Hi folks,
I’m running 4.16 in the lab, and the 4.0 LTS in production, and I can’t find a reasonable way to do this on either of them. It seems you used to be able to just remount /proc with hidepid={1,2} but at least with the stock Ubuntu (minimal or otherwise) images this doesn’t work (proc is mounted read-only, so remount doesn’t work, nor does putting it in /etc/fstab).
The only ways we’ve found to make it work on modern LXD is:
-
security.nesting=True- this is unpalatable for security reasons, the trade-off of this in exchange for hidepid isn’t a good one. I also don’t 100% understand the mechanism by which it allows it, I’m guessing it’s something to do with changing the way mounts are handled so that an LXD can run in an LXD container? - Adding a bunch of lines to
raw.lxcto clobber the mount for /proc when LXC spawns it with the mount options we want.
The latter works, but in production we tend to sit on a stable version of LXD for a long time, and then where possible like to maintain the ability to transfer containers between the two versions while we transition everything to the new version. In the past, raw.lxc has caused us grief here, when a configuration key is deprecated and no longer supported in a newer version, the container move fails for non-obvious reasons.
So it’d be nice - but definitely not urgent/required - to have a configuration key for enabling hidepid on a supported container (obviously it would be unsupported in VMs, I’d think?), where LXD handles it for us?
Thoughts?