[lxc-users] Unprivileged containers and Linux Capabilities

Michele Giacomoli michele.giacomoli at mynet.it
Tue May 17 08:32:18 UTC 2016


Hi all,

I have an Ubuntu 14.04 host with lxc 1.0.3-0ubuntu3. I created an
unprivileged container with the following capabilities dropped by the
/usr/share/lxc/config/ubuntu.common.conf template:

lxc.cap.drop = sys_module mac_admin mac_override sys_time

This is the configuration for the container:

lxc.include = /usr/share/lxc/config/ubuntu.common.conf
lxc.include = /usr/share/lxc/config/ubuntu.userns.conf
lxc.arch = x86_64

lxc.id_map = u 0 123456 65536
lxc.id_map = g 0 123456 65536
lxc.rootfs = /mypath/
lxc.utsname = mycontainer

# Network configuration
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = mylink
lxc.network.name = eth0
lxc.network.hwaddr = my:ma:ca:dd:re:ss

A really basic config file.

I installed a program inside this container which claims it fails when
calling the function pthread_setschedparam. This function should be
permitted when the CAP_SYS_NICE capability is not dropped (and this seems to
be the case). I also had the same problem in the past when trying to let a
guest change the system clock (that time I removed sys_time from the dropped
capabilities).
My questions are: are capabilities taken into consideration when dealing
with unprivileged containers? Do I have something more to do so that I
can use these functions inside an unprivileged container?

Best Regards
Michele
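A small diagnostic for the symptom described in the post above, added here as an example and not part of the original message or of LXC itself: it prints the CAP_SYS_NICE bit from the CapEff mask in /proc/self/status and then reports what pthread_setschedparam(SCHED_FIFO) actually returns, so the two can be compared from inside the container. The CAP_SYS_NICE bit number (23) is taken from linux/capability.h; the hex mask parsing assumes the 64-bit CapEff format that /proc/self/status uses.

```c
/* Compare the CAP_SYS_NICE bit that /proc/self/status reports with what
 * pthread_setschedparam(SCHED_FIFO) actually permits. Added diagnostic,
 * not code from the original post. */
#define _GNU_SOURCE
#include <errno.h>
#include <pthread.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_SYS_NICE_BIT 23  /* linux/capability.h: CAP_SYS_NICE = 23 */

/* Return 1 if bit `cap` is set in a CapEff-style hex mask such as
 * "0000003fffffffff" (the value root sees in a full-capability set). */
int cap_in_mask(const char *hexmask, int cap)
{
    unsigned long long mask = strtoull(hexmask, NULL, 16);
    return (int)((mask >> cap) & 1ULL);
}

/* Copy the CapEff value of /proc/self/status into buf (>= 32 bytes).
 * Returns 1 if the line was found, 0 otherwise (e.g. no procfs). */
int read_cap_eff(char *buf)
{
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    int found = 0;
    if (!f) return 0;
    while (fgets(line, sizeof line, f))
        if (sscanf(line, "CapEff: %31s", buf) == 1) { found = 1; break; }
    fclose(f);
    return found;
}

/* Try to switch the calling thread to SCHED_FIFO priority 1, then restore
 * SCHED_OTHER. Returns 0 on success or the error number from pthreads;
 * EPERM is the failure the program in the post reports. */
int try_sched_fifo(void)
{
    struct sched_param fifo = { .sched_priority = 1 };
    struct sched_param other = { .sched_priority = 0 };
    int rc = pthread_setschedparam(pthread_self(), SCHED_FIFO, &fifo);
    if (rc == 0)
        pthread_setschedparam(pthread_self(), SCHED_OTHER, &other);
    return rc;
}

int main(void)
{
    char caps[32] = "0";
    int have = read_cap_eff(caps);
    int rc = try_sched_fifo();
    printf("CapEff=%s sys_nice_bit=%d\n", have ? caps : "(unreadable)",
           have ? cap_in_mask(caps, CAP_SYS_NICE_BIT) : -1);
    printf("pthread_setschedparam(SCHED_FIFO): %s\n", rc ? strerror(rc) : "ok");
    return 0;
}
```

Run it once on the host as root and once as root inside the container: the capability bit can be set in both while only the host call succeeds, because the scheduler check is made against the initial user namespace, not the container's.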