per se, a security risk. However, in an unprivileged lxc, the lxc's root (as which the docker daemon runs) is not an actual root on the pve host but rather a normal user with limited privileges. Thus, it would seem to me that this setup should not be overly unsafe.

Is this correct?

Would it still be a substantial security improvement to run docker rootless (where the docker app accepts that) or would that just be a lot of work for little security gain?

Thanks!
Hi,

> If I run docker (the traditional way, as root) in an unprivileged lxc - is that a security risk for the pve host?
>
> My understanding is that running docker as root is, per se, a security risk. However, in an unprivileged lxc, the lxc's root (as which the docker daemon runs) is not an actual root on the pve host but rather a normal user with limited privileges. Thus, it would seem to me that this setup should not be overly unsafe.

Since running docker involves enabling nesting (which exposes /proc and /sys of the host to the container), it can still be possible to break out of the LXC when nesting is enabled, but as you mentioned, the uid of the LXC-root is an unprivileged user on the PVE host. What you'll need to consider is whether that's a risk for you. If you're providing access to your docker for untrusted users, then it might make sense to run docker in a VM instead, since there's better separation there with fully virtualized kernels (compared to LXC, where the host kernel is re-used).

> Would it still be a substantial security improvement to run docker rootless (where the docker app accepts that) or would that just be a lot of work for little security gain?

You can try following [0] and see if it works (I've never tried this in LXC). It might add another layer for a potential intruder's privilege escalation efforts.

[0]: https://docs.docker.com/engine/security/rootless/
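A way to check the two properties discussed in this thread, written as an added example (not code from either poster or from Proxmox): it resolves which host uid a container uid maps to from a `uid_map`, and flags whether `nesting=1` is set in the container config. The sample `uid_map` and config contents, the hostnames and the helper names `map_uid` and `assess_ct` are constructed for illustration.

```shell
#!/bin/sh
# Added example. Input formats: /proc/<pid>/uid_map of the container's init
# process (read on the host) and the container's /etc/pve/lxc/<vmid>.conf.

# map_uid ID < uid_map : print the host uid that container uid ID maps to.
# Each uid_map line is: <first uid inside> <first uid on host> <range length>
map_uid() {
    awk -v id="$1" '
        NF == 3 && id >= $1 && id < $1 + $3 { print $2 + id - $1; hit = 1; exit }
        END { if (!hit) print "unmapped" }'
}

# assess_ct CONF UID_MAP : one-line verdict for a container.
assess_ct() {
    host_root=$(map_uid 0 < "$2")
    if [ "$host_root" = 0 ]; then
        echo "privileged: container root is host root"
    elif grep -Eq '^features:.*nesting=1' "$1"; then
        echo "unprivileged+nesting: container root is host uid $host_root, nesting enabled"
    else
        echo "unprivileged: container root is host uid $host_root"
    fi
}

# Constructed sample inputs (not taken from a real host).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '0 100000 65536\n' > "$tmp/unpriv.uid_map"
printf '0 0 4294967295\n' > "$tmp/priv.uid_map"
printf 'hostname: docker-ct\nunprivileged: 1\nfeatures: nesting=1,keyctl=1\n' > "$tmp/docker.conf"
printf 'hostname: plain-ct\nunprivileged: 1\n' > "$tmp/plain.conf"

assess_ct "$tmp/docker.conf" "$tmp/unpriv.uid_map"
assess_ct "$tmp/plain.conf"  "$tmp/unpriv.uid_map"
assess_ct "$tmp/plain.conf"  "$tmp/priv.uid_map"
map_uid 1000 < "$tmp/unpriv.uid_map"    # a non-root user inside the container
```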
Thanks. I have been planning to try rootless for a while. I might give it a shot.