Skip to content

Instantly share code, notes, and snippets.

View lossendae's full-sized avatar

Stéphane Boulard lossendae

View GitHub Profile
@julianlam
julianlam / provisioning-unprivileged-lxc-containers-via-login-or-script.md
Last active September 7, 2023 12:45
Provisioning and usage of unprivileged LXC containers via indirect login or script #blog

Provisioning and usage of unprivileged LXC containers via indirect login or script

As I've discovered, managing LXC containers is fairly straightforward, but when building out a system for provisioning out user maintained instances of NodeBB, it was imperative that unprivileged LXC containers were used, so that in the event of shell breakout from NodeBB followed by privilege escalation of the saas user, the root user in the LXC container would only be an unprivileged user on the host machine.

During the course of development, I ran into numerous blockers when it came to managing LXC containers in unexpected circumstances. Namely:

  • Using LXC in a subshell is not directly supported. This usually happens under one of the following two circumstances:
    • After switching users via su or executing lxc-* commands as another user via sudo
    • Executing lxc-* commands via a program, application, or script. In my case, a Node.js application.
@frankdejonge
frankdejonge / getter.tpl
Created July 1, 2016 21:46
PHPStorm getter/setter templates.
#set($returnType = ": $TYPE_HINT")
## First we check against a blacklist of primitive and other common types used in documentation.
#set($nonTypeHintableTypes = ["", "mixed", "number", "void", "object", "real", "double", "resource", "null"])
#foreach($nonTypeHintableType in $nonTypeHintableTypes)
#if ($nonTypeHintableType == $TYPE_HINT)
#set($returnType = "")
#end
#end
## Make sure the type hint actually looks like a legal php class name(permitting namespaces too) for future proofing reasons.
## This is important because PSR-5 is coming soon, and will allow documentation of types with syntax like SplStack<int>