Nfs-kernel-server inside a lxd container


I’m a happy lxd user, thank you for all the awesome work. We’ve migrated 90% of our stuff into containers with great results and one of the things left to do is to move our local nfs server. I found this bug detailing how to get that going, however I wanted to verify if the expectation is that everything will work as it would on a bare host. Is that the case? I’m not quite clear on the details of privileged Vs unprivileged (while not mentioned in the bug, it seems indeed n-k-s requires a privileged container, which makes sense) and wondering if in some use cases functionalities could break.

I would appreciate any detail on the implication of running this container unprivileged and with nfs-kernel-server - for example my expectation is that if the container/nfs was to lock-up somehow it would take down the host/all containers since the kernel space is shared. Is that the case?

Also I’m not quite clear on the implications of running a privileged container - I get that root inside becomes the same root on the host, but does that mean that container will have access to resources/mount points on the host or other containers, or it “just” means that in the case of a breach access to the host will be as root?



I’ve not tried this in a while but I would indeed expect the nfs-kernel-server to work from inside a privileged container. There are obvious security issues with doing so though. Should someone gain root in that container through a bug in any of the software you’re running, they will (provided they know how) be able to gain full root over the entire host.

As far as functionality, I wouldn’t expect the NFS server to behave any differently than on a host. I would however expect that you’ll be limited to running one of those per host as I don’t believe any of the kernel code is namespace aware and so running multiple servers in different containers will likely run you into some issues.

As far as what’s visible to a privileged container vs an unprivileged container, it’s pretty much all the same. A privileged container doesn’t directly see any more host resources, but due to its privileged nature, it may be able to escape confinement at which point the entire host would become visible to the attacker.

thanks Stéphane, that makes sense. Thanks for pointing out the multiple-nfs-server issue, I hadn’t thought of it and while it’s not a problem right now it’s good to keep in mind.