@ -543,11 +543,61 @@ Now exit root shell (just with `exit`), and try `lxc-console -n CONTAINERNAME`.
You should be able to log in using the new username and password.
You should be able to log in using the new username and password.
(To exit lxc console, use Ctrl+A, Q)
(To exit lxc console, use Ctrl+A, Q)
### Alternatively: unprivileged LXC using LXD
#### Security notes
Note that with LXD, unprivileged containers run under root, which is not supposed to give them any extra privileges
(source: https://discuss.linuxcontainers.org/t/privileged-and-unprivileged-containers/12060/2), but this implies that:
Containers can only be managed with LXD using root access.
Which means either `doas` for every command (including connecting to the container shell),
or adding your user to the `lxd` group which will have access to LXD daemon,
**which will effectively give your user passwordless sudo (since access to LXD daemon can trivially be used to gain root privileges),
so that any process running under your user can trivially gain root privileges on the host**
(which is for some reason not considered by LXD maintainers to be a problem).
**DO NOT add your user to the `lxd` group, and DO NOT uncomment ` --group lxd` in `/etc/conf.d/lxd`**
Instead the secure way of doing things would probably be to only use lxd as a root,
and connect to the container using ssh.
#### Containers support
As simple as
```
apk add lxd lxd-client lxcfs dbus
rc-update add lxc
rc-update add lxd
rc-update add lxcfs
rc-update add dbus
doas reboot
```
Networking with routing should work automatically.
#### Creating container
```
doas lxc launch images:alpine/edge -c security.nesting=true -c security.privileged=false test-alpine-container
doas lxc exec test-alpine-container -- /bin/ash
```
Networking should work inside of container.
### Docker
### Docker
(inside LXC)
#### (inside LXC)
TODO once nesting in LXC works (reference: https://discuss.linuxcontainers.org/t/lxc-on-alpine-host-sys-fs-cgroup-is-not-mounted-into-unprivileged-alpine-guest/15026/1)