[Lxc-users] lxc-execute does not work with lxc.cap.drop = sys_admin

Matthijs Kooijman matthijs at stdin.nl
Wed Aug 24 14:46:43 UTC 2011


Hi folks,

I've set up a full system container, without sys_admin capabilities.
Aside from any other side-effects this might have, I found that using
lxc-execute to run a single command inside the container no longer
works:

    $ sudo lxc-execute -n template ls
    lxc-init: failed to mount /proc : Operation not permitted

(My use case is running dpkg-reconfigure after duplicating a container
to regenerate SSH keys)


Looking at the code, this makes sense: lxc-execute drops privileges,
then runs lxc-init inside the container to run the actual command, and
then lxc-init tries to mount /proc, /dev/shm and /dev/mqueue.


So the real question of this mail is: Why does lxc-init do this
mounting instead of lxc-execute? I thought that lxc-init might be setuid
root, but that seems not the case.

Gr.

Matthijs
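The "Operation not permitted" above is the kernel's capability check on mount(2): mounting a filesystem requires CAP_SYS_ADMIN in the caller's effective set, and a container started with lxc.cap.drop = sys_admin never has it, so whatever process does the mounting after the drop will fail. The C program below is an added illustration written for this page, not code from the post or from the LXC project. It uses the raw capget/capset syscalls (no libcap) to drop CAP_SYS_ADMIN the way the container configuration does, then attempts the same proc mount that lxc-init performs and reports the resulting errno. It also includes a has_cap_sys_admin() pre-check of the kind a helper like lxc-init could run before mounting, so the condition is diagnosed explicitly instead of surfacing as a bare mount failure. The function names, the scratch directory under /tmp and the assumption that this runs on Linux are mine, not the page's.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

/* Thin wrappers around the raw capget/capset syscalls so the example does
   not depend on libcap. pid 0 in the header means "the calling thread". */
static int cap_get(struct __user_cap_header_struct *h,
                   struct __user_cap_data_struct *d)
{
    return (int)syscall(SYS_capget, h, d);
}

static int cap_set(struct __user_cap_header_struct *h,
                   const struct __user_cap_data_struct *d)
{
    return (int)syscall(SYS_capset, h, d);
}

/* Pre-check a mounting helper could run: 1 if CAP_SYS_ADMIN is in the
   effective set, 0 if it is not, -1 if the capability sets could not be read. */
int has_cap_sys_admin(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    memset(data, 0, sizeof data);
    if (cap_get(&hdr, data) != 0)
        return -1;
    return (data[CAP_TO_INDEX(CAP_SYS_ADMIN)].effective &
            CAP_TO_MASK(CAP_SYS_ADMIN)) ? 1 : 0;
}

/* Removes CAP_SYS_ADMIN from the effective, permitted and inheritable sets
   of the calling thread, mirroring what lxc.cap.drop = sys_admin does for
   the container's processes. Returns 0 on success, -1 on failure. */
int drop_cap_sys_admin(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    memset(data, 0, sizeof data);
    if (cap_get(&hdr, data) != 0)
        return -1;
    int idx = CAP_TO_INDEX(CAP_SYS_ADMIN);
    __u32 mask = CAP_TO_MASK(CAP_SYS_ADMIN);
    data[idx].effective   &= ~mask;
    data[idx].permitted   &= ~mask;
    data[idx].inheritable &= ~mask;
    return cap_set(&hdr, data);
}

/* Attempts the same kind of mount lxc-init performs, against a scratch
   directory (constructed here, not an LXC path). Returns 0 if the mount was
   allowed (it is unmounted again immediately), otherwise the errno, which is
   EPERM when CAP_SYS_ADMIN is missing. */
int try_mount_proc_tmpdir(void)
{
    char dir[] = "/tmp/procmnt-XXXXXX";   /* constructed scratch target */
    if (mkdtemp(dir) == NULL)
        return errno;
    int rc = 0;
    if (mount("proc", dir, "proc", 0, NULL) == 0)
        umount(dir);
    else
        rc = errno;
    rmdir(dir);
    return rc;
}

int main(void)
{
    printf("CAP_SYS_ADMIN before drop: %d\n", has_cap_sys_admin());
    if (drop_cap_sys_admin() != 0) {
        perror("capset");
        return 1;
    }
    printf("CAP_SYS_ADMIN after drop:  %d\n", has_cap_sys_admin());
    int rc = try_mount_proc_tmpdir();
    /* Same check lxc-init could make before mounting: refuse early with a
       clear message instead of reporting a bare mount failure. */
    if (has_cap_sys_admin() != 1)
        printf("would skip mount: CAP_SYS_ADMIN not in effective set\n");
    printf("mount proc: %s\n", rc == 0 ? "allowed" : strerror(rc));
    return 0;
}
```

Run as root with an unmodified capability set, the first mount is allowed and the second, after the drop, fails with EPERM; run as an unprivileged user both fail, since CAP_SYS_ADMIN was never there. The pre-check is the practical takeaway: whichever of lxc-execute or lxc-init does the mounting has to do it while CAP_SYS_ADMIN is still in its effective set, and it can detect the misconfiguration up front rather than discovering it at mount time.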