To support Docker in my unprivileged LXC container and avoid using the very inefficient “VFS” storage driver, I decided to use “fuse-overlayfs”.
To accomplish that I added the following config to my container:
#Required for Docker overlayfs #fuse-overlayfs package installed both on host and inside container lxc.mount.entry = /dev/fuse dev/fuse none bind,create=file 0 0
This setup works flawlessly, but how secure is it?
Is it any better than using overlay with “modprobe overlay permit_mounts_in_userns=1” on the host, which would allow an attacker in the container to gain host root privileges ? (https://lwn.net/Articles/671641/)