[lxc-devel] Resetting the supplementary groups
Serge Hallyn
serge.hallyn at ubuntu.com
Thu Jul 30 14:17:48 UTC 2015
Quoting Stewart Brodie (sbrodie at espial.com):
>
> A feature that I need is to be able to set the supplementary groups so that
> when I start an unprivileged container, the initial user in the container is
> a member of a number of supplementary groups, so that it will have access to
> various places in the filesystem protected via group ownership. Since
So to be clear, you're running containers without a user namespace, and
dropping all capabilities?
> inside the container nothing has any capabilities and the bounding set is
> empty, there is no way for me to change groups as the setgroups() call
> always fails, so it needs to be set from outside. Currently, lxc/start.c
> empties the supplementary groups if it's an unprivileged container.
>
> I'd like to be able to declare them in the container configuration file. I'd
> also like to be able to set them on privileged containers for consistency.
>
> So I made a patch that adds this feature which works well enough for me.
>
> Would anybody else find this useful?
Doesn't fit into my own use cases but that's ok, so just go ahead
and send the patch and we can discuss.
> If so, I'll try to find some time to tidy it up into the correct coding
> style and write some proper documentation for it and contribute a patch.
>
>
> --
> Stewart Brodie
> Senior Software Engineer
> Espial UK
> _______________________________________________
> lxc-devel mailing list
> lxc-devel at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-devel
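An added example, not part of this thread or of LXC's own lxc/start.c, that shows the constraint Stewart describes: setgroups() needs CAP_SETGID, so supplementary groups have to be installed by the starter before the bounding set is cleared and capabilities are dropped, and a check afterwards with getgroups() confirms what the container's initial process actually got. The config key name "lxc.init_groups" in the comments and the gid values 1000,1001 are assumptions made for the example, not an LXC option.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define MAX_INIT_GROUPS 32

/* Parse a comma-separated list of numeric gids (for example the value of a
 * hypothetical "lxc.init_groups = 1000,1001" config line; the key name is
 * an assumption, not a real LXC option) into out[]. Returns the number of
 * gids parsed, or -1 if the list is malformed or longer than max. */
int parse_gid_list(const char *s, gid_t *out, size_t max)
{
    size_t n = 0;
    if (!s || !*s)
        return 0;
    while (*s) {
        char *end;
        unsigned long v;
        errno = 0;
        v = strtoul(s, &end, 10);
        if (end == s || errno != 0 || v > (unsigned long)(gid_t)-1)
            return -1;              /* not a number, or outside gid_t range */
        if (*end != '\0' && *end != ',')
            return -1;              /* junk after the number */
        if (n >= max)
            return -1;              /* too many entries */
        out[n++] = (gid_t)v;
        s = (*end == ',') ? end + 1 : end;
        if (*end == ',' && *s == '\0')
            return -1;              /* trailing comma */
    }
    return (int)n;
}

/* Install the supplementary group list. This only succeeds while the caller
 * still holds CAP_SETGID, so in a start-up path it must run before the
 * bounding set is cleared and capabilities are dropped; once they are gone
 * the call fails with EPERM, which is why the groups cannot be fixed up from
 * inside the container. Returns 0 on success or -errno on failure. */
int apply_supplementary_groups(const gid_t *gids, size_t n)
{
    if (setgroups(n, gids) < 0)
        return -errno;
    return 0;
}

/* Check whether gid g is in the calling process's supplementary group list
 * (the verification step a starter can run after dropping privileges). */
int has_supplementary_group(gid_t g)
{
    int n = getgroups(0, NULL);     /* ask for the count first */
    if (n <= 0)
        return 0;
    gid_t *groups = calloc((size_t)n, sizeof(*groups));
    if (!groups)
        return 0;
    n = getgroups(n, groups);
    int found = 0;
    for (int i = 0; i < n; i++) {
        if (groups[i] == g) {
            found = 1;
            break;
        }
    }
    free(groups);
    return found;
}

int main(int argc, char **argv)
{
    gid_t gids[MAX_INIT_GROUPS];
    /* Constructed sample list; pass a real one as argv[1] to try it. */
    const char *list = argc > 1 ? argv[1] : "1000,1001";
    int n = parse_gid_list(list, gids, MAX_INIT_GROUPS);
    if (n < 0) {
        fprintf(stderr, "bad group list: %s\n", list);
        return 1;
    }
    int rc = apply_supplementary_groups(gids, (size_t)n);
    if (rc < 0)
        fprintf(stderr, "setgroups failed: %s (needs CAP_SETGID; call it before dropping capabilities)\n",
                strerror(-rc));
    else
        printf("supplementary groups set (%d entries)\n", n);
    for (int i = 0; i < n; i++)
        printf("gid %u: %s\n", (unsigned)gids[i],
               has_supplementary_group(gids[i]) ? "present" : "absent");
    return rc < 0 ? 1 : 0;
}
```

Run as an unprivileged user the setgroups() call reports EPERM, which is the same failure the container's init would see once its capabilities are gone; run by a starter that still holds CAP_SETGID it succeeds, and the getgroups() check then shows every requested gid as present. A real implementation would also validate the gids against the container's id map before installing them.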