[lxc-users] setcap capabilities
Serge Hallyn
serge.hallyn at ubuntu.com
Sat Feb 13 17:20:56 UTC 2016
Quoting Mark Constable (markc at renta.net):
> Outside a container on the host I can...
>
> ~ /sbin/setcap cap_net_bind_service=+ep /usr/bin/caddy
> ~ getcap /usr/bin/caddy
> /usr/bin/caddy = cap_net_bind_service+ep
>
> but inside a container I get...
>
> ~ /sbin/setcap cap_net_bind_service=+ep /usr/bin/caddy
> Failed to set capabilities on file `/usr/bin/caddy' (Invalid argument)
> The value of the capability argument is not permitted for a file. Or the file is not a regular (non-symlink) file
>
> What procedure should I follow to allow the above cap_net_bind_service=+ep to be
> set inside a 2.0.0~beta1 container?
If the container is in a user namespace, you cannot, until we get
the namespaced file capabilities going. You'll have to do it from
the initial user namespace.
If not in a user namespace, ... well it works for me, but
you may have to edit the files under /usr/share/lxc which get
lxc.include'd to make sure they're not dropping CAP_SETFCAP,
and check your apparmor/selinux policy. I'm not going more
into detail on that until we're sure you're not in a user
namespace :)
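The two checks Serge asks for, written as an added POSIX shell script (this is not code from the thread or from the LXC project): whether the current process sits in a non-initial user namespace, read from /proc/self/uid_map (the initial namespace shows the identity mapping "0 0 4294967295"; any other mapping, or several lines, means a user namespace), and whether an LXC config fragment drops CAP_SETFCAP via an lxc.cap.drop line. The sample config text is constructed for the demonstration and is not a real file from /usr/share/lxc; the try_setcap wrapper only reproduces the setcap/getcap pair from the quoted session and refuses up front in the case the reply says cannot work.

```shell
#!/bin/sh
# Diagnose why setcap fails inside a container, following the reply above:
# 1. in a user namespace, file capabilities cannot be set at all;
# 2. otherwise, an lxc.include'd config may be dropping CAP_SETFCAP.

# uid_map_is_initial MAP_TEXT
# Returns 0 when MAP_TEXT is the identity mapping of the initial user namespace.
uid_map_is_initial() {
    # Collapse whitespace so "   0     0  4294967295" compares cleanly;
    # a multi-line map (nested namespaces) can never equal the single identity line.
    normalized=$(printf '%s\n' "$1" | awk 'NF { print $1, $2, $3 }')
    [ "$normalized" = "0 0 4294967295" ]
}

# in_user_namespace
# Returns 0 when this process runs in a non-initial user namespace.
in_user_namespace() {
    if [ -r /proc/self/uid_map ]; then
        uid_map_is_initial "$(cat /proc/self/uid_map)" && return 1
        return 0
    fi
    # No procfs available: cannot tell, assume the initial namespace.
    return 1
}

# config_drops_setfcap CONFIG_TEXT
# Returns 0 when any "lxc.cap.drop = ..." line in CONFIG_TEXT lists setfcap.
# Commented-out lines (leading '#') do not match.
config_drops_setfcap() {
    printf '%s\n' "$1" | awk -F= '
        $1 ~ /^[ \t]*lxc\.cap\.drop[ \t]*$/ {
            n = split($2, caps, /[ \t]+/)
            for (i = 1; i <= n; i++)
                if (tolower(caps[i]) == "setfcap") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Constructed sample config (assumption: illustrative only, not a file shipped by LXC).
SAMPLE_CONFIG='# constructed sample config
lxc.include = /usr/share/lxc/config/common.conf
lxc.cap.drop = mac_admin mac_override sys_time sys_module
lxc.cap.drop = setfcap sys_nice'

# try_setcap FILE
# Wraps the setcap/getcap pair from the quoted session with the checks above.
try_setcap() {
    file="$1"
    if in_user_namespace; then
        echo "in a user namespace: setcap on $file will fail with 'Invalid argument';" >&2
        echo "set the capability from the initial user namespace (the host) instead" >&2
        return 2
    fi
    if ! command -v setcap >/dev/null 2>&1; then
        echo "setcap not found (install the libcap tools)" >&2
        return 3
    fi
    setcap cap_net_bind_service=+ep "$file" && getcap "$file"
}

# Usage: ./check-setcap.sh /usr/bin/caddy
if [ $# -gt 0 ]; then
    if config_drops_setfcap "$SAMPLE_CONFIG"; then
        echo "note: the sample config drops setfcap; check your real lxc.include'd files" >&2
    fi
    try_setcap "$1"
fi
```

Run it inside the container with the binary path as its argument; a return code of 2 means the user-namespace case from the reply, and a setcap failure with a return code of 1 in the initial namespace points at dropped CAP_SETFCAP or at the AppArmor/SELinux policy Serge mentions.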