Recently, while dealing with LXCs, I've found a nice blog entry about unprivileged LXC containers, which are a new feature in LXC v1.0.
Originally, LXC containers were not as secure as other OS-level virtualization methods such as OpenVZ: in Linux kernels before 3.8 there were no usable user namespaces, so root inside the guest was the same uid 0 as root on the host, and a breakout from the container meant running arbitrary code on the host with root privileges, much like escaping a chroot jail.
Starting with the 1.0 release, containers can run as regular users on the host as "unprivileged containers": a user namespace maps uid 0 inside the container to an unprivileged uid on the host, taken from a range delegated to that user in /etc/subuid and /etc/subgid, so a process that escapes the container holds only that unprivileged host identity. Unprivileged containers are more limited in that they cannot access hardware directly, and privileged operations such as mknod or mounting most filesystem types are refused. Nevertheless, even privileged containers should provide adequate isolation in the 1.0 security model, if properly configured (capabilities dropped, an AppArmor or SELinux profile applied, and a seccomp filter in place).
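To make the uid mapping concrete, here is an added worked example (not code from the original post or from the LXC project) that parses an LXC-style `lxc.id_map` configuration, translates ids in both directions the way the kernel's user namespace does, and performs the check that the setuid helpers `newuidmap`/`newgidmap` apply against `/etc/subuid` before such a map may be installed. The config text, the `/etc/subuid` contents and the user names `alice` and `bob` are constructed for the example; the LXC 1.0 key was `lxc.id_map`, later renamed `lxc.idmap`, and both spellings are accepted here.

```python
"""Container <-> host uid translation for an unprivileged LXC container.

Models two kernel/user-space rules:
  * inside a user namespace, a host id that has no mapping appears as the
    overflow id (65534, "nobody"), and the container cannot create ids
    outside its map;
  * newuidmap/newgidmap refuse a map whose host ranges are not delegated
    to the caller in /etc/subuid or /etc/subgid.
Sample data below is constructed for this example.
"""

OVERFLOW_ID = 65534  # kernel default for /proc/sys/kernel/overflowuid

# Constructed LXC 1.0-style container config (key renamed lxc.idmap in 2.1).
SAMPLE_CONFIG = """\
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
"""

# Constructed /etc/subuid: alice owns host uids 100000-165535, bob the next 65536.
SAMPLE_SUBUID = """\
alice:100000:65536
bob:165536:65536
"""


def parse_idmap(config_text):
    """Return {'u': [(ns_start, host_start, count), ...], 'g': [...]}."""
    maps = {"u": [], "g": []}
    for line in config_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() not in ("lxc.id_map", "lxc.idmap"):
            continue
        kind, ns_start, host_start, count = value.split()
        maps[kind].append((int(ns_start), int(host_start), int(count)))
    return maps


def container_to_host(entries, ns_id):
    """Host id that a file owned by container id ns_id carries on disk."""
    for ns_start, host_start, count in entries:
        if ns_start <= ns_id < ns_start + count:
            return host_start + (ns_id - ns_start)
    return None  # unmapped: the container cannot own or create this id


def host_to_container(entries, host_id):
    """Id the container sees for a host-owned object (e.g. a bind mount)."""
    for ns_start, host_start, count in entries:
        if host_start <= host_id < host_start + count:
            return ns_start + (host_id - host_start)
    return OVERFLOW_ID  # unmapped host id shows up as nobody inside


def parse_subid(text):
    """Parse /etc/subuid or /etc/subgid into {user: [(start, count), ...]}."""
    ranges = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, start, count = line.split(":")
        ranges.setdefault(user, []).append((int(start), int(count)))
    return ranges


def map_authorized(entries, allowed):
    """True if every host range in the map lies inside a range delegated to the user."""
    for _, host_start, count in entries:
        if not any(s <= host_start and host_start + count <= s + c
                   for s, c in allowed):
            return False
    return True


def check_container(config_text, subuid_text, user):
    """Summarize what the map means for `user` launching this container."""
    uids = parse_idmap(config_text)["u"]
    allowed = parse_subid(subuid_text).get(user, [])
    return {
        "authorized": map_authorized(uids, allowed),
        "container_root_on_host": container_to_host(uids, 0),
        "host_root_in_container": host_to_container(uids, 0),
    }


if __name__ == "__main__":
    for user in ("alice", "bob"):
        print(user, check_container(SAMPLE_CONFIG, SAMPLE_SUBUID, user))
```

Running it shows the security-relevant outcome: for `alice` the map is authorized, container root lands on host uid 100000, and a host-root-owned file bind-mounted into the container is seen as `nobody`; for `bob` the same config is refused because the range belongs to another user.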
The full introduction is available below: