[lxc-users] Trouble with unprivileged container on Fedora

Samir Aguiar samir.aguiar at intra2net.com
Thu Feb 19 15:19:43 UTC 2015


I'm having some problems configuring an unprivileged container on Fedora.
I've managed to mount most of the filesystems, but I cannot mount sysfs and use 
the network at the same time.

Here's the mount entry:
lxc.mount.entry = sysfs sys sysfs defaults 0 0

If I use the empty type for network, the container is set and sysfs is 
mounted. However, once I change the type to "none", I get a permission denied 
message when mounting (only for sysfs).

By not mounting sysfs I can set up the container and have network access. 
However, I cannot use the ping command:
$ ping localhost
ping: icmp open socket: Operation not permitted

Some information on the capabilities:
$ getcap /bin/ping
/bin/ping = cap_net_admin,cap_net_raw+ep

$ getcap /usr/bin/lxc-start
/usr/bin/lxc-start = cap_net_admin,cap_net_raw,cap_sys_admin+ep

lxc.cap.keep = sys_admin net_admin net_raw

I'm not using AppArmor, SELinux, or Seccomp.

Any advice on this?
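An added diagnostic, not part of the original post or of LXC, that can be run inside such a container to see why ping is refused. It reports whether the process is in a user namespace, whether CAP_NET_RAW is actually in the effective set of the running process (the file capabilities that getcap shows on /bin/ping are not what decides this; CapEff in /proc/self/status is), and whether net.ipv4.ping_group_range would let a gid open an unprivileged ICMP datagram socket, which needs no CAP_NET_RAW at all and is the usual way to allow ping without raw sockets. The capability bit numbers are those of <linux/capability.h>; everything else is an assumption of this example. The sysfs half of the question is a separate kernel rule: sysfs can only be mounted by a user namespace that owns the current network namespace, so a container sharing the host's network namespace (type "none") cannot mount it, while one with its own (type "empty") can.

```python
#!/usr/bin/env python3
"""Diagnose why `ping` fails inside an unprivileged LXC container (example code).

Three checks, all pure functions over /proc text so they can be tested offline:
  1. is the process in a user namespace (uid_map is not the identity map)?
  2. which of the capabilities named in the post are really in CapEff?
  3. does net.ipv4.ping_group_range admit this gid to unprivileged ICMP
     datagram sockets, which do not need CAP_NET_RAW?
"""
import errno
import os
import socket

# Bit numbers from <linux/capability.h>; only the three mentioned in the post.
CAP_BITS = {"cap_net_admin": 12, "cap_net_raw": 13, "cap_sys_admin": 21}


def caps_in_mask(capeff_hex):
    """Return the subset of CAP_BITS present in a CapEff hex mask."""
    mask = int(capeff_hex, 16)
    return {name for name, bit in CAP_BITS.items() if (mask >> bit) & 1}


def parse_status(status_text):
    """Pull the CapEff value out of /proc/<pid>/status text."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return line.split()[1]
    raise ValueError("no CapEff line in status text")


def in_user_namespace(uid_map_text):
    """True unless uid_map is the identity map of the initial user namespace."""
    return uid_map_text.split() != ["0", "0", "4294967295"]


def gid_may_ping(ping_group_range_text, gid):
    """Kernel rule for net.ipv4.ping_group_range: lo <= gid <= hi.

    The default "1 0" is an empty range, so no group may use ICMP sockets.
    """
    lo, hi = (int(x) for x in ping_group_range_text.split())
    return lo <= gid <= hi


def try_icmp_dgram_socket():
    """Attempt the unprivileged ICMP socket that ping can use without CAP_NET_RAW."""
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_ICMP)
        s.close()
        return True, None
    except OSError as e:
        return False, errno.errorcode.get(e.errno, str(e.errno))


def diagnose(status_text, uid_map_text, ping_range_text, gid):
    """Combine the checks into a list of findings (pure, so it is testable)."""
    findings = []
    caps = caps_in_mask(parse_status(status_text))
    if in_user_namespace(uid_map_text):
        findings.append("running in a user namespace")
    if "cap_net_raw" not in caps:
        findings.append("CAP_NET_RAW not in CapEff: raw ICMP sockets will be refused")
    if gid_may_ping(ping_range_text, gid):
        findings.append("gid %d is inside ping_group_range: ICMP datagram sockets allowed" % gid)
    else:
        findings.append("gid %d is outside ping_group_range: set net.ipv4.ping_group_range" % gid)
    return findings


def main():
    # Read the live kernel state; run this inside the container as the ping user.
    with open("/proc/self/status") as f:
        status = f.read()
    with open("/proc/self/uid_map") as f:
        uid_map = f.read()
    with open("/proc/sys/net/ipv4/ping_group_range") as f:
        ping_range = f.read()
    for line in diagnose(status, uid_map, ping_range, os.getgid()):
        print(line)
    ok, err = try_icmp_dgram_socket()
    print("ICMP datagram socket:", "ok" if ok else "failed (%s)" % err)


if __name__ == "__main__":
    main()
```

Run it as the same user that runs ping. If it reports that CAP_NET_RAW is missing and the gid is outside ping_group_range, the least-privilege fix is to widen ping_group_range (for example `sysctl -w net.ipv4.ping_group_range="0 2147483647"` inside the container, a value chosen here as an illustration) rather than to hand the process CAP_NET_RAW, since datagram ICMP sockets only carry echo requests.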
