[lxc-users] setcap does not work in unprivileged container

Tamas Papp tompos at martos.bme.hu
Thu Feb 25 10:55:27 UTC 2016



On 02/25/2016 11:49 AM, Mark Constable wrote:
> On 25/02/16 20:16, Tamas Papp wrote:
>> # /sbin/setcap 'cap_net_bind_service=+ep' /usr/bin/nodejs
>> Failed to set capabilities on file `/usr/bin/nodejs' (Invalid argument)
>> The value of the capability argument is not permitted for a file. Or 
>> the file is not a regular (non-symlink) file
>>
>> Can we somehow make it work?
>
> The answer seems to be "you can't", sorry.
>
> This is the answer I got to basically the same question a week ago...
>
>> On 19/02/16 02:32, Serge Hallyn wrote:
>>>>>> ~ /sbin/setcap cap_net_bind_service=+ep /usr/bin/caddy
>>>>>> Failed to set capabilities on file `/usr/bin/caddy' (Invalid 
>>>>>> argument)
>>>>
>>>> xenial host with a xenial lxd 2.0.0~beta2 unprivileged container
>>
>> lxd 2.0.0~beta3 now. Can you spare a moment for a little more detail 
>> please?
>
> Sorry apparently I was not clear.  If you are in an unprivileged
> container, there is nothing you can do to set file capabilities, apart
> from writing the kernel patch (and libcap patch) to make namespaced
> capabilities happen.
>
> However any packages in ubuntu should not break due to not being able
> to set file capabilities.  I want the namespaced capabilities so we can
> stop having fallbacks, but right now if that happens then it is valid
> to file a bug against the package which is failing to install.
>

Too bad, thanks.

tamas
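The failure above has a simple, checkable cause: file capabilities are not namespaced, so setcap on any file fails inside a user namespace such as an unprivileged LXC/LXD container. The script below is an added example, not code from the thread or from the LXC project. It first classifies the current process by its /proc/self/uid_map (the host's identity map is `0 0 4294967295`; anything else means a user namespace), then probes setcap on a scratch file rather than on a real binary, so a package postinst or deploy script can decide on a fallback instead of failing. It assumes /proc is mounted and that setcap(8) from libcap may or may not be installed; the function and file names are the example's own.

```shell
#!/bin/sh
# Added example (not from the lxc-users thread): detect a user namespace and
# probe whether file capabilities can be set before relying on setcap.
# Assumptions: /proc is mounted; setcap(8) from libcap may be absent.

# Return 0 when a uid_map string is the host identity map ("0 0 4294967295"),
# 1 otherwise (i.e. the caller is inside a user namespace, which is what an
# unprivileged container is). Takes the map text as an argument so the
# decision can be tested offline with constructed inputs.
uid_map_is_identity() {
    _map=$(printf '%s\n' "$1" | tr -s ' \t' ' ' | sed 's/^ //; s/ $//')
    [ "$_map" = "0 0 4294967295" ]
}

# Return 0 if the running process is inside a user namespace, 1 if not.
in_user_namespace() {
    if [ ! -r /proc/self/uid_map ]; then
        return 1   # no /proc: assume host namespace
    fi
    if uid_map_is_identity "$(cat /proc/self/uid_map)"; then
        return 1
    fi
    return 0
}

# Try the same capability the thread wanted on /usr/bin/nodejs, but on a
# throwaway regular file, so a refused probe has no side effects.
# Return codes: 0 = file caps work, 1 = setcap not installed, 2 = setcap refused.
try_setcap() {
    if ! command -v setcap >/dev/null 2>&1; then
        return 1
    fi
    _tmp=$(mktemp) || return 2
    if setcap 'cap_net_bind_service=+ep' "$_tmp" 2>/dev/null; then
        rm -f "$_tmp"
        return 0
    fi
    rm -f "$_tmp"
    return 2
}

# Human-readable summary; a postinst would branch on try_setcap instead.
report() {
    if in_user_namespace; then
        echo "inside a user namespace (uid_map is not the identity map)"
    else
        echo "not inside a user namespace"
    fi
    _rc=0
    try_setcap || _rc=$?
    case $_rc in
        0) echo "file capabilities can be set here" ;;
        1) echo "setcap not installed; cannot probe file capabilities" ;;
        2) echo "setcap refused: file capabilities are not namespaced, so an unprivileged container cannot set them; use a fallback (e.g. bind to a high port)" ;;
    esac
}

if [ "${1:-}" = "--run" ]; then
    report
fi
```

Run it as `sh probe_filecaps.sh --run` inside and outside the container to see the two outcomes. The point of probing a scratch file is that the error is identical for every path, which is what tells you the limitation is the namespace rather than the target binary (a symlink or non-regular file would produce the same libcap message for a different reason).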

