I am looking for some more advanced documentation of LXC

Hi

I am looking for some more detailed documentation of LXC Containers than the one available at https://linuxcontainers.org/#LXC
I know more or less how to create a container and start a process inside it, but at some point I realized that I do not know how this magic works at all.
I know that the source code is the best documentation but I am looking for something simpler…
For instance:
I would like to know what processes are involved while a process is started inside the container?
How is a UID from a container mapped to a UID outside the container, and what are the consequences of that?
Is it risky to have a process in a container with some capabilities (or a “root” process)?
What are namespaces/cgroups and what is their role in the context of LXC containers?

Tomasz

https://blog.simos.info/tag/lxd/

Simos has a great site of LXD blog posts.

But also check out the LXD subreddit:

https://www.reddit.com/r/LXD/new

Hi!

There are different types of documentation. The one you get at the LXC project is reference documentation.

Your question on namespaces and cgroups should be answered at the Linux kernel documentation, as these are generic Linux security primitives. There are also blog posts that explain them in practical terms.
I am on mobile now; there are blog posts that explain how to create Linux containers yourself using only those Linux kernel security primitives. They show the minimal code that makes this all work. I suggest looking for that.

In unprivileged containers, the init of the container image is spawned and there is no turning back to the process that created the container. The process tree of the container will either terminate itself or get terminated by LXD.

A container gets separate UIDs from the host, further separating it. Within the container, it looks as if it uses the range 0-65535.
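To make the UID mapping concrete, here is an added example (not code from the thread or from the LXC/LXD projects) that parses the kernel's `/proc/<pid>/uid_map` format, which user namespaces use to shift container UIDs onto host UIDs, and translates IDs in both directions. The sample map is constructed: container root becomes host UID 100000, one container UID is deliberately mapped to the same host UID (the kind of explicit mapping used for shared files), and anything outside the map translates to nothing at all.

```python
from typing import List, Optional, Tuple

# One uid_map entry: (first UID inside the namespace, first UID on the host, count)
Range = Tuple[int, int, int]

# Constructed sample, in the exact format the kernel writes to /proc/<pid>/uid_map.
# Ranges may not overlap; container 0..999 -> host 100000..100999,
# container 1000 -> host 1000, container 1001..65535 -> host 101001..165535.
SAMPLE_UID_MAP = """\
0 100000 1000
1000 1000 1
1001 101001 64535
"""


def parse_uid_map(text: str) -> List[Range]:
    """Parse uid_map lines of the form '<ns_start> <host_start> <count>'."""
    ranges: List[Range] = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        ns_start, host_start, count = (int(f) for f in fields)
        if count <= 0:
            raise ValueError(f"non-positive count in uid_map line: {line!r}")
        ranges.append((ns_start, host_start, count))
    return ranges


def container_to_host(uid: int, ranges: List[Range]) -> Optional[int]:
    """Host UID that a container UID really is, or None if the container cannot use it."""
    for ns_start, host_start, count in ranges:
        if ns_start <= uid < ns_start + count:
            return host_start + (uid - ns_start)
    return None


def host_to_container(uid: int, ranges: List[Range]) -> Optional[int]:
    """Container-side view of a host UID, or None if the host UID is invisible inside."""
    for ns_start, host_start, count in ranges:
        if host_start <= uid < host_start + count:
            return ns_start + (uid - host_start)
    return None


def is_host_root(container_uid: int, ranges: List[Range]) -> bool:
    """True only if this container UID is literally host UID 0 (it is not, in a shifted map)."""
    return container_to_host(container_uid, ranges) == 0


def read_own_uid_map() -> List[Range]:
    """Read the map of the current process; shows '0 0 4294967295' when not in a user namespace."""
    with open("/proc/self/uid_map") as f:
        return parse_uid_map(f.read())
```

Running `container_to_host(0, parse_uid_map(SAMPLE_UID_MAP))` returns 100000, which is why a "root" process in an unprivileged container owns nothing on the host that host UID 100000 does not own.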