I’m new to containers and I need advice about privileged vs unprivileged:
1. Privileged containers.
   Very easy to create and run, but every tutorial I’ve read claims they’re super unsafe and you should never use them.
2. Unprivileged containers as an unprivileged user.
   I’ve run into a lot of issues with this type of container; it took me two days to make a working container as an unprivileged user in ALT Linux.
   Plus, it requires enabling unprivileged user namespaces in the kernel, which isn’t safe according to some articles.
3. Unprivileged containers as root.
   This seems the best way to make containers; it’s easy and doesn’t require unprivileged user namespaces.
I’m thinking of going the 3rd way, but I’m not sure how safe unprivileged containers run as root are.
LXD uses unprivileged containers (user namespace) with the setup done by the root user. The resulting namespaces and setup are identical to what you’d get with option 2 except that this allows us to perform setup steps that only a privileged user can do (mount disks/partitions, set up network devices, allocate more complex mappings for the user namespace, …).
When talking of LSS, I’m guessing you’re thinking of the talk that @brauner and myself gave at a recent edition? If so, we indeed tend to practice what we preach.
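
Added example, not part of the thread or of LXD's code: one way to verify from the host which of the three options a running container actually uses is to read the kernel's `/proc/<pid>/uid_map` for a process inside it and see where container root lands. The sample maps and function names below are constructed for illustration, and `check_pid` assumes it is run from the host's initial user namespace.

```python
"""Tell privileged from unprivileged containers by inspecting a user-namespace ID map."""
from pathlib import Path


def parse_id_map(text):
    """Parse uid_map/gid_map content into (inside_start, outside_start, length) tuples."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed id map line: {line!r}")
        entries.append(tuple(int(f) for f in fields))
    return entries


def to_host_id(entries, inside_id):
    """Translate an ID inside the namespace to the ID outside it, or None if unmapped."""
    for inside, outside, length in entries:
        if inside <= inside_id < inside + length:
            return outside + (inside_id - inside)
    return None


def root_is_host_root(entries):
    """True when UID 0 in the container is UID 0 on the host (a privileged container)."""
    return to_host_id(entries, 0) == 0


def check_pid(pid):
    """Read the live map of a process; meaningful when run from the host's initial namespace."""
    return root_is_host_root(parse_id_map(Path(f"/proc/{pid}/uid_map").read_text()))


# Constructed sample maps (illustrative values, not taken from the thread).
PRIVILEGED = "         0          0 4294967295\n"    # no user namespace: identity map
UNPRIVILEGED = "         0    1000000      65536\n"  # root shifted to an unprivileged host UID
# A multi-range map of the kind only root can set up: container UID 1000 passes through.
COMPLEX = "0 1000000 1000\n1000 1000 1\n1001 1001001 64535\n"

if __name__ == "__main__":
    for name, sample in (("privileged", PRIVILEGED), ("unprivileged", UNPRIVILEGED), ("complex", COMPLEX)):
        m = parse_id_map(sample)
        print(f"{name}: root -> {to_host_id(m, 0)}, uid 1000 -> {to_host_id(m, 1000)}, "
              f"root is host root: {root_is_host_root(m)}")
```

Options 2 and 3 from the question produce the same kind of shifted map; what differs is who wrote it and how many ranges it may contain.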