X-Original-To: alpine-user@lists.alpinelinux.org
Received: from mail-ed1-f66.google.com (mail-ed1-f66.google.com [209.85.208.66])
	by lists.alpinelinux.org (Postfix) with ESMTP id 13F67F831A7
	for <alpine-user@lists.alpinelinux.org>; Sun, 16 Jun 2019 15:34:12 +0000 (UTC)
Received: by mail-ed1-f66.google.com with SMTP id w13so12004456eds.4
        for <alpine-user@lists.alpinelinux.org>; Sun, 16 Jun 2019 08:34:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=googlemail.com; s=20161025;
        h=date:from:to:cc:subject:message-id:in-reply-to:references
         :mime-version:content-transfer-encoding;
        bh=JnlSRmu/fbQcq/62w7QfBpQzuMPRQlqDevQD3IjNLc0=;
        b=llmdlI4LpZMePvYw0bndO7u3r2iNVeNmrs7GH6PDI/ovHZr1BWpGeKRmcbqZfWJVx9
         W4eWvs07UbXNMYBOjkfHPJoUJFxCp3hxPiXXMKGFM7AUmQczCDWqkfB9NYJbMFbhT7ss
         zrrcUGnlCJGiP6ICuGkp3Zo/oYkQe+XBWwuwf9qBnykP9AV8snhMThGY5P6FS/tCgrgb
         gb3Vc6yq4LdKVOe+MLcLhGOEpySiY1BnmmQCEu3cJxXn98VuHUTEEooHQoXsPQOJ2phZ
         VpWzrjOagO93TzNXyli9QSotZUA6Uw+qzRXyr1dgNrRQ1w//SioBuToN+qVmDNfK35b2
         Carw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:from:to:cc:subject:message-id:in-reply-to
         :references:mime-version:content-transfer-encoding;
        bh=JnlSRmu/fbQcq/62w7QfBpQzuMPRQlqDevQD3IjNLc0=;
        b=lz5CZ3dpMtdNvBCSARt3jm/EUvd5M16k6byOCClNUZ3T8FOK/1Y2BAGpU/7mGe66Xh
         uh3rFFU+sBZOKPd3FPGNuenwovsnNAAT2mJCFSD9r0fokcoAx2fUS/LpLCfjWrMaAjco
         PkEL/cYCymKkFVp6t+uLRj1vmC2nBsFoZeCt/WYtQ3oudKJqBv/7/iMORKdKFzrk+Gj/
         YNTC5jaS0tydakCM612Zloczd3zjCR0wAbMUEuKBjCe/Uy7D+5cdYA/TVeSvqth5mPmq
         Hv253Hjm93ojJGyH8kEOo2e4eh7kOCMOVnEIBCsucJRfP1ql+9OmbAwpbK/dyEu/tkvJ
         yOqQ==
X-Gm-Message-State: APjAAAW/mI9lA+IQqsn9BzLghrOuFPahn2aHrTUu+Dv8aN1APHwSaPHc
	MJaE8Yo+wq9W04I52nk13r+Xbmvn
X-Google-Smtp-Source: APXvYqwsmvnLkGARKbPb169qeT7h/SGNb3biN6+zGua4TwklRJBW44ZO+NTntRxDJQ7voFd12OGmhg==
X-Received: by 2002:a50:cb04:: with SMTP id g4mr102213280edi.181.1560699251348;
        Sun, 16 Jun 2019 08:34:11 -0700 (PDT)
Received: from homepc.locald00dz (ipservice-092-218-223-215.092.218.pools.vodafone-ip.de. [92.218.223.215])
        by smtp.gmail.com with ESMTPSA id w14sm686301eda.69.2019.06.16.08.34.09
        (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
        Sun, 16 Jun 2019 08:34:10 -0700 (PDT)
Date: Sun, 16 Jun 2019 17:34:09 +0200
From: Daniel Kulesz <daniel.ina1@googlemail.com>
To: Chloe Kudryavtsev <toast@toastin.space>
Cc: alpine-user@lists.alpinelinux.org
Subject: Re: [alpine-user] liblxc segfaults when trying to start
 unprivileged container
Message-Id: <20190616173409.0a99d8d8aa40165b1e1eec1d@googlemail.com>
In-Reply-To: <d8dcca4f-4cb0-ee45-31b0-d497907a016f@toastin.space>
References: <20190304235659.b64e6019003b26b4edcb2a67@googlemail.com>
	<988908273.7812074.1553849007859@mail.yahoo.com>
	<d8dcca4f-4cb0-ee45-31b0-d497907a016f@toastin.space>
X-Mailer: Daniel's homebrew MUA 0.0.1-early-pre-alpha
X-Mailinglist: alpine-user
Precedence: list
List-Id: Alpine Development <alpine-user.lists.alpinelinux.org>
List-Unsubscribe: 
	<mailto:alpine-user+unsubscribe@lists.alpinelinux.org?subject=unsubscribe>
List-Post: <mailto:alpine-user@lists.alpinelinux.org>
List-Help: <mailto:alpine-user+help@lists.alpinelinux.org?subject=help>
List-Subscribe: 
	<mailto:alpine-user+subscribe@lists.alpinelinux.org?subject=subscribe>
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

Hi Chloe,

thank you for pointing this out (and sorry for taking so long to thank and answer you)! It seems there are various opinions whether enabling this option is insecure or not:

https://security.stackexchange.com/questions/209529/what-does-enabling-kernel-unprivileged-userns-clone-do

Would you argue that running unprivileged containers as root is more secure than enabling this option and running unprivileged containers as non-root?

Cheers, Daniel


P.S.
I found a promising tutorial for running unprivileged containers as root:

https://blog.benoitblanchon.fr/lxc-unprivileged-container/


On Fri, 29 Mar 2019 13:21:21 -0400
Chloe Kudryavtsev <toast@toastin.space> wrote:

> On 3/29/2019 4:43 AM, paul gauret wrote:
> > in my case doing everything with root.
> >> Privileged containers work just fine.
> 
> We're missing kernel.unprivileged_userns_clone for whatever reason.
> You have to enable that to run things as non-root (which I suspect 
> you're trying to do).
> 
> Spun up a VM to test: unprivileged containers are just fine as root, but 
> not as a user (in the latter case you get a segfault - likely because an 
> unprivileged user is trying to userns clone without having the right to :) )
> 
> I suppose the question now becomes "why are we missing that option".
> 
> In the interim, feel free to have root-owned unprivileged containers 
> (you can give root subuids just like everywhere else, and everything 
> ends up running as UID 100000 or whatever you use).
> 
> 
> ---
> Unsubscribe:  alpine-user+unsubscribe@lists.alpinelinux.org
> Help:         alpine-user+help@lists.alpinelinux.org
> ---
> 




---
Unsubscribe:  alpine-user+unsubscribe@lists.alpinelinux.org
Help:         alpine-user+help@lists.alpinelinux.org
---