Docker in lxd 3


(ali) #1

Hi
Is docker unsecure yet in lxd version 3 ?


#2

I do not understand what you are trying to say.


(ali) #3

I mean, is it secure to run docker in lxd or similar to lxc I can’t do this in a secure way.

This is a rule that docker can not be launched in the container in a secure way?


#4

I just did the following in a Ubuntu 18.04.1 LXD container (LXD 3.7).

ubuntu@docker:~$ lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 18.04.1 LTS
Release:	18.04
Codename:	bionic
ubuntu@docker:~$ sudo docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
d1725b59e92d: Pull complete 
Digest: sha256:0add3ace90ecb4adbf7777e9aacf18357296e799f81cabc9fde470971e499788
Status: Downloaded newer image for hello-world:latest

Hello from Docker!
This message shows that your installation appears to be working correctly.

To generate this message, Docker took the following steps:
 1. The Docker client contacted the Docker daemon.
 2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
    (amd64)
 3. The Docker daemon created a new container from that image which runs the
    executable that produces the output you are currently reading.
 4. The Docker daemon streamed that output to the Docker client, which sent it
    to your terminal.

To try something more ambitious, you can run an Ubuntu container with:
 $ docker run -it ubuntu bash

Share images, automate workflows, and more with a free Docker ID:
 https://hub.docker.com/

For more examples and ideas, visit:
 https://docs.docker.com/get-started/

ubuntu@docker:~$ 

In terms of security, I used the security.nesting flag which is OK.
I did not have to use the security.privileged flag.

If you are doing things in a different way, please write exactly what you are doing.


(ali) #5

Thank you
Is this way secure?
root user in lxd container can come to host easily?


(Stéphane Graber) #6

root in an unprivileged LXD container (default) cannot escape the container unless some very bad kernel security issue is found, and should that happen, will have as much right as the nobody user on the host.

That’s the reason we implemented user namespaces in the first place :slight_smile:


(ali) #7

@stgraber thank you for your response.

So, can I give to my users, lxd containers with security.nesting=true ?


(Stéphane Graber) #8

So long as you don’t also set security.privileged=true, yes, that’s perfectly safe to do.

Note that in a shared environment, I’d recommend using security.idmap.isolated=true too as a way to avoid accidental DoS from one container to another by running out of some kernel limits.


#9

A rough rule of thumb goes like this:

  1. security.privileged: the container that has this flag, might attack the host.
  2. security.nesting: the container that has this flag, might be attacked from nested containers inside it (either LXD containers or Docker containers). The host is unaffected.