[lxc-users] Unprivileged containers and Linux Capabilities

Serge E. Hallyn serge at hallyn.com
Tue May 17 14:43:51 UTC 2016

On Tue, May 17, 2016 at 10:32:18AM +0200, Michele Giacomoli wrote:
> Hi all,
> I have an Ubuntu 14.04 host with lxc 1.0.3-0ubuntu3. I created an
> unprivileged container with the following capabilities dropped from
> /usr/share/lxc/config/ubuntu.common.conf template:
> lxc.cap.drop = sys_module mac_admin mac_override sys_time
> This is the configuration for the container:
> lxc.include = /usr/share/lxc/config/ubuntu.common.conf
> lxc.include = /usr/share/lxc/config/ubuntu.userns.conf
> lxc.arch = x86_64
> lxc.id_map = u 0 123456 65536
> lxc.id_map = g 0 123456 65536
> lxc.rootfs = /mypath/
> lxc.utsname = mycontainer
> # Network configuration
> lxc.network.type = veth
> lxc.network.flags = up
> lxc.network.link = mylink
> lxc.network.name = eth0
> lxc.network.hwaddr = my:ma:ca:dd:re:ss
> A really basic config file
> I installed a program inside this container which claims it fails
> when calling function pthread_setschedparam. This function should be
> permitted when CAP_SYS_NICE capability is not dropped (and this
> seems to be the case). I also had the same problem in the past when
> trying to let a guest change the system clock (that time I removed
> sys_time from the dropped capabilities).
> My questions are: are capabilities taken in consideration when
> dealing with unprivileged containers? Do I have something more to do
> so that I can use these functions inside an unprivileged container?
> Best Regards
> Michele

Capabilities are targeted to a user namespace.  If modifying a
resource can adversely affect the host, then you'll need the
related capability targeted at the initial user namespace, rather
than your own.  (In the kernel source this is the difference between
capable(CAP_SYS_NICE) and ns_capable(ns, CAP_SYS_NICE), where
capable(x) expands to ns_capable(&init_user_ns, x).)

So the feature you're trying to set in the container likely requires
the capability against the initial user ns.  Your container cannot
have that.
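An added example to make Serge's point observable from inside a container (this is not code from the thread or from LXC): it reads the effective capability mask of the calling process from /proc/self/status, which reflects the process's own user namespace, then attempts to switch the calling thread to SCHED_FIFO via sched_setscheduler(), the system call underneath pthread_setschedparam(). Seeing CAP_SYS_NICE in CapEff while the call still fails with EPERM is the signature of a capable() check against init_user_ns rather than an ns_capable() check against the container's namespace. The bit number 23 for CAP_SYS_NICE is from linux/capability.h; the outcome inside an unprivileged container is assumed to match the explanation above (a sufficiently high RLIMIT_RTPRIO is the one other way the kernel lets the call through).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_SYS_NICE_BIT 23   /* bit index of CAP_SYS_NICE, linux/capability.h */

/* Test one capability bit in a CapEff/CapPrm hex mask as printed in
 * /proc/self/status. Returns 1 if the bit is set, 0 otherwise. */
int cap_mask_has(const char *hexmask, int cap)
{
    uint64_t mask = strtoull(hexmask, NULL, 16);
    return (int)((mask >> cap) & 1ULL);
}

/* Copy the value of the CapEff: line of /proc/self/status into buf.
 * Returns 1 on success, 0 if the file or line could not be read. */
int read_capeff(char *buf, size_t len)
{
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    int found = 0;

    if (!f)
        return 0;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "CapEff:", 7) == 0) {
            const char *p = line + 7;
            while (*p == ' ' || *p == '\t')
                p++;
            strncpy(buf, p, len - 1);
            buf[len - 1] = '\0';
            buf[strcspn(buf, "\n")] = '\0';
            found = 1;
            break;
        }
    }
    fclose(f);
    return found;
}

/* Try to move the calling thread to SCHED_FIFO priority 1.
 * Returns 0 on success or the errno value on failure. */
int try_fifo(void)
{
    struct sched_param sp;

    memset(&sp, 0, sizeof sp);
    sp.sched_priority = 1;
    if (sched_setscheduler(0, SCHED_FIFO, &sp) == -1)
        return errno;
    return 0;
}

/* Interpret the result in the terms of the reply above: EPERM while the
 * namespace-local CapEff shows CAP_SYS_NICE means the kernel used
 * capable() (initial user ns), not ns_capable() (this container's ns). */
const char *explain(int err, int ns_has_sys_nice)
{
    if (err == 0)
        return "allowed";
    if (err == EPERM && ns_has_sys_nice)
        return "EPERM despite CAP_SYS_NICE in this user namespace: checked against init_user_ns";
    if (err == EPERM)
        return "EPERM: CAP_SYS_NICE not in effective set";
    return "failed for another reason";
}

int main(void)
{
    char capeff[32] = "unknown";
    int has = 0;
    int err;

    if (read_capeff(capeff, sizeof capeff))
        has = cap_mask_has(capeff, CAP_SYS_NICE_BIT);
    err = try_fifo();
    printf("CapEff=%s sys_nice_in_ns=%d result=%s (errno %d: %s)\n",
           capeff, has, explain(err, has), err, strerror(err));
    return 0;
}
```

Run it as root inside the unprivileged container and on the host; the container run typically prints a full-looking CapEff mask together with the EPERM explanation, which is exactly the situation Michele hit, while the same binary on the host succeeds.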