I am configuring my LXD containers to run unprivileged as root.
How can I check that they indeed run as such?
Is it enough that ps -ef on the host shows that all processes running in containers follow the template
165536 5284 1104 0 12:19 ? 00:00:00 /usr/sbin/sshd -D
(the first element is a uid),
or is there an lxc parameter which shows the "privilege level" of a container?
Yes, it is enough that you see that your UID is different from root and other users on your host for the processes running in your container (setuid/setgid mapping magic).
The page you linked to describes lxc not lxd. lxd is essentially a daemon process that provides access to lxc's features, in a higher-level/more-convenient way. I believe the answer for lxd is:
If that shows "true", then the container is privileged, else not.
Per stgraber's post you can also query the set of privileged containers by running:
It's also possible to check if a container is unprivileged from inside the LXD container by checking:
/proc/self/uid_map
/proc/self/gid_map
where it will show something like (root 0 mapped to user 1000000):
(assuming /etc/subuid & /etc/subgid are correctly configured on the container host)
These values can be read by root or an unprivileged user.
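The check on /proc/self/uid_map and /proc/self/gid_map described in the last answer, as an added example that is not part of the original question or answers. Each map line is "inside-id outside-id length"; the sample map contents are constructed, using the 1000000 base from the answer and the 165536 uid from the question's ps line, with assumed lengths.

```python
"""Decide from a uid_map/gid_map whether root inside is shifted away from host root."""
from pathlib import Path


def parse_id_map(text):
    """Return a list of (inside_id, outside_id, length) tuples, one per map line."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"unexpected id map line: {line!r}")
        entries.append(tuple(int(f) for f in fields))
    return entries


def host_id_for(entries, inside_id=0):
    """Translate an id inside the namespace to the id seen outside it, or None if unmapped."""
    for inside, outside, length in entries:
        if inside <= inside_id < inside + length:
            return outside + (inside_id - inside)
    return None


def is_unprivileged(entries):
    """True when id 0 inside is not id 0 outside (an unmapped root also counts as shifted)."""
    return host_id_for(entries, 0) != 0


# Constructed sample contents, not captured from a real system.
SHIFTED_MAP = "         0    1000000 1000000000\n"   # container root -> host uid 1000000
QUESTION_MAP = "         0     165536      65536\n"  # matches the uid in the ps line
IDENTITY_MAP = "         0          0 4294967295\n"  # no user-namespace shift

if __name__ == "__main__":
    # Run inside the container: reads the maps of the current process.
    for name in ("uid_map", "gid_map"):
        entries = parse_id_map(Path("/proc/self", name).read_text())
        verdict = "unprivileged (shifted)" if is_unprivileged(entries) else "not shifted"
        print(f"{name}: root maps to {host_id_for(entries)} -> {verdict}")
```

Check both files: a container counts as unprivileged only if the uid and the gid maps are both shifted.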