[Lxc-users] lxc.cap.drop

Sebastien Pahl seb at dotcloud.com
Wed Oct 26 17:41:18 UTC 2011


Here are all the caps that I managed to drop:

audit_control
audit_write
mac_admin
mac_override
mknod
net_raw
setfcap
setpcap
sys_admin
sys_boot
sys_module
sys_nice
sys_pacct
sys_rawio
sys_resource
sys_time
sys_tty_config


Notes:

- the user in the container is not root
- sys_chroot is not dropped because sshd needs it
- since mounts are now impossible from inside the container, they have
to be added to the lxc fstab

On Wed, Oct 26, 2011 at 10:31, Ulli Horlacher
<framstag at rus.uni-stuttgart.de> wrote:
>
> Is there a "best practises" for lxc.cap.drop configuration?
>
> I have so far as default:
>
> # no MAC change
> lxc.cap.drop = mac_override
>
> # no kernel module (un)loading
> lxc.cap.drop = sys_module
>
> # no reboot
> lxc.cap.drop = sys_boot
>
> # no (un/re)mounting
> lxc.cap.drop = sys_admin
>
> # no time setting
> lxc.cap.drop = sys_time
>
>
> All the corresponding tasks should be done via host and not via container.
>
> --
> Ullrich Horlacher              Server- und Arbeitsplatzsysteme
> Rechenzentrum                  E-Mail: horlacher at rus.uni-stuttgart.de
> Universitaet Stuttgart         Tel:    ++49-711-685-65868
> Allmandring 30                 Fax:    ++49-711-682357
> 70550 Stuttgart (Germany)      WWW:    http://www.rus.uni-stuttgart.de/
>



-- 
Sebastien Pahl
http://www.dotcloud.com
@sebp, @dot_cloud
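One way to verify that a drop list like the one above actually took effect, added here as an example and not code from either poster: inside the container, `grep CapBnd /proc/self/status` shows the bounding set as a hex mask. The script below decodes that mask with the bit numbers from linux/capability.h (the four names after mac_admin are newer than 2011 kernels and are included only so the table also fits later kernels), parses the lxc.cap.drop lines of a config (several names per line and repeated lines, as lxc accepts), and reports any capability that the config says to drop but is still present, plus any name lxc would not recognise. The config text and the two CapBnd values are constructed sample input.

```python
"""Compare an lxc.cap.drop configuration with a container's CapBnd mask.

Added example, not from the lxc-users thread. The CapBnd line comes from
/proc/<pid>/status inside the container; the bit numbers are the ones in
linux/capability.h.
"""
import re

# Capability bit numbers from linux/capability.h: list index == bit number.
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read",
]
CAP_BIT = {name: bit for bit, name in enumerate(CAP_NAMES)}


def parse_cap_drop(config_text):
    """Collect every capability named on lxc.cap.drop lines.

    lxc allows several space-separated names per line and accumulates
    repeated lxc.cap.drop lines, so both forms are accepted. Unknown names
    are returned separately: a typo would otherwise leave the capability in
    place without any warning.
    """
    dropped, unknown = set(), set()
    for line in config_text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            continue
        m = re.match(r"lxc\.cap\.drop\s*=\s*(.*)$", line)
        if not m:
            continue
        for name in m.group(1).split():
            name = name.lower()
            if name.startswith("cap_"):  # tolerate the CAP_ prefix
                name = name[4:]
            (dropped if name in CAP_BIT else unknown).add(name)
    return dropped, unknown


def decode_capbnd(capbnd_hex):
    """Return the set of capability names present in a CapBnd hex mask."""
    mask = int(capbnd_hex, 16)
    return {name for name, bit in CAP_BIT.items() if (mask >> bit) & 1}


def mask_for(names):
    """Hex mask (as /proc prints it) of a bounding set holding exactly `names`."""
    mask = 0
    for name in names:
        mask |= 1 << CAP_BIT[name]
    return f"{mask:016x}"


def audit(config_text, status_text):
    """Check a /proc/<pid>/status dump against the config's drop list.

    Returns (leaked, unknown): capabilities the config drops that are still in
    the bounding set, and config names lxc would not recognise.
    """
    m = re.search(r"^CapBnd:\s*([0-9a-fA-F]+)", status_text, re.M)
    if not m:
        raise ValueError("no CapBnd line in status text")
    present = decode_capbnd(m.group(1))
    dropped, unknown = parse_cap_drop(config_text)
    return sorted(dropped & present), sorted(unknown)


# Constructed sample input: the drop list from the mail above, and CapBnd values
# for a kernel with 34 capabilities (bits 0..33) before and after dropping them.
SEBASTIEN_DROP = """\
lxc.cap.drop = audit_control audit_write mac_admin mac_override mknod net_raw
lxc.cap.drop = setfcap setpcap sys_admin sys_boot sys_module sys_nice sys_pacct
lxc.cap.drop = sys_rawio sys_resource sys_time sys_tty_config
"""
STATUS_FULL = "Name:\tsshd\nCapBnd:\t00000003ffffffff\n"      # constructed
STATUS_HARDENED = "Name:\tsshd\nCapBnd:\t00000000100cdeff\n"  # constructed

if __name__ == "__main__":
    for label, status in (("full", STATUS_FULL), ("hardened", STATUS_HARDENED)):
        leaked, unknown = audit(SEBASTIEN_DROP, status)
        print(f"{label}: still present={leaked or 'none'} unknown={unknown or 'none'}")
```

To use it on a live container, paste the container's config into `audit()` together with the output of `cat /proc/self/status` taken from a shell inside the container; sys_chroot shows up as present in the hardened mask, which matches the note above about sshd needing it.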