Is running docker in lxc secure?

lxd

(ali) #1

Hi
I can run docker containers in lxc with the following lxc config:
lxc.apparmor.profile: unconfined
Is it secure or not?
I want to use this for many users that want to work with docker in their lxc vm.


(Stéphane Graber) #2

Assuming the container is also privileged (which it likely is in this case), no, it’s not safe.
Privileged containers without apparmor enabled make it easy for a user inside the container to escape to the host.

It’s no worse than running Docker directly on the host with your users having administrative access to the host, but if your goal is to separate your various users in a way where they can’t harm each other or the host, privileged containers without apparmor will not achieve this.


(ali) #3

Can we say there is no secure way to run docker inside lxc?


(Trystan) #4

Unprivileged container, overlay storage backend for docker, security.nesting=true

That’s the secure way. This whole myth of docker not functioning well or securely in LXD/LXC needs to go away.


(Aleks Dejota) #5

@trystan First person with the RIGHT knowledge… thanks

Just to extend the response:

  1. Add “aufs” or “overlay” (or both) to /etc/modules-load.d/modules.conf in your PVE host and reboot. Check it with lsmod | grep -E 'overlay|aufs'
  2. Use a LXC image with unprivileged features (you can check them here)
  3. Create the container with the unprivileged option, and “keyctl=1, nesting=1” features (Options section in proxmox).
  4. Maybe you would want to mount an external point into /var/lib/docker (Resources section in proxmox)
  5. Check this link to change your storage-driver in docker to use aufs or overlay2.
  6. Voilà…

P.S: now people please keep worrying about having docker inside LXC or even in the PVE host, but not worried at all about having docker in a bare production host … that's cool
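The advice in posts #2, #4 and #5 boils down to a few settings a host admin can audit: the container must be unprivileged, AppArmor must not be switched off, and the nesting/keyctl features and the overlay module are needed for Docker to work at all. The script below is an added example written for this thread, not code from any of the posters or from the Proxmox/LXD projects. It audits a Proxmox LXC config (the /etc/pve/lxc/<vmid>.conf format implied by post #1's lxc.apparmor.profile line and post #5's PVE steps) passed in as a string, and checks lsmod-style output for step 1. The two container configs, the hostnames, the storage names and the lsmod output are constructed samples.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Proxmox LXC container config
# against the setup recommended in posts #2, #4 and #5.
# All container IDs, hostnames, storage names and module listings are constructed.

# Constructed sample: the setup from post #1 (privileged, AppArmor disabled).
UNSAFE_CFG='arch: amd64
features: nesting=1
hostname: docker-unsafe
ostype: ubuntu
rootfs: local-lvm:vm-100-disk-0,size=8G
lxc.apparmor.profile: unconfined'

# Constructed sample: the setup from post #5 (unprivileged, keyctl+nesting, AppArmor on).
SAFE_CFG='arch: amd64
features: keyctl=1,nesting=1
hostname: docker-safe
ostype: ubuntu
rootfs: local-lvm:vm-101-disk-0,size=8G
unprivileged: 1'

# Print one verdict line for a config passed as a string:
#   "ok"               -> matches the recommended setup
#   "unsafe: <reason>" -> escape-prone (privileged and/or AppArmor off), exit 1
#   "broken: <reason>" -> confined, but docker will not run (feature missing), exit 2
audit_pve_ct_config() {
  cfg="$1"
  # Proxmox treats a missing "unprivileged:" line as a privileged container.
  if ! printf '%s\n' "$cfg" | grep -q '^unprivileged: 1$'; then
    echo "unsafe: privileged container (no 'unprivileged: 1')"
    return 1
  fi
  # Post #1's workaround: this disables the AppArmor confinement post #2 relies on.
  if printf '%s\n' "$cfg" | grep -q '^lxc\.apparmor\.profile: *unconfined'; then
    echo "unsafe: AppArmor disabled via lxc.apparmor.profile"
    return 1
  fi
  # Step 3 of post #5: both features must be present in the comma-separated list.
  features=$(printf '%s\n' "$cfg" | sed -n 's/^features: *//p')
  case ",$features," in
    *,nesting=1,*) ;;
    *) echo "broken: nesting=1 missing from features"; return 2 ;;
  esac
  case ",$features," in
    *,keyctl=1,*) ;;
    *) echo "broken: keyctl=1 missing from features"; return 2 ;;
  esac
  echo "ok"
  return 0
}

# Step 1 of post #5: given lsmod output, print the first overlay-type module
# that is loaded ("overlay" or "aufs"), or "none" if neither is.
overlay_module_loaded() {
  modules="$1"
  printf '%s\n' "$modules" | awk '$1=="overlay"||$1=="aufs"{print $1; exit}' | grep . || echo none
}

# Constructed lsmod-style sample.
LSMOD_SAMPLE='Module                  Size  Used by
overlay               151552  0
xt_conntrack           16384  1'

main() {
  audit_pve_ct_config "$UNSAFE_CFG" || :
  audit_pve_ct_config "$SAFE_CFG" || :
  overlay_module_loaded "$LSMOD_SAMPLE"
  # On a real PVE host (vmid 101 is a placeholder):
  #   audit_pve_ct_config "$(cat /etc/pve/lxc/101.conf)"
  #   overlay_module_loaded "$(lsmod)"
}

main "$@"
```

The privileged check runs first because it is the worse of the two findings: post #2's point is that a privileged container without AppArmor is trivially escapable, whereas a missing feature only stops Docker from starting. An unprivileged container with AppArmor disabled is still reported as unsafe rather than merely weaker, since the thread's recommended setup keeps both protections.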