Is docker unsecure yet in lxd version 3 ?
I do not understand what you are trying to say.
I mean, is it secure to run docker in lxd or similar to lxc I can’t do this in a secure way.
This is a rule that docker can not be launched in the container in a secure way?
I just did the following in a Ubuntu 18.04.1 LXD container (LXD 3.7).
ubuntu@docker:~$ lsb_release -a No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu 18.04.1 LTS Release: 18.04 Codename: bionic ubuntu@docker:~$ sudo docker run hello-world Unable to find image 'hello-world:latest' locally latest: Pulling from library/hello-world d1725b59e92d: Pull complete Digest: sha256:0add3ace90ecb4adbf7777e9aacf18357296e799f81cabc9fde470971e499788 Status: Downloaded newer image for hello-world:latest Hello from Docker! This message shows that your installation appears to be working correctly. To generate this message, Docker took the following steps: 1. The Docker client contacted the Docker daemon. 2. The Docker daemon pulled the "hello-world" image from the Docker Hub. (amd64) 3. The Docker daemon created a new container from that image which runs the executable that produces the output you are currently reading. 4. The Docker daemon streamed that output to the Docker client, which sent it to your terminal. To try something more ambitious, you can run an Ubuntu container with: $ docker run -it ubuntu bash Share images, automate workflows, and more with a free Docker ID: https://hub.docker.com/ For more examples and ideas, visit: https://docs.docker.com/get-started/ ubuntu@docker:~$
In terms of security, I used the
security.nesting flag which is OK.
I did not have to use the
If you are doing things in a different way, please write exactly what you are doing.
Is this way secure?
root user in lxd container can come to host easily?
root in an unprivileged LXD container (default) cannot escape the container unless some very bad kernel security issue is found, and should that happen, will have as much right as the
nobody user on the host.
That’s the reason we implemented user namespaces in the first place
@stgraber thank you for your response.
So, can I give to my users, lxd containers with security.nesting=true ?
So long as you don’t also set security.privileged=true, yes, that’s perfectly safe to do.
Note that in a shared environment, I’d recommend using security.idmap.isolated=true too as a way to avoid accidental DoS from one container to another by running out of some kernel limits.
A rough rule of thumb goes like this:
- security.privileged: the container that has this flag, might attack the host.
- security.nesting: the container that has this flag, might be attacked from nested containers inside it (either LXD containers or Docker containers). The host is unaffected.