[lxc-devel] setpcap

Serge Hallyn serge.hallyn at ubuntu.com
Thu Jul 10 14:13:52 UTC 2014


Hi Michael,

https://bugs.launchpad.net/bugs/1339781 claims that

"""creating a centos 7 container mostly worked using the template, but when
it was launched, it was really slow to run through most of the sysinit
tasks, and neither systemd-journald nor systemd-logind could start. The
error was something like "Error at step CAPABILITIES"."""

and that allowing setpcap fixes it.  Two questions:

1. Why is setpcap being dropped?  It only allows moving caps from the bounding
set to pI and dropping more caps from the bounding set.  It actually seems less
safe to disable it than to keep it enabled, as privileged tasks will be
unable to set things up right and run under a bad config - à la the sendmail
capabilities bug.

2. Would disabling the systemd journal service also fix this?

-serge
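The two operations the message says CAP_SETPCAP gates (dropping from the bounding set, and raising a capability into pI) can be checked directly against the kernel. The probe below is an added example, not code from this thread or from LXC; it assumes a Linux host with /proc mounted, and the function names (self_has_cap, try_capbset_drop, try_raise_inheritable) are this example's own. Run it once as an unprivileged user and once with CAP_SETPCAP (e.g. as root, or inside a container that does not drop setpcap) to see which calls fail with EPERM.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* Parse the hex mask from one "CapXxx:\t0000003fffffffff" line of
 * /proc/<pid>/status. Returns 0 for a line without a ':' separator. */
uint64_t cap_mask_from_status_line(const char *line)
{
    const char *p = strchr(line, ':');
    if (p == NULL)
        return 0;
    p++;
    while (*p == ' ' || *p == '\t')
        p++;
    return strtoull(p, NULL, 16);
}

/* Look up one capability set ("CapInh", "CapPrm", "CapEff" or "CapBnd") of
 * the calling task. Returns 1 if `cap` is in that set, 0 if not, and -1 if
 * /proc/self/status could not be read. */
int self_has_cap(const char *set, int cap)
{
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    size_t n = strlen(set);
    int result = -1;

    if (f == NULL)
        return -1;
    while (fgets(line, sizeof line, f) != NULL) {
        if (strncmp(line, set, n) == 0 && line[n] == ':') {
            result = (int)((cap_mask_from_status_line(line) >> cap) & 1u);
            break;
        }
    }
    fclose(f);
    return result;
}

/* Bounding-set drop: prctl(PR_CAPBSET_DROP) requires CAP_SETPCAP.
 * Returns 0 on success, otherwise errno (EPERM without CAP_SETPCAP). */
int try_capbset_drop(int cap)
{
    if (prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) == 0)
        return 0;
    return errno;
}

/* Raise `cap` in the inheritable set with capset(2). Without CAP_SETPCAP the
 * kernel only lets pI grow from caps already in pI or pP; with CAP_SETPCAP
 * any cap still in the bounding set may be added. Returns 0 or errno. */
int try_raise_inheritable(int cap)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];

    memset(data, 0, sizeof data);
    if (syscall(SYS_capget, &hdr, data) != 0)
        return errno;
    data[CAP_TO_INDEX(cap)].inheritable |= CAP_TO_MASK(cap);
    if (syscall(SYS_capset, &hdr, data) != 0)
        return errno;
    return 0;
}

int main(void)
{
    int have = self_has_cap("CapEff", CAP_SETPCAP);
    int drop = try_capbset_drop(CAP_SYS_ADMIN);
    int inh = try_raise_inheritable(CAP_NET_RAW);

    printf("CAP_SETPCAP in effective set: %d\n", have);
    printf("PR_CAPBSET_DROP(CAP_SYS_ADMIN): %s\n", drop ? strerror(drop) : "ok");
    printf("capset raising CAP_NET_RAW in pI: %s\n", inh ? strerror(inh) : "ok");
    return 0;
}
```

Note that a successful PR_CAPBSET_DROP is permanent for the process and its children, which is the point the message makes: a task that is denied setpcap cannot shrink its own bounding set, so it keeps running with whatever the container config handed it.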

