Hi,
I restarted running Proxmox on a "Minipc" with only an Intel Celeron (4 cores), 32 GB and about 600 GB of SSD disk space. The box has got 2 NICs.
In this Proxmox environment I set up (all unprivileged):
1x LXC Debian MariaDB
1x LXC Debian NGINX Proxy Manager
1x LXC Debian Apache
1x LXC Debian Pihole
The Nginx Proxy Manager receives all requests from the Internet (443, 80) and passes them through to the LXC machines.
I also set up a ufw firewall on the Nginx Proxy Manager. The firewall is working, but I am unable to see logs / ufw cannot log because of an rsyslogd access problem (coming from the unprivileged mode).
You can also see the problem in the status of rsyslogd:
Code:
Jan 27 07:26:18 srv-npm systemd[1]: Starting System Logging Service...
Jan 27 07:26:18 srv-npm systemd[1]: Started System Logging Service.
Jan 27 07:26:18 srv-npm rsyslogd[561]: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd. [v8.2102.0]
Jan 27 07:26:18 srv-npm rsyslogd[561]: imklog: cannot open kernel log (/proc/kmsg): Permission denied.
Jan 27 07:26:18 srv-npm rsyslogd[561]: activation of module imklog failed [v8.2102.0 try https://www.rsyslog.com/e/2145 ]
I cannot find a lot about this "problem" on the web. Now I am wondering which solution I can use?
First idea: Running the NPM container in privileged mode, but I have a bad feeling about security.
Second idea: Set up a fully featured VM instead of the LXC container, but will this be more secure than running the container in privileged mode, or is it the same?
Third idea (and this is not attached to the question):
Setting up a pfSense VM in Proxmox, just to have more control over the connections (also concerning visibility = what's going on on the net). To be honest, I am unsure how this works with only 2 NICs. (I would have to reconfigure my whole network.)
My main concern is the decision between idea 1 and idea 2.
Some hints are very welcome!
Thanks a lot!
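
The rsyslogd status above shows imklog being denied access to /proc/kmsg. As an added example (not part of the original post), this script checks whether that error coincides with a remapped root uid, which is how an unprivileged container looks from inside; the function names, verdict strings and the sample uid mapping are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that the imklog failure
# coincides with the container's user-namespace uid mapping.

# Succeeds if uid_map file $1 maps container root (uid 0) to a non-zero host
# uid, which is how an unprivileged LXC container appears from inside.
is_userns_remapped() {
    # Columns: <first uid inside> <first uid outside> <range length>
    awk '$1 == 0 && $2 != 0 { hit = 1 } END { exit (hit ? 0 : 1) }' "$1"
}

# Succeeds if log file $1 contains the imklog error quoted in the post.
imklog_denied() {
    grep -qF 'imklog: cannot open kernel log (/proc/kmsg): Permission denied' "$1"
}

# Prints one verdict for uid_map file $1 and rsyslog log file $2.
diagnose() {
    if ! imklog_denied "$2"; then
        echo "imklog-ok"
    elif is_userns_remapped "$1"; then
        echo "imklog-denied-userns"
    else
        echo "imklog-denied-other"
    fi
}

# Constructed sample input so the script runs offline. The 100000 offset is an
# assumed, typical mapping; the log line is the one shown in the post.
demo=$(mktemp -d)
printf '%s\n' '         0     100000      65536' > "$demo/uid_map_unpriv"
printf '%s\n' '         0          0 4294967295' > "$demo/uid_map_host"
printf '%s\n' 'Jan 27 07:26:18 srv-npm rsyslogd[561]: imklog: cannot open kernel log (/proc/kmsg): Permission denied.' > "$demo/rsyslog.log"

diagnose "$demo/uid_map_unpriv" "$demo/rsyslog.log"

# On a live container (assumption: journald holds the rsyslog unit's output):
#   journalctl -u rsyslog -b --no-pager > /tmp/rsyslog.log
#   diagnose /proc/self/uid_map /tmp/rsyslog.log
```

A verdict of imklog-denied-other means the error appeared although root is not remapped, so the cause lies elsewhere than the uid mapping.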