Running docker and autodev in a shared env.

rsmvdl

Jul 15, 2016
Hello,

I would like to know the risk of running an LXC container with the following ruleset in a shared public environment:

lxc.apparmor.profile: unconfined
lxc.cgroup.devices.allow: a
lxc.cap.drop:
lxc.cgroup.devices.allow: c 10:200 rwm
lxc.hook.autodev: sh -c "modprobe tun; cd ${LXC_ROOTFS_MOUNT}/dev; mkdir net; mknod net/tun c 10 200; chmod 0666 net/tun"

These rules make it possible to use VPN tun devices flawlessly and to run Docker inside LXC.
I would like to keep the flexibility of LXC but want to give my clients the possibility to run Docker and VPN-like software on their instances.
Besides that, I would also like to know how I can set these rules as a default value for every new container that gets created, without manually editing the LXC conf file located at /etc/pve/lxc/10x.conf.

Is this solution a good idea?

Thanks in advance
 
Hi,

I would like to know the risk of running an LXC container with the following ruleset in a shared public environment.
When you use unconfined AppArmor, it means any security check in place from AppArmor will be ignored by the container. The risk here is, if you're using a privileged container, it might make it easier for a malicious user to escape from the container and gain root access on your host machine.

Besides that, I would also like to know how I can set these rules as a default value for every new container that gets created, without manually editing the LXC conf file located at /etc/pve/lxc/10x.conf.

You can edit the default configuration file in /etc/lxc/default.conf and it will be applied to any newly created containers.
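As an added example, not posted by either participant in this thread, the following POSIX sh script flags the settings discussed above (unconfined AppArmor, `devices.allow: a`, an emptied `lxc.cap.drop`, a hook that runs `modprobe`, and an explicitly privileged container) when they appear in a container config file. The sample config it writes reproduces the ruleset from the question plus a constructed `unprivileged: 0` line; the second, lower-risk config is also constructed and assumes the tun module is already loaded on the host. On a Proxmox host you would point `audit_lxc_conf` at `/etc/pve/lxc/<vmid>.conf` or at `/etc/lxc/default.conf`.

```shell
#!/bin/sh
# Added example (not from the forum thread): audit an LXC / Proxmox container
# config for the risky settings discussed above. Paths and both sample configs
# below are constructed for the demo.

# Print one finding per risky key/value pair found in FILE. Always returns 0;
# use audit_count to get the number of findings.
audit_lxc_conf() {
    conf="$1"
    while IFS= read -r line || [ -n "$line" ]; do
        # Drop comments and surrounding whitespace.
        line=$(printf '%s' "$line" | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//')
        if [ -z "$line" ]; then continue; fi
        # Key is everything before the first ':' or '=' (Proxmox uses "key: value",
        # plain LXC uses "key = value"); value is everything after it.
        key=$(printf '%s' "$line" | sed 's/^\([^:=]*\).*/\1/; s/[[:space:]]*$//')
        val=$(printf '%s' "$line" | sed 's/^[^:=]*[:=]//; s/^[[:space:]]*//')
        case "$key" in
            lxc.apparmor.profile|lxc.aa_profile)
                if [ "$val" = "unconfined" ]; then
                    echo "HIGH $key=$val: AppArmor confinement disabled for the container"
                fi ;;
            lxc.cgroup.devices.allow|lxc.cgroup2.devices.allow)
                if [ "$val" = "a" ]; then
                    echo "HIGH $key=a: container may access every device node on the host"
                fi ;;
            lxc.cap.drop)
                if [ -z "$val" ]; then
                    echo "HIGH $key=(empty): default capability drop list cleared"
                fi ;;
            lxc.hook.autodev)
                case "$val" in
                    *modprobe*) echo "MED  $key: hook runs modprobe, i.e. loads kernel modules on the host" ;;
                esac ;;
            unprivileged)
                if [ "$val" = "0" ]; then
                    echo "HIGH $key=0: privileged container (container root is host uid 0)"
                fi ;;
        esac
    done < "$conf"
    return 0
}

# Number of findings for FILE, as a bare integer.
audit_count() {
    audit_lxc_conf "$1" | wc -l | tr -d ' '
}

# Constructed sample: the ruleset from the question, plus an explicit
# "unprivileged: 0" (the thread does not show this key; Proxmox treats a
# container as privileged when it is absent or 0).
write_sample_conf() {
    cat > "$1" <<'EOF'
arch: amd64
hostname: client-ct
unprivileged: 0
lxc.apparmor.profile: unconfined
lxc.cgroup.devices.allow: a
lxc.cap.drop:
lxc.cgroup.devices.allow: c 10:200 rwm
lxc.hook.autodev: sh -c "modprobe tun; cd ${LXC_ROOTFS_MOUNT}/dev; mkdir net; mknod net/tun c 10 200; chmod 0666 net/tun"
EOF
}

# Constructed lower-risk alternative: unprivileged container with Proxmox's
# nesting feature for Docker, only the tun device allowed, and /dev/net/tun
# bind-mounted from the host (assumes the tun module is already loaded there,
# so no modprobe hook is needed).
write_lower_risk_conf() {
    cat > "$1" <<'EOF'
arch: amd64
hostname: client-ct
unprivileged: 1
features: nesting=1
lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
echo "== findings for constructed risky config =="
audit_lxc_conf "$sample"
rm -f "$sample"
```

Run it on a real `/etc/pve/lxc/<vmid>.conf` to see which of the thread's settings are present; an empty result means none of the flagged keys were found, not that the container is safe in every respect.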