Privileged and unprivileged containers

Hello,

I’m new to containers and I need an advice about privileged vs unprivileged:

  1. Privileged containers.
    Very easy to create and run, but every turorial I’ve read claims they’re super unsafe and you should never use them.

  2. Unprivileged containers as an unprivileged user.
    I’ve run into a lot of issues with this type of containers, it took me two days to make a working container as an unprivileged user in ALT Linux.
    Plus, it requires enabling unprivileged user namespaces in the kernel which isn’t safe according to some articles.

  3. Unprivileged containers as root.
    This seems the best way to make containers, it’s easy and doesn’t require unprivileged user namespaces.

I’m thinking of going the 3rd way but I’m not sure how safe are unprivileged containers run as root.

The third option is what LXD uses by default. LXD runs as root and then spawns containers running as unprivileged users via liblxc.

Doesn’t seem to be option 3 then.

BTW I’m uncertain unprivileged containers as root don’t actually need user namespaces.

Latest LSS on the matter, the conclusion was unprivileged is the safest way to go as far as I remember.

LXD uses unprivileged containers (user namespace) with the setup done by the root user. The resulting namespaces and setup is identical to what you’d get with option 2 except that this allows us to perform setup steps that only a privileged user can do (mount disks/partitions, setup network devices, allocate more complex mappings for the user namespace, …).

When talking of LSS, I’m guess you’re thinking of the talk that @brauner and myself gave at a recent edition? If so, we indeed tend to practice what we preach :wink:

1 Like

Yep, I was referring to this very talk.

Thanks btw for giving it, it helped me to defend my case @ work. :slight_smile:

Thanks for the answers, one more question: what does unprivileged_userns_clone do? Does it allow user namespaces for non-root users?

Indeed it does and as far as I know is a distro patch mostly present in Debian and its derivatives. It’s not an upstream sysctl.