Ubuntu 24.04 - unsupported Ubuntu version '24.04'

Basically anything running a recent systemd (recent meaning released in the last five, if not ten, years at least), since systemd now has quite powerful sandboxing and container mechanisms by itself (see https://wiki.archlinux.org/title/Systemd/Sandboxing and https://wiki.debian.org/ServiceSandboxing, and the following posts by systemd developer Lennart Poettering: https://0pointer.net/blog/projects/security.html and https://0pointer.net/blog/systemd-for-administrators-part-xxi.html) that need nesting. Thus nesting is also enabled by default on new containers since some Proxmox VE versions.

Any security fears are imho not grounded in reality: a service managed by systemd in an unprivileged container shouldn't be less secure than any process running on bare metal as a non-root user on the host, even without the added sandboxing options of systemd. With them enabled, and the additional security of LXC (using Linux control groups and namespaces), they are probably more secure than a service running as a non-root user on the host.

If however you are running a privileged LXC container, it doesn't really matter whether you have nesting enabled or not, since you are running as root:

Unprivileged Containers
Unprivileged containers use a new kernel feature called user namespaces. The root UID 0 inside the container is mapped to an unprivileged user outside the container. This means that most security issues (container escape, resource abuse, etc.) in these containers will affect a random unprivileged user, and would be a generic kernel security bug rather than an LXC issue. The LXC team thinks unprivileged containers are safe by design.

This is the default option when creating a new container.

Note: If the container uses systemd as an init system, please be aware the systemd version running inside the container should be equal to or greater than 220.
Privileged Containers
Security in containers is achieved by using mandatory access control AppArmor restrictions, seccomp filters and Linux kernel namespaces. The LXC team considers this kind of container as unsafe, and they will not consider new container escape exploits to be security issues worthy of a CVE and quick fix. That’s why privileged containers should only be used in trusted environments.
https://pve.proxmox.com/wiki/Linux_Container#_security_considerations
Now if you are running a container in a distribution which doesn't use systemd but another init system (like Devuan or Alpine), of course you don't need nesting (as long as you don't want to run a container inside that container), but that's another story ;) This subdiscussion started with somebody running an Ubuntu container without nesting, and Ubuntu uses systemd.
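The two points above (container root being mapped to an unprivileged host UID, and systemd sandboxing needing to create mount namespaces, which is what nesting permits) can be checked from inside a container. This is an added example and not code from the original post or from Proxmox; the function names are my own, and the /proc/self/uid_map line format ("inside-start outside-start count") is the one the kernel documents.

```shell
#!/bin/sh
# Decide from /proc/self/uid_map whether container root (UID 0) is really host
# root, or is mapped to an unprivileged host UID as in an unprivileged CT.
# Each uid_map line reads "<inside-start> <outside-start> <count>".

classify_uid_map() {
  # $1: uid_map contents; prints privileged | unprivileged | root-unmapped
  printf '%s\n' "$1" | awk '
    # does this mapping range cover inside UID 0?
    $1 <= 0 && 0 < $1 + $3 {
      if ($2 == 0) print "privileged"; else print "unprivileged"
      found = 1; exit
    }
    END { if (!found) print "root-unmapped" }'
}

# Host UID that container root ends up as (e.g. 100000 on a default Proxmox CT);
# useful when auditing ownership of bind-mounted files on the host.
host_uid_of_root() {
  printf '%s\n' "$1" | awk '$1 <= 0 && 0 < $1 + $3 { print $2; exit }'
}

# Can this process create a new mount namespace? systemd sandboxing options such
# as PrivateTmp= and ProtectSystem= need this; without nesting an LXC container
# is normally denied it by AppArmor.
mount_ns_available() {
  command -v unshare >/dev/null 2>&1 || { echo "unknown (no unshare)"; return; }
  if unshare --mount true 2>/dev/null; then echo yes; else echo no; fi
}

if [ -r /proc/self/uid_map ]; then
  map=$(cat /proc/self/uid_map)
  echo "uid_map:"; echo "$map"
  echo "container root is: $(classify_uid_map "$map") (host UID $(host_uid_of_root "$map"))"
  echo "can create mount namespace: $(mount_ns_available)"
fi
```

A privileged CT (or the host itself) shows "0 0 4294967295" and classifies as privileged; a default unprivileged Proxmox CT shows "0 100000 65536".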