[Lxc-users] lxc-execute does not work with lxc.cap.drop = sys_admin
Matthijs Kooijman
matthijs at stdin.nl
Wed Aug 24 14:46:43 UTC 2011
Hi folks,
I've set up a full system container, without sys_admin capabilities.
Aside from any other side-effects this might have, I found that using
lxc-execute to run a single command inside the container no longer
works:
$ sudo lxc-execute -n template ls
lxc-init: failed to mount /proc : Operation not permitted
(My usecase is running dpkg-reconfigure after duplicating a container
to regenerate SSH keys)
Looking at the code, this makes sense: lxc-execute drops privileges,
then runs lxc-init inside the container to run the actual command, and
then lxc-init tries to mount /proc, /dev/shm and /dev/mqueue.
So the real question of this mail is: Why does lxc-init do this
mounting instead of lxc-execute? I thought that lxc-init might be setuid
root, but that seems not to be the case.
Gr.
Matthijs
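A small diagnostic for the failure described in the mail, added here as an example (not code from the poster or from the LXC project): it reads the `lxc.cap.drop` lines of a container config and predicts whether the mounts lxc-init performs will hit EPERM, and checks a `/proc/<pid>/status` capability mask for CAP_SYS_ADMIN (capability number 21 in `<linux/capability.h>`). The sample config and status excerpt are constructed; the list of mounts is the one the mail names.

```python
import re

CAP_SYS_ADMIN = 21  # capability number from <linux/capability.h>
# Mounts lxc-init performs when started by lxc-execute (per the mail).
LXC_INIT_MOUNTS = ("/proc", "/dev/shm", "/dev/mqueue")


def dropped_caps(config_text):
    """Return the capability names listed on lxc.cap.drop lines."""
    dropped = set()
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()  # ignore comments
        m = re.match(r"lxc\.cap\.drop\s*=\s*(.*)", line)
        if m:
            dropped.update(m.group(1).split())
    return dropped


def cap_in_mask(status_text, field, cap):
    """True if capability bit `cap` is set in a /proc/<pid>/status field
    such as CapEff or CapBnd (a hex bitmask)."""
    for line in status_text.splitlines():
        if line.startswith(field + ":"):
            mask = int(line.split(":", 1)[1].strip(), 16)
            return bool(mask >> cap & 1)
    raise ValueError("field %s not found" % field)


def predict_lxc_init_mounts(config_text):
    """Map each lxc-init mount path to True (expected to succeed) or
    False (EPERM expected): mount(2) needs CAP_SYS_ADMIN, so dropping
    sys_admin makes every one of them fail."""
    ok = "sys_admin" not in dropped_caps(config_text)
    return {path: ok for path in LXC_INIT_MOUNTS}


# Constructed sample input: a config that drops sys_admin, and a status
# excerpt whose effective set is a full root mask with bit 21 cleared.
SAMPLE_CONFIG = "lxc.utsname = template\nlxc.cap.drop = sys_admin sys_module\n"
SAMPLE_STATUS = ("CapInh:\t0000000000000000\n"
                 "CapEff:\t0000001fffdfffff\n"
                 "CapBnd:\t0000001fffdfffff\n")

if __name__ == "__main__":
    for path, ok in predict_lxc_init_mounts(SAMPLE_CONFIG).items():
        print("%-12s %s" % (path, "ok" if ok else "EPERM expected"))
    print("CapEff has CAP_SYS_ADMIN:",
          cap_in_mask(SAMPLE_STATUS, "CapEff", CAP_SYS_ADMIN))
```

Run inside the container (e.g. against `/proc/self/status`) it shows directly whether the effective set still carries CAP_SYS_ADMIN; run against the config on the host it predicts the `failed to mount /proc` error before lxc-execute is tried.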