Monday, January 10, 2022

Proxmox-Basic: proxmox privileged

1.  good ref

For those that don't know.

Privileged containers: container uid 0 is mapped to the host's uid 0.

Unprivileged containers: container uid 0 is mapped to an unprivileged user on the host.

Unprivileged should be chosen unless you need a privileged container.

My thoughts: I haven't had a need for a privileged container. I can't think of a reason to use one. Maybe if I needed something that needed to access some hardware that couldn't be mapped to an unprivileged container?
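The uid mapping described above can be checked from the host by reading a container process's `/proc/<pid>/uid_map`, whose lines have the form `<id inside> <id outside> <length>`. The script below is an added example, not part of the quoted reference; the function names `map_uid` and `classify` are hypothetical, and the two map files are constructed sample values.

```shell
#!/bin/sh
# Added example: resolve a container uid to its host uid from a uid_map file
# and classify the container. Function names are hypothetical.

# map_uid MAPFILE CONTAINER_UID
# Prints the host uid; returns 1 if the uid is not covered by any map line.
map_uid() {
    awk -v id="$2" '
        id >= $1 && id < $1 + $3 {
            printf "%d\n", $2 + (id - $1)
            found = 1
            exit
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# classify MAPFILE
# "privileged" when container uid 0 is host uid 0, otherwise "unprivileged".
classify() {
    host_root=$(map_uid "$1" 0) || { echo unmapped; return; }
    if [ "$host_root" -eq 0 ]; then
        echo privileged
    else
        echo unprivileged
    fi
}

# Constructed sample maps (assumed values, not read from a real host).
demo_dir=$(mktemp -d)
priv_map="$demo_dir/privileged.uid_map"
unpriv_map="$demo_dir/unprivileged.uid_map"
printf '0 0 4294967295\n'  > "$priv_map"    # identity map: container root is host root
printf '0 100000 65536\n'  > "$unpriv_map"  # container root is host uid 100000

for m in "$priv_map" "$unpriv_map"; do
    printf '%s: %s, container uid 0 -> host uid %s\n' \
        "$(basename "$m")" "$(classify "$m")" "$(map_uid "$m" 0)"
done
```

On a real host, pass the `uid_map` of any process running inside the container instead of the sample files.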



2.  You can see the discussion in Chinese

Privileged Containers
Security is done by dropping capabilities, using mandatory access control (AppArmor), SecComp filters and namespaces. The LXC team considers this kind of container as unsafe, and they will not consider new container escape exploits to be security issues worthy of a CVE and quick fix. So you should use this kind of containers only inside a trusted environment, or when no untrusted task is running as root in the container.
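Summary: This mode is less secure. It relies on AppArmor for access control, so it is recommended to run this mode only on an internal network or in a relatively secure environment, or only for workloads with few security concerns.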
