[lxc-users] setcap does not work in unprivileged container

Mark Constable markc at renta.net
Thu Feb 25 10:49:27 UTC 2016


On 25/02/16 20:16, Tamas Papp wrote:
> # /sbin/setcap 'cap_net_bind_service=+ep' /usr/bin/nodejs
> Failed to set capabilities on file `/usr/bin/nodejs' (Invalid argument)
> The value of the capability argument is not permitted for a file. Or the file is not a regular (non-symlink) file
>
> Can we somehow make it work?

The answer seems to be "you can't", sorry.

This is the answer I got to basically the same question a week ago...

> On 19/02/16 02:32, Serge Hallyn wrote:
>>>>> ~ /sbin/setcap cap_net_bind_service=+ep /usr/bin/caddy
>>>>> Failed to set capabilities on file `/usr/bin/caddy' (Invalid argument)
>>>
>>> xenial host with a xenial lxd 2.0.0~beta2 unprivileged container
>
> lxd 2.0.0~beta3 now. Can you spare a moment for a little more detail please?

Sorry apparently I was not clear.  If you are in an unprivileged
container, there is nothing you can do to set file capabilities, apart
from writing the kernel patch (and libcap patch) to make namespaced
capabilities happen.

However any packages in ubuntu should not break due to not being able
to set file capabilities.  I want the namespaced capabilities so we can
stop having fallbacks, but right now if that happens then it is valid
to file a bug against the package which is failing to install.
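A small probe script, added here as an example rather than anything posted in the thread, that tries setcap on a scratch file and tells you whether the "Invalid argument" is the unprivileged-container case Serge describes (a non-identity /proc/self/uid_map) or something else. It assumes setcap from libcap is on the PATH; the uid_map strings in the comments are constructed samples.

```shell
#!/bin/sh
# Added example (not from the lxc-users thread): probe whether file
# capabilities can be set here and explain a failure the way the thread does.

# Returns 0 if the uid_map text (as read from /proc/self/uid_map) is the
# host's identity mapping "0 0 4294967295", i.e. we are NOT in a user
# namespace; returns 1 for any other mapping, e.g. the constructed
# "0 100000 65536" of a typical unprivileged container (an empty map is
# treated as non-identity).
uid_map_is_identity() {
    set -- $1
    if [ "$1" = "0" ] && [ "$2" = "0" ] && [ "$3" = "4294967295" ]; then
        return 0
    fi
    return 1
}

# Pure diagnosis so it can be tested without root: $1 = uid_map text,
# $2 = effective uid. Prints one line.
explain_setcap_failure() {
    if [ "$2" != "0" ]; then
        echo "not root: setting file capabilities needs CAP_SETFCAP"
    elif uid_map_is_identity "$1"; then
        echo "no user namespace: check xattr support on the filesystem"
    else
        echo "user namespace (unprivileged container): file capabilities cannot be set, use a fallback"
    fi
}

# Try setcap on a scratch file. Returns 0 on success, 1 on failure (with
# a diagnosis on stdout). Assumes setcap from libcap is installed.
probe_file_caps() {
    tmp=$(mktemp) || return 1
    if setcap 'cap_net_bind_service=+ep' "$tmp" 2>/dev/null; then
        rm -f "$tmp"
        echo "file capabilities work here"
        return 0
    fi
    rm -f "$tmp"
    explain_setcap_failure "$(cat /proc/self/uid_map 2>/dev/null)" "$(id -u)"
    return 1
}
```

Run `probe_file_caps` as root inside the container to get the diagnosis; as a non-root user it reports the missing CAP_SETFCAP rather than the namespace case.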

