Run docker in lxc is secure?

alizowghi · June 5, 2018, 5:51pm

Hi
I can run docker containers in lxc with following lxc config:
lxc.apparmor.profile: unconfined
Is it secure or not?
I want use this for many users that want to work with docker in their lxc vm.

stgraber · June 5, 2018, 6:22pm

Assuming the container is also privileged (which it likely is in this case), no, it’s not safe.
Privileged containers without apparmor enabled make it easy for a user inside the container to escape to the host.

It’s no worse than running Docker directly on the host with your users having administrative access to the host, but if your goal is to separate your various users in a way where they can’t harm each another or the host, privileged containers without apparmor will not achieve this.

alizowghi · September 5, 2018, 10:49am

Can we say, there is not a secure way to run docker inside lxc ?

trystan · September 5, 2018, 11:56am

Unprivileged container, overylay storage backend for docker, security.nesting=true

That’s the secure way. This whole myth of docker not functioning well or securely in LXD/LXC needs to go away.

Aleks_Dejota · May 3, 2019, 10:43am

@trystan First person with the RIGHT knowledge… thanks

Just to extend the response:

Add “aufs” or “overlay” (or both) to /etc/modules-load.d/modules.conf in your PVE host and reboot. Check it with lsmod | grep -E 'overlay|aufs'
Use a LXC image with unprivilege features (you can check them here)
Create the container with unprivilege option, and “keyctl=1, nesting=1” features (Options section in proxmox).
Maybe you would want to mount an external point into /var/lib/docker (Resources section in proxmox)
Check this link to change your storage-driver in docker to use aufs or overlay2.
Voilá…

P.S: now people please keep worring about having docker inside LXC or even in the PVE host, but now worried at all having docker in a bare production host … thats cool

gjgroen · June 5, 2019, 11:46am

I’ve done all the steps in this post (including mounting an external point into /var/lib/docker) but Docker is failing.

‘overlay2’ is not supported over zfs"

Is there a work-around?

stgraber · June 5, 2019, 11:53am

On top of ZFS, your only real option I believe is to use the vfs storage backend in Docker.

gjgroen · June 5, 2019, 12:09pm

Thanks, but it might use a lot more disk space than I would like. I’ve heard numbers of 30 GB for a Bitwarden install.

And how about creating a zfs-dataset with a file system (ext4?), add it as storage in Proxmox, then mount that to container?

I think I might use a virtual machine (KVM) for Docker to be more flexibel.

stgraber · June 6, 2019, 12:10pm

Yeah, passing a disk device that’s ext4 and mounting this on top of Docker’s storage directory would then let you use overlay