Fabio Tudone (fabio@paralleluniverse.co)
2015-09-30 10:30:00 UTC
Hi,
instead of creating "regular" LXC unprivileged containers where all the
users are mapped to (unprivileged) subuid/gid of my host user, I'm
considering a mapping where my host user itself will be mapped to user 0
(root). They'd be very slim single-app containers.
The reason is that in this way I don't need the rootfs directory
subtree, which resides in my user's home, to be namespace-|chmod|to a
different user and I can delete it with a plain|rm|instead of a
namespace one.
Is this kind of LXC less secure than the "regular" one, and why is it?
What could happen in the worst case?
Thanks,
-- Fabio
instead of creating "regular" LXC unprivileged containers where all the
users are mapped to (unprivileged) subuid/gid of my host user, I'm
considering a mapping where my host user itself will be mapped to user 0
(root). They'd be very slim single-app containers.
The reason is that in this way I don't need the rootfs directory
subtree, which resides in my user's home, to be namespace-|chmod|to a
different user and I can delete it with a plain|rm|instead of a
namespace one.
Is this kind of LXC less secure than the "regular" one, and why is it?
What could happen in the worst case?
Thanks,
-- Fabio