New plan
I sent a previous version of this to a friend to spare myself the need to explain to him what to do, and he found the tutorial confusing! Instead of the old arrangement, having colors to denote what lines are for what task, I have decided to SEPARATE THIS INTO FOUR PARTS...
1- LXC info
2- Shared system setup
3- Privileged LXC step by step
4- Unprivileged LXC run by new user step by step
5- Unprivileged LXC run by root user step by step
I hope this clears things up. The color codes will still exist, mostly because I have already done the work!
Legend
Blue = Common (both privileged and unprivileged)
RED = Privileged containers (Less secure)
Green = Unprivileged containers (More secure)
Following Blue and Red instructions will end up with privileged containers (BAD), following Blue and Green will end up with unprivileged containers (Good).
How to read
If you know what you want and are only interested in the guide, scroll down to Step 1 of the section you need. If I were in your shoes, I would at least read all the titles before getting to Step 1 to see if there is anything interesting before starting.
This post has a hands-on tutorial for running unprivileged LXC containers, a step-by-step LXC guide so to speak, but before I get down to the steps, I decided to include all the things you might need to know about LXC and LXD. So if you know what you are looking for, scroll down to the “Step by step guide”, but make sure you take a look at the COLOR LEGEND first.
Why yet another tutorial?
Most of the tutorials online focus on creating an extra user to use with LXC. That is one way to do it, with a few drawbacks; the other way is to create a range of subordinate IDs for the root user. The advantages of the second approach relate to “Autostart” and filesystem sharing between host and guest.
As per usual, the primary goal of every post on this blog is my own reference: the internet is full of misleading and inaccurate stuff, and when I come back to a similar situation, I don’t want to do the research all over again.
Privileged VS unprivileged
Privileged containers are generally unsafe; the only advantage of privileged containers is that they are very easy to set up.
Privileged containers share the same root user with the host, so if the container's root user gets compromised, the attacker can sneak into the host system. Hence, unprivileged containers are more secure but involve some initial work to set up.
What is the problem with Privileged containers
It is relatively easy to deploy LXC (which also happens to be what is powering LXD): you install it, run a command to create a container, and voila, a whole new Linux system within your host Linux system, sharing the same kernel as the host. But there is one caveat: if a malicious user or application compromises your container, they would also have compromised the host machine automatically. How? The root user on both is the same user!
The solution, unprivileged containers
In come unprivileged containers. In this setup, we either map a user ID to root within the container, or still use root but through subordinate IDs. So instead of the host's user ID for root (usually zero) also being root inside the container, we create a user outside the container (or a subordinate ID of root) and instruct the kernel to map this user's ID and treat it as ID zero inside the container. If a malicious user gets access to the container and ends up breaking out of it, they will find themselves logged on as a different user, with privileges very close to those of the user nobody, or in other words, barely any privileges.
Enough with the theory, what do I need to do?
You set up LXC, then depending on the type of container and user you need, you may want to set up the Linux kernel to use that user as root in the container. To make that happen, you will need to take a few steps to give that user the required privileges and nothing more than what is required; nothing complicated about those steps either. So let us get started.
Scenario 1- LXC, privileged, no complications, but low security
To clarify, making a privileged container does not stop you from making unprivileged containers later, BUT the unprivileged containers need to be different containers 😉 so you might make a privileged one, then replace it with an unprivileged one.
Step 1: Install LXC!
Enable Unprivileged User Namespaces
It is enabled by default. To make sure that it is, run the command below; if it returns “kernel.unprivileged_userns_clone = 1” you are good to go.
sysctl kernel.unprivileged_userns_clone
If for any reason it is not enabled (0), you can enable it by adding it to /etc/sysctl.d: edit the file “/etc/sysctl.d/00-local-userns.conf” and add the following line (if the file does not exist, create it).
kernel.unprivileged_userns_clone=1
Once done, run the command:
service procps restart
Create the user
You can call the user whatever you want; I chose to call the user lxcadmin, an arbitrary choice. To create a user we issue the following command.
Configure AppArmor
AppArmor is enabled by default on Debian 10 (buster) and later. AppArmor is recommended as it adds a layer of security which may prove vital for a system running your virtual machines.
To check whether it is enabled on your system or not, you can run the following command:
cat /sys/module/apparmor/parameters/enabled
If the above returns the letter Y, AppArmor is enabled, and you need to set it up to allow for our unprivileged setup.
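The two preflight checks above (the user-namespace sysctl and the AppArmor flag) as one idempotent script. This is an added example, not code from the original post; the function names and the parameterised paths are my own so the logic can be exercised against constructed input, and the sysctl name is the one the post uses from the Debian kernel (it does not exist on kernels without that patch).

```shell
#!/bin/sh
# Preflight checks for the unprivileged LXC setup described in the post.
# Paths and inputs are parameters (hypothetical helper names) so the checks
# can be tested against constructed data as well as the live system.

# Return 0 when a "sysctl kernel.unprivileged_userns_clone" output line
# reports the value 1, 1 otherwise (empty input counts as disabled).
userns_line_enabled() {
    val=${1##*=}                         # text after the '='
    val=$(printf '%s' "$val" | tr -d ' ') # drop surrounding spaces
    [ "$val" = "1" ]
}

# Make sure the persistent setting is present in the given sysctl drop-in
# (the post uses /etc/sysctl.d/00-local-userns.conf). Safe to run twice:
# the line is appended only when it is not already there.
ensure_userns_conf() {
    conf="$1"
    if [ -f "$conf" ] && grep -q '^kernel.unprivileged_userns_clone=1$' "$conf"; then
        return 0
    fi
    printf 'kernel.unprivileged_userns_clone=1\n' >> "$conf"
}

# AppArmor status as the post reads it: the parameters file holds "Y" when enabled.
apparmor_enabled_file() {
    [ -f "$1" ] && [ "$(cat "$1")" = "Y" ]
}

# Run both checks against the live host (meaningful on a Debian system only).
preflight() {
    if userns_line_enabled "$(sysctl kernel.unprivileged_userns_clone 2>/dev/null)"; then
        echo "unprivileged user namespaces: enabled"
    else
        echo "unprivileged user namespaces: DISABLED (add the sysctl drop-in, then 'service procps restart')"
    fi
    if apparmor_enabled_file /sys/module/apparmor/parameters/enabled; then
        echo "AppArmor: enabled (Y)"
    else
        echo "AppArmor: not enabled"
    fi
}

preflight
```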