[lxc-devel] Resetting the supplementary groups

Stewart Brodie sbrodie at espial.com
Wed Jul 29 16:40:00 UTC 2015


A feature that I need is to be able to set the supplementary groups so that
when I start an unprivileged container, the initial user in the container is
a member of a number of supplementary groups, so that it will have access to
various places in the filesystem protected via group ownership.  Since
inside the container nothing has any capabilities and the bounding set is
empty, there is no way for me to change groups as the setgroups() call
always fails, so it needs to be set from outside.  Currently, lxc/start.c
empties the supplementary groups if it's an unprivileged container.

I'd like to be able to declare them in the container configuration file. I'd
also like to be able to set them on privileged containers for consistency.

So I made a patch that adds this feature which works well enough for me.

Would anybody else find this useful?

If so, I'll try to find some time to tidy it up into the correct coding
style and write some proper documentation for it and contribute a patch.


-- 
Stewart Brodie
Senior Software Engineer
Espial UK

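As an added illustration of the ordering the post describes (this is example code written for this page, not LXC's lxc/start.c and not Stewart's patch): supplementary groups can only be applied while the caller still holds CAP_SETGID, so they have to be parsed and set from the outside before the uid/gid drop and the capability bounding set are applied. The config key `lxc.init.groups` named in the comments, and the function names, are assumptions for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Parse a comma-separated group list such as "audio,video,1001" (the shape a
 * hypothetical config key like lxc.init.groups might take) into gids.
 * Numeric entries are used as-is; names are resolved with getgrnam() on the
 * host, since name lookup is also unavailable once inside the container.
 * Returns the number of gids written, or -1 on an unknown name or overflow. */
int parse_group_list(const char *spec, gid_t *out, size_t max)
{
    char *copy = strdup(spec);
    if (!copy)
        return -1;

    size_t n = 0;
    int rc = 0;
    char *save = NULL;
    for (char *tok = strtok_r(copy, ",", &save); tok; tok = strtok_r(NULL, ",", &save)) {
        if (n >= max) {
            rc = -1;
            break;
        }
        char *end = NULL;
        unsigned long v = strtoul(tok, &end, 10);
        if (*end == '\0') {            /* purely numeric token */
            out[n++] = (gid_t)v;
            continue;
        }
        struct group *g = getgrnam(tok);
        if (!g) {
            rc = -1;
            break;
        }
        out[n++] = g->gr_gid;
    }
    free(copy);
    return rc < 0 ? -1 : (int)n;
}

/* Convenience for checks: the i-th gid of a parsed list, or (gid_t)-1. */
gid_t nth_gid(const char *spec, int i)
{
    gid_t gids[64];
    int n = parse_group_list(spec, gids, 64);
    return (i >= 0 && i < n) ? gids[i] : (gid_t)-1;
}

/* The order that matters: setgroups() first, while the caller still holds
 * CAP_SETGID, then the primary gid, then the uid. Doing it the other way
 * round loses the capability before the groups are applied, which is exactly
 * why it cannot be done from inside the container. Returns 0 or -errno. */
int drop_to_user(uid_t uid, gid_t gid, const gid_t *groups, size_t ngroups)
{
    if (setgroups(ngroups, groups) < 0)
        return -errno;
    if (setresgid(gid, gid, gid) < 0)
        return -errno;
    if (setresuid(uid, uid, uid) < 0)
        return -errno;
    return 0;
}

/* Re-apply the current supplementary group list: a no-op when permitted,
 * -EPERM once CAP_SETGID is gone (the situation inside the container). */
int probe_setgroups(void)
{
    int n = getgroups(0, NULL);
    if (n < 0)
        return -errno;
    gid_t *cur = calloc((size_t)n + 1, sizeof(*cur));
    if (!cur)
        return -ENOMEM;
    if (getgroups(n, cur) < 0 || setgroups((size_t)n, cur) < 0) {
        int err = errno;
        free(cur);
        return -err;
    }
    free(cur);
    return 0;
}

int main(int argc, char **argv)
{
    gid_t gids[64];
    const char *spec = argc > 1 ? argv[1] : "audio,video,1001"; /* constructed sample */
    int n = parse_group_list(spec, gids, 64);
    if (n < 0) {
        fprintf(stderr, "bad group list: %s\n", spec);
        return 1;
    }
    for (int i = 0; i < n; i++)
        printf("gid[%d] = %u\n", i, (unsigned)gids[i]);
    int rc = probe_setgroups();
    printf("setgroups() is %s here\n", rc == 0 ? "permitted" : strerror(-rc));
    return 0;
}
```

Run it as an unprivileged user (or from inside an unprivileged container) and the probe reports EPERM, which is the failure the post describes; run as root on the host and it succeeds, which is why the list has to be applied by the starter before the drop.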
