Differences

This shows you the differences between two versions of the page.

--- lxc:permissions [2021/01/03 15:52] – created peter
+++ lxc:permissions [2021/01/03 16:18] (current) – [Configure Unprivileged Containers] peter
@@ Line 1: / Line 1: @@
 ====== LXC - Permissions ======
+Ubuntu is also one of the few Linux distributions to come by default with everything that's needed for safe, unprivileged LXC containers.
+If using Ubuntu, it is recommended to use Ubuntu 18.04 LTS or higher as your container host.
+----
+===== Permissions =====
+Unprivileged containers are the safest containers.
+Those use a map of uid and gid to allocate a range of uids and gids to a container.
+That means that uid 0 (root) in the container is actually something like uid 100000 outside the container.
+So should something go very wrong and an attacker manages to escape the container, they'll find themselves with about as many rights as a nobody user.
+----
+==== Configure Unprivileged Containers ====
+Ensure your user has a uid and gid map defined in **/etc/subuid** and **/etc/subgid**.
+Check **/etc/subuid**.
+<file bash /etc/subuid>
+peter:100000:65536
+</file>
+and Check **/etc/subgid**.
+<file bash /etc/subgid>
+peter:100000:65536
+</file>
+<WRAP info>
+**NOTE:**  On Ubuntu systems, a default allocation of 65536 uids and gids is given to every new user on the system, so you should already have one.
+If not, you'll have to use **usermod** to give yourself one:
+<code bash>
+sudo usermod --append --groups lxd peter
+</code>
+or
+<code bash>
+sudo usermod -a -G lxd peter
+</code>
+By adding the non-root Unix user account to the lxd group, allows that user to run any lxc commands without prepending sudo.  Without this addition, you would have needed to prepend sudo to each lxc command.
+</WRAP>
+----