Saturday, November 28, 2015

openvpn in unprivileged lxc container

I've wanted to switch to using unprivileged lxc containers for a long time. There are issues with starting them when I'm not logged in (at boot), and similar issues if the user home directories are encrypted with ecryptfs or similar. Some issues can be worked around, others will just have to be managed manually at restart (mounting ecryptfs filesystems). One issue that I did have, starting openvpn in unprivileged containers, is pretty easily fixed with a bind mount. In a mailing list post, Stephane Graber says:
lxc.mount.entry = /dev/net dev/net none bind,create=dir
I expect that could still lead to attacks on tun devices if the unprivileged container is cracked, since the bind mount exposes the host's /dev/net to it. For the future I will have to look at Stephane's VPN container script. For now though, being able to run all my lxc containers unprivileged, and all as different users, will be awesome in itself.
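As an added example (not part of the original post, and not Stephane's script), the following shell snippet checks the bind-mount line quoted above for the properties it needs in an unprivileged container, and then verifies from the host that the tun node visible under the container's rootfs really is the tun/tap control device (character device 10:200). The ROOTFS path is an assumption for illustration; adjust it to the container in question.

```shell
#!/bin/sh
# Added example, not from the original post: validate the lxc.mount.entry
# line and check the tun node under an unprivileged container's rootfs.
# ROOTFS below is an assumed path for illustration.

# The exact line quoted in the post.
MOUNT_ENTRY='lxc.mount.entry = /dev/net dev/net none bind,create=dir'

# Split an lxc.mount.entry line into its fstab-style fields and print them
# as key=value pairs. Returns 1 unless the value has exactly four fields.
parse_mount_entry() {
    value=${1#*=}                      # drop the "lxc.mount.entry =" key
    set -- $value                      # word-split into src dst fstype opts
    [ "$#" -eq 4 ] || return 1
    printf 'src=%s dst=%s fstype=%s opts=%s\n' "$1" "$2" "$3" "$4"
}

# Check the properties a tun bind mount needs: the source is the host's
# /dev/net, the destination is relative to the container rootfs (no leading
# slash), and the options include "bind" and "create=dir" so LXC creates
# the directory when the rootfs lacks it.
check_mount_entry() {
    fields=$(parse_mount_entry "$1") || return 1
    set -- $fields
    src=${1#src=}; dst=${2#dst=}; opts=${4#opts=}
    [ "$src" = /dev/net ] || return 1
    case "$dst" in /*) return 1 ;; esac
    case ",$opts," in *,bind,*) ;; *) return 1 ;; esac
    case ",$opts," in *,create=dir,*) ;; *) return 1 ;; esac
    return 0
}

# Return 0 only if $1 is a character device with major 10 and minor 200,
# which is the Linux tun/tap control node (/dev/net/tun).
tun_is_ready() {
    [ -c "$1" ] || return 1
    # stat prints major and minor in hex: "a c8" for 10:200.
    [ "$(stat -c '%t %T' "$1" 2>/dev/null)" = "a c8" ]
}

# Usage from the host after the container has started (ROOTFS is assumed).
ROOTFS="${ROOTFS:-$HOME/.local/share/lxc/vpn/rootfs}"
if check_mount_entry "$MOUNT_ENTRY"; then
    echo "mount entry looks right: $(parse_mount_entry "$MOUNT_ENTRY")"
else
    echo "mount entry is malformed or unsafe: $MOUNT_ENTRY" >&2
fi
if tun_is_ready "$ROOTFS/dev/net/tun"; then
    echo "tun device is available under $ROOTFS"
else
    echo "no usable tun device under $ROOTFS (is the container running?)"
fi
```

Run it on the host as the user that owns the container; if the second check fails while the container is up, the bind mount did not take effect and openvpn inside the container will not be able to open its tun interface.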
