[lxc-users] Failure to start a container with 'lxc.seccomp' option set

Serge Hallyn serge.hallyn at ubuntu.com
Mon Apr 28 17:50:45 UTC 2014


Quoting Nels Nelson (nels.n.nelson at gmail.com):
> Greetings, Serge,-
> 
> Here is the additional information that you requested:
> 
> https://gist.github.com/nelsnelson/11298117
> 
> Thanks for looking into this for me.

Ok, thanks.  That looks exactly as I'd expect:

      lxc-start 1398611507.445 DEBUG    lxc_start - Container violated its seccomp policy

I'm not sure what your sandboxing goal is, but take a look at /usr/share/lxc/seccomp.full
created by /usr/share/lxc/seccomp.script (if you're on ubuntu) for a whitelist policy
that should generally work.  A blacklist policy generally will be easier to deal with,
which would look like:

2
blacklist
mknod

(to disallow the mknod syscall only)

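The two-line-plus-syscalls format above is small enough to lint before starting a container. The following is an added example (my own code, not from this thread or from the LXC project): it parses a version-2 policy and reports what seccomp would do for a given syscall, so a `blacklist` with `mknod` can be checked against the kill that produced the "Container violated its seccomp policy" line. It assumes `#` comments, an optional default action after `whitelist`/`blacklist`, an optional per-syscall action override, and a default of `kill` when none is given; `[arch]` section headers are assumed and skipped.

```python
"""Minimal checker for LXC's version-2 seccomp policy format (added example)."""

from dataclasses import dataclass, field


@dataclass
class SeccompPolicy:
    mode: str                                     # "whitelist" or "blacklist"
    default_action: str                           # action for syscalls the mode denies
    syscalls: dict = field(default_factory=dict)  # syscall name -> action override or None


def parse_policy(text: str) -> SeccompPolicy:
    """Parse a v2 policy. Assumptions: '#' starts a comment, blank lines are ignored,
    '[arch]' lines are per-architecture section headers (skipped here)."""
    lines = [ln.split("#", 1)[0].strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln]
    if len(lines) < 2 or lines[0] != "2":
        raise ValueError("first line must be the version number 2")
    head = lines[1].split()
    mode = head[0]
    if mode not in ("whitelist", "blacklist"):
        raise ValueError("second line must start with 'whitelist' or 'blacklist'")
    # Assumption: with no explicit default action, a denied syscall kills the task,
    # which is what the 'Container violated its seccomp policy' log line reports.
    default_action = " ".join(head[1:]) or "kill"
    policy = SeccompPolicy(mode, default_action)
    for ln in lines[2:]:
        if ln.startswith("["):
            continue
        name, *action = ln.split(None, 1)
        policy.syscalls[name] = action[0] if action else None
    return policy


def check(policy: SeccompPolicy, syscall: str) -> str:
    """Return 'allow' or the denying action ('kill', 'errno 1', ...) for `syscall`."""
    listed = syscall in policy.syscalls
    override = policy.syscalls.get(syscall)
    if policy.mode == "blacklist":
        # Everything runs except the listed syscalls.
        return "allow" if not listed else (override or policy.default_action)
    # Whitelist: only the listed syscalls run; anything else gets the default action.
    return (override or "allow") if listed else policy.default_action


if __name__ == "__main__":
    p = parse_policy("2\nblacklist\nmknod\n")   # the policy from the message above
    print("mknod ->", check(p, "mknod"), "| open ->", check(p, "open"))
```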