Keywords: container, rootless container, analysis of rootless containers
With the spread of cloud computing, containers have become more and more popular, and new ways of implementing them have emerged. One of these is the rootless container: a container that can be created and run without root privileges. Although rootless containers have advantages in terms of security, they are still being tested and developed. This article introduces the internal structure of rootless containers and analyzes vulnerabilities in their networking components.
Rootless container
Rootless containers are the same as regular containers, except that they can be created without root. They are still at an early stage, and there are several reasons for their appearance:
Add a new layer of security. If the container is compromised while it is running, the attacker does not gain root privileges on the host, because root inside the container is only an unprivileged user outside it.
Allow multiple unprivileged users to run containers on the same machine.
Allow isolation of nested containers (a container started from inside another container).
A Linux kernel feature, user namespaces, makes this scheme possible: an unprivileged user is allowed to create a new user namespace. When a user creates and enters a new user namespace, they become root inside that namespace and receive a full capability set there, which covers most of what is needed to set up a container (mount namespaces, network namespaces, pivot_root and so on). These privileges are valid only within the namespace; to the host, the process is still the original unprivileged user.
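The mechanism described above, as an added example that is not part of the original article and not taken from any container runtime: the program creates a user namespace with unshare(CLONE_NEWUSER), maps the caller's UID and GID to 0 inside it by writing /proc/self/uid_map and gid_map, and then reads its effective capability mask from /proc/self/status. The helper names (format_id_map, enter_user_ns_as_root and so on) are this example's own.

```c
// Added example (not from the article): enter a new user namespace as an
// unprivileged user and map our UID/GID to root inside it.  This is the
// kernel mechanism rootless container runtimes build on.
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Format one "inside outside count" record for /proc/self/{uid,gid}_map.
 * Returns the number of characters written (excluding the terminator). */
int format_id_map(char *buf, size_t len, unsigned inside, unsigned outside, unsigned count)
{
    return snprintf(buf, len, "%u %u %u\n", inside, outside, count);
}

/* Parse the CapEff line of /proc/self/status into a 64-bit mask.
 * Returns 0 on success, -1 if the line is not a CapEff line. */
int parse_cap_eff(const char *line, unsigned long long *mask)
{
    if (strncmp(line, "CapEff:", 7) != 0) return -1;
    return sscanf(line + 7, "%llx", mask) == 1 ? 0 : -1;
}

/* Write a short string into a /proc file. Returns 0 on success, -1 with errno set. */
static int write_proc(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    int saved = errno;
    close(fd);
    if (n != (ssize_t)strlen(data)) { errno = n < 0 ? saved : EIO; return -1; }
    return 0;
}

/* Create a user namespace and become uid/gid 0 inside it.  Returns 0 on
 * success, -1 with errno set.  EPERM usually means the kernel or a sysctl
 * (for example kernel.unprivileged_userns_clone=0 on some distributions)
 * forbids unprivileged user namespaces, so this doubles as a quick probe
 * for rootless-container support on a host. */
int enter_user_ns_as_root(void)
{
    unsigned uid = geteuid(), gid = getegid();   /* ids as seen by the host */
    char map[64];

    if (unshare(CLONE_NEWUSER) < 0) return -1;
    /* Without CAP_SETGID in the parent namespace, gid_map may only be written
     * after setgroups() has been disabled for this namespace. */
    if (write_proc("/proc/self/setgroups", "deny") < 0) return -1;
    format_id_map(map, sizeof map, 0, uid, 1);   /* "0 <host uid> 1" */
    if (write_proc("/proc/self/uid_map", map) < 0) return -1;
    format_id_map(map, sizeof map, 0, gid, 1);
    if (write_proc("/proc/self/gid_map", map) < 0) return -1;
    return 0;
}

/* Read the effective capability mask of the current process. */
int current_cap_eff(unsigned long long *mask)
{
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    int rc = -1;
    if (!f) return -1;
    while (fgets(line, sizeof line, f))
        if (parse_cap_eff(line, mask) == 0) { rc = 0; break; }
    fclose(f);
    return rc;
}

int main(void)
{
    unsigned long long caps = 0;
    printf("before: euid=%u\n", geteuid());
    if (enter_user_ns_as_root() < 0) {
        perror("enter_user_ns_as_root");
        return 1;
    }
    current_cap_eff(&caps);
    /* euid is now 0 and CapEff is the full set, but only inside this
     * namespace: to the host the process is still the unprivileged user. */
    printf("inside: euid=%u CapEff=%016llx\n", geteuid(), caps);
    execlp("sh", "sh", "-c", "id; cat /proc/self/uid_map", (char *)NULL);
    perror("execlp");
    return 1;
}
```

Run it as an ordinary user: the shell it execs reports uid 0 and a uid_map line of the form "0 <your uid> 1", while `ps` from another terminal still shows the process owned by your real uid. If unshare fails with EPERM, the host does not allow unprivileged user namespaces and no rootless runtime will work on it without a kernel or sysctl change.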
Networking
To give a container network access, a virtual Ethernet device pair (veth) is usually created with one end in the container's network namespace and the other on the host. Creating such a device in the host network namespace requires CAP_NET_ADMIN there, which an unprivileged user does not have, even as root inside a user namespace. The two main workarounds are Slirp and LXC-user-nic.
(1) Slirp
Slirp was originally written to give non-privileged dial-up users an Internet connection. Over time it became a user-mode network stack for virtual machines and emulators (including QEMU), and it can be adapted to provide networking for rootless containers (slirp4netns is the adaptation used by rootless Podman and Docker). The container process is placed in a new network namespace, and a TAP device is created inside that namespace to serve as its default route. The TAP device's file descriptor is then handed to a parent process that stays in the host's network namespace; that process runs the Slirp TCP/IP stack, translating between raw packets on the TAP side and ordinary unprivileged sockets on the host side, so the container can reach the network without any privileged operation.
(2) LXC-User-Nic
The other method is a setuid-root helper binary that creates the veth pair on the unprivileged user's behalf. This does give the container normal networking, but it means a root-privileged binary must exist on the host and be callable by unprivileged users, which makes that binary a natural target for privilege escalation.
Storage management
One of the more complex parts of a container is storage management. By default, containers use the Overlay2 (or Overlay) storage driver to build the container file system, but rootless containers cannot do this: most Linux kernels do not allow overlay file systems to be mounted from inside a user namespace (Ubuntu kernels carried a patch allowing it, and mainline Linux 5.11 and later permit it). The fallback is another driver such as the VFS storage driver, which works but is inefficient, since every layer is a full copy. A better solution is a storage driver built for the needs of rootless containers; fuse-overlayfs, which implements overlay semantics in user space through FUSE, is the one rootless Podman and Buildah adopted.
Compatibility status
The following container engines support rootless containers for the following components:
Security analysis
From a security perspective, a vulnerability or misconfiguration in a rootless container component can still compromise the software running in the container. Software should always run with the least privilege it needs, so that when a vulnerability is exploited the impact is contained. LXC-user-nic has had multiple vulnerabilities that attackers could use to escalate privileges, such as CVE-2017-5985 and CVE-2018-6556. Slirp has also had several vulnerabilities disclosed in recent years.
Slirp – CVE-2020-1983:
While fuzzing the software, a vulnerability that can crash Slirp was discovered and assigned CVE-2020-1983.
The issue is in how Slirp handles IP fragmentation. The maximum size of an IP datagram is 65,535 bytes (its length field is 16 bits). The bug is that Slirp did not validate the size of a fragmented IP packet during reassembly: reassembling fragments whose combined size exceeds 65,535 bytes crashes it, which is a denial of service against every container that routes through that Slirp instance.
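What the missing validation looks like, as an added example that is not libslirp code and does not reproduce the Slirp bug itself: a small IPv4 fragment reassembler that checks, before copying any fragment, that the first fragment's header plus the fragment's offset plus its payload still fits in a 65,535-byte datagram. The struct and function names (reasm, reasm_add, make_frag) are this example's own, and the packets built by make_frag are constructed test input, not captured traffic.

```c
// Added example (not libslirp code): bounds-checked IPv4 fragment reassembly.
// The constraint to enforce is the one the text names: a reassembled datagram,
// header included, can never exceed 65,535 bytes, so hdr + offset + payload
// must be checked before a fragment is copied into the reassembly buffer.
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IP_MAXPACKET 65535u
#define IP_OFFMASK   0x1fffu   /* fragment offset, in 8-byte units */
#define IP_MF        0x2000u   /* "more fragments" flag */

struct reasm {
    uint8_t  data[IP_MAXPACKET];  /* reassembled payload */
    uint8_t  have[IP_MAXPACKET];  /* byte coverage map; simple, not fast */
    unsigned hlen;                /* header length of the first fragment seen */
    unsigned end;                 /* payload length once the last fragment arrives */
    bool     last_seen;
};

enum frag_result { FRAG_OK, FRAG_DONE, FRAG_MALFORMED, FRAG_OVERSIZE };

void reasm_init(struct reasm *r) { memset(r, 0, sizeof *r); }

/* Feed one raw IPv4 fragment (header + payload).  Returns FRAG_DONE when the
 * datagram is complete; r->end then holds the payload length. */
enum frag_result reasm_add(struct reasm *r, const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < 20 || (pkt[0] >> 4) != 4) return FRAG_MALFORMED;
    unsigned hlen    = (pkt[0] & 0x0f) * 4u;
    unsigned tot_len = ((unsigned)pkt[2] << 8) | pkt[3];
    unsigned off_fld = ((unsigned)pkt[6] << 8) | pkt[7];
    if (hlen < 20 || tot_len < hlen || tot_len > pkt_len) return FRAG_MALFORMED;

    unsigned off     = (off_fld & IP_OFFMASK) * 8u;
    unsigned payload = tot_len - hlen;
    bool     more    = (off_fld & IP_MF) != 0;

    if (off == 0) r->hlen = hlen;            /* header is taken from the first fragment */
    unsigned hdr = r->hlen ? r->hlen : hlen;

    /* The check the text says was missing: offset can reach 65,528 and payload
     * 65,515, so their sum overflows a 16-bit length. Reject before touching memory. */
    if (hdr + off + payload > IP_MAXPACKET) return FRAG_OVERSIZE;
    if (more && (payload & 7)) return FRAG_MALFORMED;  /* non-final fragments are 8-byte multiples */

    if (!more) {                              /* last fragment fixes the total length */
        if (r->last_seen && r->end != off + payload) return FRAG_MALFORMED;
        r->last_seen = true;
        r->end = off + payload;
    } else if (r->last_seen && off + payload > r->end) {
        return FRAG_MALFORMED;                /* fragment past the known end */
    }

    memcpy(r->data + off, pkt + hlen, payload);
    memset(r->have + off, 1, payload);

    if (!r->last_seen) return FRAG_OK;
    for (unsigned i = 0; i < r->end; i++)
        if (!r->have[i]) return FRAG_OK;      /* still a hole */
    return FRAG_DONE;
}

/* Build a fragment with a minimal 20-byte header; returns its length.
 * Constructed test input for this example, not a captured packet. */
size_t make_frag(uint8_t *out, unsigned off_bytes, bool more,
                 const uint8_t *payload, unsigned plen)
{
    unsigned tot = 20 + plen;
    unsigned off_fld = (off_bytes / 8) | (more ? IP_MF : 0);
    memset(out, 0, 20);
    out[0] = 0x45;                                   /* IPv4, IHL = 5 */
    out[2] = (uint8_t)(tot >> 8); out[3] = (uint8_t)tot;
    out[6] = (uint8_t)(off_fld >> 8); out[7] = (uint8_t)off_fld;
    out[8] = 64; out[9] = 17;                        /* TTL, protocol UDP */
    if (plen) memcpy(out + 20, payload, plen);
    return tot;
}
```

The out-of-order and overlapping cases are the ones a fuzzer reaches first, so the coverage map is deliberately byte-granular: a fragment whose offset field is 8191 (65,528 bytes) is rejected by the size check no matter how short its payload is, rather than being written past the end of the buffer.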
Other libslirp vulnerabilities allow code execution in the Slirp process, and because that process sits outside the container's network namespace, potentially an escape from the container to the host and to other containers served by the same instance. Two such vulnerabilities were disclosed in 2020: CVE-2020-8608 and CVE-2020-7039. The affected Slirp versions are 4.0.0 to 4.2.0.
Summary
Rootless containers are a new container solution that adds a layer of security, and they are likely to be the next step in the evolution of cloud containers. They still have many limitations, and several of their components are still experimental. As the kernel and the surrounding tooling mature, rootless containers can become fully functional and replace traditional containers for most workloads.