[lxc-users] setcap capabilities

Serge Hallyn serge.hallyn at ubuntu.com
Fri Feb 19 01:42:51 UTC 2016


Quoting Mark Constable (markc at renta.net):
> On 19/02/16 02:32, Serge Hallyn wrote:
> >>>>but inside a container I get...
> >>>>
> >>>>~ /sbin/setcap cap_net_bind_service=+ep /usr/bin/caddy
> >>>>Failed to set capabilities on file `/usr/bin/caddy' (Invalid argument)
> >>>
> >>>If not in a user namespace, ... well it works for me, but you may
> >>>have to edit the files under /usr/share/lxc which get lxc.include'd
> >>>to make sure they're not dropping CAP_SETFCAP, and check your
> >>>apparmor/selinux policy. I'm not going more into detail on that until
> >>>we're sure you're not in a user namespace :)
> >>
> >>xenial host with a xenial lxd 2.0.0~beta2 unprivileged container
> 
> lxd 2.0.0~beta3 now. Can you spare a moment for a little more detail please?

Sorry apparently I was not clear.  If you are in an unprivileged
container, there is nothing you can do to set file capabilities, apart
from writing the kernel patch (and libcap patch) to make namespaced
capabilities happen.

However any packages in ubuntu should not break due to not being able
to set file capabilities.  I want the namespaced capabilities so we can
stop having fallbacks, but right now if that happens then it is valid
to file a bug against the package which is failing to install.
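The two causes Serge separates here can be told apart from inside the container before anyone touches lxc configs or policy; the following script is an added example, not code from the thread, and assumes only a Linux /proc and the CAP_SETFCAP bit number (31) from linux/capability.h.

```shell
#!/bin/sh
# Added diagnostic (not from this thread). Tells apart the two situations
# described above: inside a user namespace, where file capabilities cannot
# be set at all, versus a container whose lxc config dropped CAP_SETFCAP
# from the bounding set. Assumes a Linux /proc.

CAP_SETFCAP_BIT=31   # CAP_SETFCAP from <linux/capability.h>

# in_user_ns "<uid_map line>": true unless the map is the initial
# namespace's identity map "0 0 4294967295".
in_user_ns() {
    set -- $1                  # split the map line into its three fields
    [ "$1" = 0 ] && [ "$2" = 0 ] && [ "$3" = 4294967295 ] && return 1
    return 0
}

# has_cap_bit <hexmask> <bit>: true when <bit> is set in a capability mask
# as printed by /proc/self/status (e.g. "CapBnd: 0000003fffffffff").
has_cap_bit() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# diagnose: returns 0 when CAP_SETFCAP is available (look at apparmor/
# selinux next), 1 inside a user namespace, 2 when the bounding set lost
# CAP_SETFCAP, 3 when /proc could not be read.
diagnose() {
    uid_map=$(head -n 1 /proc/self/uid_map 2>/dev/null) || return 3
    if in_user_ns "$uid_map"; then
        echo "user namespace (uid_map: $uid_map): setcap cannot work here"
        return 1
    fi
    capbnd=$(sed -n 's/^CapBnd:[[:space:]]*//p' /proc/self/status)
    [ -n "$capbnd" ] || return 3
    if has_cap_bit "$capbnd" "$CAP_SETFCAP_BIT"; then
        echo "CAP_SETFCAP in bounding set ($capbnd): check apparmor/selinux"
        return 0
    fi
    echo "CAP_SETFCAP missing from bounding set ($capbnd): check lxc.include'd files"
    return 2
}

diagnose
```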
