doc: additional options recommended for running Docker #12833

Merged (1 commit) on Feb 7, 2024
2 changes: 1 addition & 1 deletion doc/.wordlist.txt
Expand Up @@ -168,7 +168,7 @@ OpenSUSE
OSD
overcommit
overcommitting
overlayfs
OverlayFS
OVMF
OVN
OVS
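Review bot: replacing `overlayfs` with `OverlayFS` in `doc/.wordlist.txt` means any remaining lowercase `overlayfs` in doc prose will now fail the spelling check; this PR only touches the occurrences in `doc/faq.md` and `doc/syscall-interception.md`, so please grep the rest of `doc/` for the old spelling and either capitalize it or put it in backticks where it denotes a literal filesystem or driver name rather than the product name.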
5 changes: 4 additions & 1 deletion doc/faq.md
Expand Up @@ -57,10 +57,13 @@ But that's also the cause of most of the security issues with such privileged co
```{youtube} https://www.youtube.com/watch?v=_fCSSEyiGro
```

To run Docker inside a LXD container, set the {config:option}`instance-security:security.nesting` property of the container to `true`:
To run Docker inside a LXD container, set the {config:option}`instance-security:security.nesting` option of the container to `true`:

lxc config set <container> security.nesting true

If you plan to use the OverlayFS storage driver in Docker, you should also set the {config:option}`instance-security:security.syscalls.intercept.mknod` and {config:option}`instance-security:security.syscalls.intercept.setxattr` options to `true`.
See [`mknod` / `mknodat`](syscall-mknod) and [`setxattr`](syscall-setxattr) for more information.

Note that LXD containers cannot load kernel modules, so depending on your Docker configuration, you might need to have extra kernel modules loaded by the host.
You can do so by setting a comma-separated list of kernel modules that your container needs:
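Review bot: the added OverlayFS paragraph tells the reader to set `security.syscalls.intercept.mknod` and `security.syscalls.intercept.setxattr` to `true` but, unlike the `security.nesting` step directly above it, gives no command; for consistency add `lxc config set <container> security.syscalls.intercept.mknod true` and the matching `security.syscalls.intercept.setxattr true` line so the reader can copy them. It would also help to say in one sentence why these are needed (OverlayFS whiteouts are the `char 0:0` device and the `trusted.overlay.opaque` attribute listed in `doc/syscall-interception.md`) and to carry over that file's caveat that the `setxattr` mediation cannot easily be restricted to just the few attributes it handles, so the reader understands the trade-off of enabling it.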

6 changes: 4 additions & 2 deletions doc/syscall-interception.md
Expand Up @@ -13,6 +13,7 @@ per-container basis through container configuration options.

## Available system calls

(syscall-mknod)=
### `mknod` / `mknodat`

The `mknod` and `mknodat` system calls can be used to create a variety of special files.
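Review bot: the `(syscall-mknod)=` target sits directly above the `### \`mknod\` / \`mknodat\`` heading with no blank line between them, which is what MyST needs for the label to attach to that section, and it matches the `[...](syscall-mknod)` link added in `doc/faq.md`; worth a quick check that no other page already defines a `syscall-mknod` label, since a duplicate only shows up as a build warning.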
Expand All @@ -28,7 +29,7 @@ inside an unprivileged containers.

The devices which are currently allowed are:

- overlayfs whiteout (char 0:0)
- OverlayFS whiteout (char 0:0)
- `/dev/console` (char 5:1)
- `/dev/full` (char 1:7)
- `/dev/null` (char 1:3)
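Review bot: while this file is being edited, the context line in the hunk header, `inside an unprivileged containers`, should read `inside an unprivileged container` (or `inside unprivileged containers`); the rename to `OverlayFS whiteout (char 0:0)` itself is consistent with the wordlist change and keeps the device numbers untouched.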
Expand Down Expand Up @@ -102,13 +103,14 @@ considered to be flawed and can significantly impact overall system
stability. This is why under normal conditions, only the real root user
(or global `CAP_SYS_NICE`) would allow its use.

(syscall-setxattr)=
### `setxattr`

The `setxattr` system call is used to set extended attributes on files.

The attributes which are handled by this currently are:

- `trusted.overlay.opaque` (overlayfs directory whiteout)
- `trusted.overlay.opaque` (OverlayFS directory whiteout)

Note that because the mediation must happen on a number of character
strings, there is no easy way at present to only intercept the few
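Review bot: correct to keep `trusted.overlay.opaque` lowercase and in backticks, since it is the literal extended-attribute key, and to capitalize only the parenthetical prose to `OverlayFS`; the `(syscall-setxattr)=` target matches the link added in `doc/faq.md`. Given that the trailing context says the string-based mediation cannot easily be limited to the few attributes handled here, the FAQ text that recommends enabling this option should point the reader at that limitation rather than presenting it as a free setting.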