[lxc-users] Trouble with unprivileged container on Fedora
Samir Aguiar
samir.aguiar at intra2net.com
Thu Feb 19 15:19:43 UTC 2015
I'm having some problems configuring an unprivileged container on Fedora.
I've managed to mount most of the filesystems, but I cannot mount sysfs and use
the network at the same time.
Here's the mount entry:
lxc.mount.entry = sysfs sys sysfs defaults 0 0
If I use the empty type for network, the container is set and sysfs is
mounted. However, once I change the type to "none", I get a permission denied
message when mounting (only for sysfs).
By not mounting sysfs I can set up the container and have network access.
However, I cannot use the ping command:
$ ping localhost
ping: icmp open socket: Operation not permitted
Some information on the capabilities:
$ getcap /bin/ping
/bin/ping = cap_net_admin,cap_net_raw+ep
$ getcap /usr/bin/lxc-start
/usr/bin/lxc-start = cap_net_admin,cap_net_raw,cap_sys_admin+ep
lxc.cap.keep = sys_admin net_admin net_raw
I'm not using AppArmor, SELinux, or Seccomp.
Any advice on this?
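Added diagnostic, not part of the post above: a small POSIX shell script that decodes the CapEff and CapBnd hex masks the kernel reports in /proc/self/status and says whether the net_admin, net_raw and sys_admin bits requested by the lxc.cap.keep line are actually present for the shell that runs ping inside the container (a missing net_raw in CapEff is what produces "icmp open socket: Operation not permitted"). The capability bit numbers are the ones from linux/capability.h; the masks used in the usage section are constructed samples.

```shell
#!/bin/sh
# Capability bit numbers from linux/capability.h
CAP_NET_ADMIN=12
CAP_NET_RAW=13
CAP_SYS_ADMIN=21

# has_cap HEXMASK BIT: exit 0 if bit BIT is set in the 64-bit hex mask
has_cap() {
    cap_mask_val=$(( 0x$1 ))
    [ $(( (cap_mask_val >> $2) & 1 )) -eq 1 ]
}

# cap_field NAME [PID]: read e.g. CapEff or CapBnd of a process (default: self)
cap_field() {
    awk -v f="$1:" '$1 == f { print $2 }' "/proc/${2:-self}/status"
}

# missing_caps HEXMASK: names of the three caps that are NOT set in HEXMASK
missing_caps() {
    missing=""
    for pair in net_admin:$CAP_NET_ADMIN net_raw:$CAP_NET_RAW sys_admin:$CAP_SYS_ADMIN; do
        has_cap "$1" "${pair##*:}" || missing="$missing ${pair%%:*}"
    done
    printf '%s\n' "${missing# }"
}

# report FIELD: print the mask and which caps are missing from it
report() {
    hex=$(cap_field "$1")
    [ -n "$hex" ] || { echo "$1: not found in /proc/self/status"; return 1; }
    m=$(missing_caps "$hex")
    if [ -z "$m" ]; then
        echo "$1=$hex: net_admin, net_raw and sys_admin all present"
    else
        echo "$1=$hex: missing $m"
    fi
}

# Run inside the container, as the user that runs ping. CapEff is what the
# process can use right now; CapBnd is the ceiling lxc.cap.keep leaves in place.
if [ -r /proc/self/status ] && command -v awk >/dev/null 2>&1; then
    report CapEff
    report CapBnd
fi
```

With the constructed mask 0000000000203000 (bits 12, 13 and 21) `missing_caps` prints nothing, while 0000000000200000 prints `net_admin net_raw`, which is the situation in which ping fails even though the binary carries cap_net_raw+ep.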