diff --git a/doc/.wordlist.txt b/doc/.wordlist.txt index 5349045b2298..22d2c8d1ba69 100644 --- a/doc/.wordlist.txt +++ b/doc/.wordlist.txt @@ -168,7 +168,7 @@ OpenSUSE OSD overcommit overcommitting -overlayfs +OverlayFS OVMF OVN OVS diff --git a/doc/faq.md b/doc/faq.md index 8e723b4dc043..59466e35056b 100644 --- a/doc/faq.md +++ b/doc/faq.md @@ -57,10 +57,13 @@ But that's also the cause of most of the security issues with such privileged co ```{youtube} https://www.youtube.com/watch?v=_fCSSEyiGro ``` -To run Docker inside a LXD container, set the {config:option}`instance-security:security.nesting` property of the container to `true`: +To run Docker inside a LXD container, set the {config:option}`instance-security:security.nesting` option of the container to `true`: lxc config set security.nesting true +If you plan to use the OverlayFS storage driver in Docker, you should also set the {config:option}`instance-security:security.syscalls.intercept.mknod` and {config:option}`instance-security:security.syscalls.intercept.setxattr` options to `true`. +See [`mknod` / `mknodat`](syscall-mknod) and [`setxattr`](syscall-setxattr) for more information. + Note that LXD containers cannot load kernel modules, so depending on your Docker configuration, you might need to have extra kernel modules loaded by the host. You can do so by setting a comma-separated list of kernel modules that your container needs: diff --git a/doc/syscall-interception.md b/doc/syscall-interception.md index 352dbfaf8a1b..2a7c3aa189ba 100644 --- a/doc/syscall-interception.md +++ b/doc/syscall-interception.md @@ -13,6 +13,7 @@ per-container basis through container configuration options. ## Available system calls +(syscall-mknod)= ### `mknod` / `mknodat` The `mknod` and `mknodat` system calls can be used to create a variety of special files. @@ -28,7 +29,7 @@ inside an unprivileged containers. The devices which are currently allowed are: -- overlayfs whiteout (char 0:0) +- OverlayFS whiteout (char 0:0) - `/dev/console` (char 5:1) - `/dev/full` (char 1:7) - `/dev/null` (char 1:3) @@ -102,13 +103,14 @@ considered to be flawed and can significantly impact overall system stability. This is why under normal conditions, only the real root user (or global `CAP_SYS_NICE`) would allow its use. +(syscall-setxattr)= ### `setxattr` The `setxattr` system call is used to set extended attributes on files. The attributes which are handled by this currently are: -- `trusted.overlay.opaque` (overlayfs directory whiteout) +- `trusted.overlay.opaque` (OverlayFS directory whiteout) Note that because the mediation must happen on a number of character strings, there is no easy way at present to only intercept the few