I saw the note in NixOS manual (NixOS 23.11 manual | Nix & NixOS):
Warning: Currently, NixOS containers are not perfectly isolated from the host system. This means that a user with root access to the container can do things that affect the host. So you should not give container root access to untrusted users.
Is there any detail why there’s that limitation and if currently someone is working on that.
The reason for this is that it uses systemd-nspawn and at the time the implementation was written there was no support for user namespaces. Nowadays however we could add support for that…
Nowadays however we could add support for that…
I guess that would be a great feature and would eliminate some use cases where docker or lxc or lxd is used today.
Just found a PR that does exactly that:
https://github.com/NixOS/nixpkgs/pull/28425
Until it is merged (once the issues are resolved), you could add -U to extraFlags on a per-case basis.
Thanks for clearification!
It had to be reverted for now, unfortunately. The new PR is here: [WIP] nixos/containers: add unprivileged option by uvNikita · Pull Request #67336 · NixOS/nixpkgs · GitHub
The consensus seems to be that containers in general do not add any extra security. Be it Docker/lxc/nspawn. Do not use containers to add security. Use VMs
The consensus seems to be that containers in general do not add any extra security. Be it Docker/lxc/nspawn. Do not use containers to add security. Use VMs
Saying they never add any extra security is an overstatement. Of course there has been a security problem where root-in-container was not enough to exploit but root-in-VM was sufficient… But on average VMs are probably safer.
Root-in-vm was sufficient.
Can you link please? You have added layer of security- breaking out of a hypervisor is a barrier too