[lxc-devel] Quick questions and feedback about `lxc-start`
Andrian Nord
nightnord at gmail.com
Sat Jan 9 16:31:50 UTC 2010
> By "dropping capabilities" you actually mean capabilities like the
> ones from POSIX file capabilities? Or you mean dropping the
> "privileges of a root user" to a non-root user? (I would guess that
> it's the latter (dropping to a non-root user after initialization)...)
Yes. I mean exactly this. It will drop capabilities for the spawned init
process, to make the system less capable. For example, to forbid modprobe
inside the container, among other things.
> It's not very clear to me if the new patches would provide
> something like I have proposed:
> sudo -- lxc-start --name test --rcfile ./name.conf --uid "$UID"
> --gid "$GID" -- /bin/bash
Ahh. Sorry, I saw lxc-start and thought that you were talking about
full-system containers. For application containers it would be
better to use lxc-execute, maybe?
If you need exactly to change the pid in the newly spawned namespace, I wonder
why. A situation where two users with the same uid in different user namespaces
are equal isn't correct and is a subject for change, I suppose. Or is this
for security reasons (to make root non-root, to protect the filesystem)?
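The bounding-set drop discussed above can be verified from inside a container by reading the CapBnd line of /proc/<pid>/status. The following C check is an added example, not code from this thread or from LXC; it assumes only the kernel's CAP_SYS_MODULE bit index (16, from linux/capability.h) and the hex-mask format of the CapBnd field, and the two status snippets are constructed samples.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#define CAP_SYS_MODULE_BIT 16  /* bit index from linux/capability.h */

/* Parse the hex mask after `key` (e.g. "CapBnd:") in /proc/<pid>/status text.
 * Returns 0 and fills *mask, or -1 if the key is missing or not followed by hex. */
static int parse_cap_mask(const char *status_text, const char *key, uint64_t *mask)
{
    const char *p = strstr(status_text, key);
    if (!p) return -1;
    p += strlen(key);                 /* strtoull skips the tab/spaces itself */
    char *end;
    *mask = (uint64_t)strtoull(p, &end, 16);
    if (end == p) return -1;          /* no hex digits after the key */
    return 0;
}

/* 1 if capability bit `cap` is set in `mask`, else 0. */
static int cap_present(uint64_t mask, int cap) { return (int)((mask >> cap) & 1u); }

/* Constructed samples: a full bounding set (unconfined root) and the same set
 * with bit 16 cleared, as a container init shows once CAP_SYS_MODULE is dropped. */
static const char *sample_full  = "Name:\tinit\nCapBnd:\t0000003fffffffff\n";
static const char *sample_nomod = "Name:\tinit\nCapBnd:\t0000003ffffeffff\n";

/* Returns 1 when the two samples differ exactly in CAP_SYS_MODULE, else 0. */
static int samples_show_drop(void)
{
    uint64_t a, b;
    if (parse_cap_mask(sample_full, "CapBnd:", &a) || parse_cap_mask(sample_nomod, "CapBnd:", &b))
        return 0;
    return cap_present(a, CAP_SYS_MODULE_BIT) && !cap_present(b, CAP_SYS_MODULE_BIT);
}

/* Live check on this process: 1 if module loading is still in the bounding set,
 * 0 if it was dropped, -1 if /proc/self/status cannot be read. */
static int self_can_load_modules(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    uint64_t m;
    return parse_cap_mask(buf, "CapBnd:", &m) ? -1 : cap_present(m, CAP_SYS_MODULE_BIT);
}
```

Run inside the container as the init's user: a result of 0 from self_can_load_modules() confirms the drop took effect for that process tree.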