Hello,
I would like to know the risk of running an LXC container with the following ruleset in a shared public environment:
lxc.apparmor.profile: unconfined
lxc.cgroup.devices.allow: a
lxc.cap.drop:
lxc.cgroup.devices.allow: c 10:200 rwm
lxc.hook.autodev: sh -c "modprobe tun; cd ${LXC_ROOTFS_MOUNT}/dev; mkdir net; mknod net/tun c 10 200; chmod 0666 net/tun"
These rules make it possible to flawlessly use VPN tun devices and to run Docker inside of LXC.
I would like to stay with the flexibility of LXC but want to give my client the possibility to run Docker and VPN-like software on their instances.
Besides, I would also like to know how I can set these rules as a default value for every new container that gets created, without manually editing the LXC conf file located at /etc/pve/lxc/10x.conf.
Is this solution a good idea?
Thanks in advance.
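As an added example that is not part of the original post: a small POSIX shell audit that scans a Proxmox LXC config file for exactly the isolation-weakening settings listed above (AppArmor unconfined, all devices allowed via "a", an empty lxc.cap.drop, and a start hook that runs modprobe on the host). The config keys and the /etc/pve/lxc path come from the post; the function name and the sample config used for testing are constructed for this example.

```shell
#!/bin/sh
# Added example (not the forum poster's code): audit an LXC config file for
# settings that remove the container's isolation. Prints one line per finding
# and returns 1 if anything was found, 0 otherwise.
# Usage on a Proxmox host:  sh audit_lxc_conf.sh /etc/pve/lxc/*.conf

audit_lxc_conf() {
    conf="$1"
    found=0

    # Print a finding and remember that at least one exists.
    flag() {
        printf '%s: %s\n' "$conf" "$1"
        found=1
    }

    # No AppArmor profile at all: the container is not mediated by MAC policy.
    if grep -Eq '^lxc\.apparmor\.profile:[[:space:]]*unconfined' "$conf"; then
        flag "AppArmor profile is unconfined"
    fi

    # "a" in the device cgroup allows every host device node, far more than
    # the single tun device (c 10:200) the post actually needs.
    if grep -Eq '^lxc\.cgroup2?\.devices\.allow:[[:space:]]*a[[:space:]]*$' "$conf"; then
        flag "device cgroup allows all devices (a)"
    fi

    # An empty lxc.cap.drop overrides the default list of dropped capabilities,
    # so the container keeps every capability its root user starts with.
    if grep -Eq '^lxc\.cap\.drop:[[:space:]]*$' "$conf"; then
        flag "lxc.cap.drop is empty (no capabilities dropped)"
    fi

    # Hooks run on the host side; a modprobe there loads kernel modules on
    # the host every time the container starts.
    if grep -Eq '^lxc\.hook\.[a-z-]+:.*modprobe' "$conf"; then
        flag "start hook runs modprobe on the host"
    fi

    return $found
}

# Audit every file given on the command line; do nothing when run without args.
if [ "$#" -gt 0 ]; then
    for f in "$@"; do
        audit_lxc_conf "$f" || true
    done
fi
```

A config that only allows the tun device (`c 10:200 rwm`) and keeps a non-empty `lxc.cap.drop` produces no findings, which is the shape of the narrower rule set a shared host would want.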