[lxc-users] Unprivileged containers and Linux Capabilities
Michele Giacomoli
michele.giacomoli at mynet.it
Tue May 17 08:32:18 UTC 2016
Hi all,
I have an Ubuntu 14.04 host with lxc 1.0.3-0ubuntu3. I created an
unprivileged container with the following capabilities dropped by the
/usr/share/lxc/config/ubuntu.common.conf template:
lxc.cap.drop = sys_module mac_admin mac_override sys_time
This is the configuration for the container:
lxc.include = /usr/share/lxc/config/ubuntu.common.conf
lxc.include = /usr/share/lxc/config/ubuntu.userns.conf
lxc.arch = x86_64
lxc.id_map = u 0 123456 65536
lxc.id_map = g 0 123456 65536
lxc.rootfs = /mypath/
lxc.utsname = mycontainer
# Network configuration
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = mylink
lxc.network.name = eth0
lxc.network.hwaddr = my:ma:ca:dd:re:ss
A really basic config file.
I installed a program inside this container which claims it fails when
calling the function pthread_setschedparam(). This function should be
permitted when the CAP_SYS_NICE capability is not dropped (and this seems to
be the case). I also had the same problem in the past when trying to let a
guest change the system clock (that time I removed sys_time from the dropped
capabilities).
My questions are: are capabilities taken into consideration when dealing
with unprivileged containers? Do I have something more to do so that I
can use these functions inside an unprivileged container?
Best Regards
Michele
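A diagnostic for the situation described in the post above, added here as an example (it is not part of the original message, of LXC, or of the program Michele installed). It uses sched_setscheduler(), which on Linux is the same syscall pthread_setschedparam() issues for the calling thread, so the error it reports is the one that program sees. The point it demonstrates: for SCHED_FIFO/SCHED_RR the kernel checks CAP_SYS_NICE against the initial user namespace (the same holds for CAP_SYS_TIME and settimeofday()), so root in an unprivileged container can show the bit in its own CapEff, as the first lines of output do, and still get EPERM; the only way past that check is a non-zero RLIMIT_RTPRIO, which the example also prints. The CAP_SYS_NICE bit number (23) and the /proc/self/status and /proc/self/uid_map formats are the kernel's; the helper names and the constructed parsing inputs in the comments are my own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>

#define CAP_SYS_NICE_BIT 23  /* CAP_SYS_NICE from <linux/capability.h> */

/* Given one "CapEff:\t0000003fffffffff" style line from /proc/<pid>/status,
 * return 1 if capability bit `cap` is set in that mask, else 0.
 * (Example inputs of this shape are constructed in the test, not captured.) */
int cap_bit_set(const char *status_line, int cap)
{
    const char *p = strchr(status_line, ':');
    if (!p || cap < 0 || cap >= 64)
        return 0;
    p++;
    while (*p == ' ' || *p == '\t')
        p++;
    unsigned long long mask = strtoull(p, NULL, 16);
    return (int)((mask >> cap) & 1ULL);
}

/* Copy the line for `field` (e.g. "CapEff") from /proc/self/status into
 * `out`. Returns 1 on success, 0 if the field is missing or unreadable. */
int read_status_field(const char *field, char *out, size_t outlen)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return 0;
    char line[256];
    size_t flen = strlen(field);
    int found = 0;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, field, flen) == 0 && line[flen] == ':') {
            strncpy(out, line, outlen - 1);
            out[outlen - 1] = '\0';
            found = 1;
            break;
        }
    }
    fclose(f);
    return found;
}

/* The initial user namespace's /proc/self/uid_map is "0 0 4294967295".
 * Any other mapping (such as the post's "0 123456 65536") means a child
 * namespace, whose CapEff bits are not honoured for global operations. */
int uid_map_is_initial(const char *uid_map_line)
{
    unsigned long inside, outside, count;
    if (sscanf(uid_map_line, "%lu %lu %lu", &inside, &outside, &count) != 3)
        return 0;
    return inside == 0 && outside == 0 && count == 4294967295UL;
}

/* 1 = initial user namespace, 0 = child namespace, -1 = cannot tell. */
int in_initial_userns(void)
{
    FILE *f = fopen("/proc/self/uid_map", "r");
    if (!f)
        return -1;
    char line[128] = "";
    int ok = fgets(line, sizeof line, f) != NULL;
    fclose(f);
    return ok ? uid_map_is_initial(line) : -1;
}

/* Try to move the calling thread to SCHED_FIFO at `prio`, then restore
 * SCHED_OTHER. Returns 0 on success, otherwise the errno (EPERM when the
 * kernel finds neither CAP_SYS_NICE in the initial user namespace nor a
 * sufficient RLIMIT_RTPRIO). */
int try_sched_fifo(int prio)
{
    struct sched_param sp = { .sched_priority = prio };
    if (sched_setscheduler(0, SCHED_FIFO, &sp) != 0)
        return errno;
    struct sched_param normal = { .sched_priority = 0 };
    sched_setscheduler(0, SCHED_OTHER, &normal);
    return 0;
}

int main(void)
{
    char capeff[256] = "";
    struct rlimit rt = { 0, 0 };
    getrlimit(RLIMIT_RTPRIO, &rt);

    if (read_status_field("CapEff", capeff, sizeof capeff))
        printf("%s", capeff);
    printf("CAP_SYS_NICE in own user namespace: %s\n",
           cap_bit_set(capeff, CAP_SYS_NICE_BIT) ? "yes" : "no");
    printf("initial user namespace: %s\n",
           in_initial_userns() == 1 ? "yes" : "no (unprivileged container)");
    printf("RLIMIT_RTPRIO soft/hard: %lu/%lu\n",
           (unsigned long)rt.rlim_cur, (unsigned long)rt.rlim_max);

    int rc = try_sched_fifo(1);
    if (rc == 0)
        printf("SCHED_FIFO: allowed\n");
    else
        printf("SCHED_FIFO: refused (%s)\n", strerror(rc));
    return rc == 0 ? 0 : 1;
}
```

Run it as root inside the container and again on the host: inside, CapEff shows bit 23 set and uid_map shows the non-identity mapping, yet SCHED_FIFO is refused with EPERM; keeping sys_nice out of lxc.cap.drop changes nothing, because the decisive check is against the initial namespace. Raising RLIMIT_RTPRIO for the container's processes is the one knob that makes the realtime request succeed without host-level privilege; there is no equivalent relaxation for settimeofday().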