LXC containers
Sort of Linux virtual host without virtualization.
LXC containers use the host Linux kernel.
But they use other namespaces for isolation.
Processes.
Network.
Mount.
An LXC container is a small Linux distribution that boots on top of a running kernel, and has an API to be controlled from host applications.
Privileged and unprivileged
Privileged
When the containers’ UID 0 is mapped to the host’s UID 0.
Protection of container’s abuses relies on the proper tuning of extra protections on the host’s kernel.
AppArmor, SELinux, capabilities, etc.
Unprivileged
When the containers’ UID 0 is mapped to a host’s UID different from 0.
Processes escaping from the containers’ sandboxing will have no special privileges in the host.
Last updated