Is it possible to turn an existing, running, privileged container into a non-privileged one without recreating it (it could be stopped for a while)?
This container is privileged because it requires access to Unix sockets, and after turning it into a non-privileged one I would still need to be able to access those sockets.
If using LXD, all you need to do is set security.privileged=false
and then restart the container to have LXD remap it.
We use lxc cli to create those containers so I assume it is LXD.
What about the access to Unix sockets from this unprivileged container? Will it work?
Depends on the permission on the unix socket. If it doesn't, you can either tweak the permissions on the socket to be more permissive or you can use a proxy device in LXD which allows for forwarding between unix sockets and can run with whatever user/group you want on the host or container side (obviously comes with a bit of performance overhead as the traffic needs to be forwarded).
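The two steps from the replies above (flip `security.privileged`, restart, then expose the host socket through a `proxy` device), written up as an added shell example. This is not code from the thread or from the LXD project; the container name `c1`, the device name `svcsock` and the socket paths are constructed placeholders, and the script only prints the `lxc` commands unless `LXD_DRY_RUN=0` is set. The permission check uses GNU `stat -c %a`.

```shell
#!/bin/sh
# Added example, not from the thread. Converts an existing LXD container from
# privileged to unprivileged and forwards a host Unix socket into it with an LXD
# proxy device. Container name "c1", device name "svcsock" and the socket paths
# are constructed assumptions; override them through the environment.
# Commands are only printed unless LXD_DRY_RUN=0.

CONTAINER="${CONTAINER:-c1}"
HOST_SOCKET="${HOST_SOCKET:-/run/myservice.sock}"    # hypothetical socket on the host
GUEST_SOCKET="${GUEST_SOCKET:-/run/myservice.sock}"  # path the container will see
DRY_RUN="${LXD_DRY_RUN:-1}"

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Return 0 when the "others" bits of an octal mode grant both read and write.
# After the remap the container's root is an unprivileged host uid, so for a
# directly shared socket only the "others" bits count (unless the host socket's
# group happens to be mapped into the container).
others_have_rw() {
    mode="$1"
    last=${mode#${mode%?}}      # last octal digit = permissions for others
    [ $(( last & 6 )) -eq 6 ]
}

# Step 1 (stgraber's answer): flip the flag and restart so LXD remaps the
# container's uids/gids into an unprivileged range.
unprivilege_container() {
    run lxc config set "$1" security.privileged false
    run lxc restart "$1"
}

# Step 2: expose a host socket inside the container through a proxy device.
# bind=container makes LXD create the listening socket inside the container;
# uid/gid/mode own and protect that socket on the container side, so the
# application inside only needs to run as that user or group.
add_socket_proxy() {
    name="$1"; dev="$2"; host_sock="$3"; guest_sock="$4"
    uid="${5:-0}"; gid="${6:-0}"; mode="${7:-0660}"
    run lxc config device add "$name" "$dev" proxy \
        "listen=unix:$guest_sock" "connect=unix:$host_sock" \
        bind=container "uid=$uid" "gid=$gid" "mode=$mode"
}

# Pick the route for the real socket, if it exists on this host: a socket that
# is already rw for everyone keeps working after the remap; anything stricter
# gets a proxy device instead of loosening the host socket's permissions.
main() {
    unprivilege_container "$CONTAINER"
    if [ -S "$HOST_SOCKET" ] && others_have_rw "$(stat -c %a "$HOST_SOCKET")"; then
        echo "$HOST_SOCKET is accessible to others; no proxy device needed"
    else
        add_socket_proxy "$CONTAINER" svcsock "$HOST_SOCKET" "$GUEST_SOCKET" 0 0 0660
    fi
}
main
```

Run it as-is to see the commands it would issue, then with `LXD_DRY_RUN=0` to apply them. If the service inside the container connects as a non-root user, pass that user's uid/gid to `add_socket_proxy` so the proxy socket is owned by it rather than by root, which keeps the socket closed to the rest of the container.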
Thanks @stgraber! This is really useful! Where can I read about setting up and configuring the proxy?