@x_cli One question about the proper use of containers (*not* VM, only containers). Is it reasonable to give root access in a container to someone who is not root on the host? I always thought the answer was No and this is how I manage containers. The report mention "public cloud service". Are there services where tenants have root access to a container?


Unfortunately many use cases require some kind of privileges inside the container, starting with privilege drop itself when running a daemon that requires different levels of privilege for listening on a port, writing to logs or serving requests.

User namespaces offer useful features and can hopefully be combined with fine-tuned caps and seccomp to "safely" offer "root" inside the container.

@kaiyou @x_cli My point was not "we shoud not give root access inside the container" but "we should not give root access to someone who is not already root" (I use containers, but not in a multi-tenant configuration).

@x_cli We should obviously not. But services who rent containers as full-featured "VPS" want their tenant to be able to run.. Apache for instance. This either requires to fine-tune a user namespace and capability assignment so that the container can have a namespaced root user, listen on a privileged port, then setuid to a less privileged user ; or to provide basic unrestricted root access in the container. Guess what happens most of the time :)

Sign in to participate in the conversation

The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!