canonical / lxd

Powerful system container and virtual machine manager
https://canonical.com/lxd
GNU Affero General Public License v3.0
4.32k stars 927 forks

Enable `security.nesting` by default for unprivileged containers and modern enough images #13631

Open mihalicyn opened 3 months ago

mihalicyn commented 3 months ago

I believe we have no choice and should set security.nesting=true (unprivileged case only) for modern enough images (e.g. starting from Oracular [1]). This depends on the systemd version, not really a distro-specific thing.

For privileged containers, the problem is even more serious [2], as these days Noble doesn't work in a privileged container at all, and only works with nesting enabled, which makes the container escapable.

See also:
[1] https://github.com/canonical/lxd/pull/12698
[2] https://github.com/canonical/lxd/issues/12967

simondeziel commented 3 months ago

> I believe we have no choice and should set security.nesting=true (unprivileged case only) for modern enough images.

From a security point of view, is it more dangerous to have nesting enabled if the (unprivileged) container is Jammy or Oracular?

If the answer is no, I think we should discuss whether we always enable security.nesting for unprivileged containers as even Noble and earlier releases have diverse issues with systemd units using namespace features.
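The two comments above distinguish four configurations: privileged or unprivileged, with or without `security.nesting`, and single out privileged plus nesting as the escapable one. The script below is an added example (not LXD's own code and not part of this thread) that classifies an instance from the text `lxc config show <instance>` prints, so an operator can audit a host for that combination before or after the proposed default changes. The sample config text embedded in it is constructed, not captured from a real host; the `--live` mode that walks `lxc list` is only meaningful where the `lxc` client is installed.

```shell
#!/bin/sh
# Added example, not part of the LXD project or this issue thread.
# Classifies an LXD instance from `lxc config show <instance>` output,
# flagging the combination the issue calls escapable:
# security.privileged=true together with security.nesting=true.

# Print "true" or "false" for a boolean config key found in
# `lxc config show` output. Absent key -> "false" (LXD's default for
# both keys). Accepts the spellings LXD treats as true (true/1/yes/on).
config_bool() {
    key="$1"
    config="$2"
    ekey=$(printf '%s' "$key" | sed 's/\./\\./g')   # literal dots in the regex
    val=$(printf '%s\n' "$config" \
        | sed -n "s/^ *${ekey}: *\"\{0,1\}\([A-Za-z0-9]*\)\"\{0,1\}.*/\1/p" \
        | head -n 1 | tr 'A-Z' 'a-z')
    case "$val" in
        true|1|yes|on) echo true ;;
        *)             echo false ;;
    esac
}

# Classify one instance's config text into one of four risk classes.
classify_config() {
    priv=$(config_bool security.privileged "$1")
    nest=$(config_bool security.nesting "$1")
    if [ "$priv" = true ] && [ "$nest" = true ]; then
        echo privileged-nesting      # escapable per the issue: treat as a finding
    elif [ "$priv" = true ]; then
        echo privileged
    elif [ "$nest" = true ]; then
        echo unprivileged-nesting    # what the issue proposes as the default
    else
        echo unprivileged
    fi
}

# Audit every instance on a real host (needs the lxc client; not run here).
audit_host() {
    lxc list --format csv -c n | while IFS= read -r name; do
        printf '%s\t%s\n' "$name" "$(classify_config "$(lxc config show "$name")")"
    done
}

# Constructed sample output in the shape `lxc config show` produces.
SAMPLE_PRIV_NEST='architecture: x86_64
config:
  image.os: Ubuntu
  image.release: noble
  security.nesting: "true"
  security.privileged: "true"
devices: {}
ephemeral: false'

SAMPLE_UNPRIV_NEST='config:
  image.release: oracular
  security.nesting: "true"'

SAMPLE_PLAIN='config:
  image.release: jammy'

if [ "${1:-}" = "--live" ]; then
    audit_host
else
    for s in "$SAMPLE_PRIV_NEST" "$SAMPLE_UNPRIV_NEST" "$SAMPLE_PLAIN"; do
        classify_config "$s"
    done
fi
```

Run without arguments it prints `privileged-nesting`, `unprivileged-nesting` and `unprivileged` for the three constructed samples; with `--live` it prints one tab-separated `name<TAB>class` line per instance on the host, so `grep privileged-nesting` isolates the instances the issue is concerned about. Only the `config:` section is inspected, so a profile that sets these keys would need `lxc config show --expanded` to be visible to the check.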

tomponline commented 2 months ago

Seems relevant https://github.com/lxc/incus/pull/650