
Enable `security.nesting` by default for unprivileged containers and modern enough images

Open mihalicyn opened this issue 1 year ago • 2 comments

I believe we have no choice and should set security.nesting=true (unprivileged case only) for modern enough images (e.g. starting from Oracular [1]). This depends on a systemd version, not really a distro-specific thing.

For privileged containers, the problem is even more serious [2], as these days Noble doesn't work in a privileged container and only works with nesting enabled, which makes a container escapable.

See also:
[1] https://github.com/canonical/lxd/pull/12698
[2] https://github.com/canonical/lxd/issues/12967

mihalicyn, Jun 17 '24 16:06
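The combination the opening post warns about, `security.privileged=true` together with `security.nesting=true`, is something an operator can audit for. The script below is an added example written for this thread, not code from LXD or from the issue: it parses the `key: value` lines that `lxc config show --expanded <name>` prints (expanded so that profile-inherited settings are included), treats an unset key as `false` (LXD's default for both keys), and classifies each container. The sample config text is constructed; the `audit_live` wrapper is only used when the `lxc` client is installed.

```shell
#!/bin/sh
# Added audit helper (not part of LXD or of the issue thread).
# Reads expanded container config on stdin and classifies the
# nesting/privilege combination.

# Print "true" if the given boolean key is set to true in the config text on
# stdin, otherwise "false". Unset keys and any other value count as false,
# which matches LXD's default for security.privileged and security.nesting.
cfg_bool() {
    key_re=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape the dot for sed
    val=$(sed -n "s/^[[:space:]]*${key_re}:[[:space:]]*\"\{0,1\}\([A-Za-z0-9]*\)\"\{0,1\}[[:space:]]*$/\1/p" | head -n 1)
    if [ "$val" = "true" ]; then echo true; else echo false; fi
}

# Classify config text read from stdin. PRIV_NESTING is the escapable
# combination named in the issue; UNPRIV_NESTING is the proposed default for
# modern images; the other two are the remaining cases.
classify_config() {
    cfg=$(cat)
    priv=$(printf '%s\n' "$cfg" | cfg_bool security.privileged)
    nest=$(printf '%s\n' "$cfg" | cfg_bool security.nesting)
    case "$priv,$nest" in
        true,true)   echo PRIV_NESTING ;;
        true,false)  echo PRIV_ONLY ;;
        false,true)  echo UNPRIV_NESTING ;;
        *)           echo UNPRIV ;;
    esac
}

# Walk every instance on the local LXD and print "<name>\t<class>".
# Uses the real `lxc list -c n -f csv` and `lxc config show --expanded`.
audit_live() {
    command -v lxc >/dev/null 2>&1 || { echo "lxc client not found" >&2; return 1; }
    lxc list -c n -f csv | while IFS= read -r name; do
        printf '%s\t%s\n' "$name" "$(lxc config show --expanded "$name" | classify_config)"
    done
}

# Constructed sample in the shape of `lxc config show --expanded` output,
# showing the privileged + nesting combination.
SAMPLE_PRIV_NESTED='config:
  image.os: Ubuntu
  security.nesting: "true"
  security.privileged: "true"
devices: {}'

printf 'sample container: %s\n' "$(printf '%s\n' "$SAMPLE_PRIV_NESTED" | classify_config)"
```

Run `audit_live` on a host with the `lxc` client to get one line per instance; any `PRIV_NESTING` result is the case the issue describes and is worth reviewing against why that instance needs `security.privileged` at all.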

> I believe we have no choice and should set security.nesting=true (unprivileged case only) for modern enough images.

From a security point of view, is it more dangerous to have nesting enabled if the (unprivileged) container is Jammy or Oracular?

If the answer is no, I think we should discuss whether we always enable security.nesting for unprivileged containers as even Noble and earlier releases have diverse issues with systemd units using namespace features.

simondeziel, Jun 17 '24 16:06

Seems relevant https://github.com/lxc/incus/pull/650

tomponline, Jul 01 '24 10:07

See also https://github.com/canonical/lxd/issues/13810 as Oracular containers can be launched on LXD 5.0.4, and LXD 5.21.2 onwards without needing security.nesting enabled.

tomponline, Dec 20 '24 11:12