[lxc-users] Unprivileged containers and Linux Capabilities

Michele Giacomoli michele.giacomoli at mynet.it
Wed May 18 07:57:11 UTC 2016


Thank you Serge

Is there a way for managing user namespace capabilities and add needed 
capabilities to initial user namespace?

Best regards
Michele

Il 17/05/2016 16:43, Serge E. Hallyn ha scritto:
> On Tue, May 17, 2016 at 10:32:18AM +0200, Michele Giacomoli wrote:
>> HI all,
>>
>> I have an Ubuntu 14.04 host with lxc 1.0.3-0ubuntu3. I created an
>> unprivileged container with the following capabilities dropped from
>> /usr/share/lxc/config/ubuntu.common.conf template:
>> lxc.cap.drop = sys_module mac_admin mac_override sys_time
>> This is the configuration for the container:
>>
>> lxc.include = /usr/share/lxc/config/ubuntu.common.conf
>> lxc.include = /usr/share/lxc/config/ubuntu.userns.conf
>> lxc.arch = x86_64
>>
>> lxc.id_map = u 0 123456 65536
>> lxc.id_map = g 0 123456 65536
>> lxc.rootfs = /mypath/
>> lxc.utsname = mycontainer
>>
>> # Network configuration
>> lxc.network.type = veth
>> lxc.network.flags = up
>> lxc.network.link = mylink
>> lxc.network.name = eth0
>> lxc.network.hwaddr = my:ma:ca:dd:re:ss
>>
>> A really basic config file
>>
>> I installed a program inside this container which claims it fails
>> when calling function pthread_setschedparam. This function should be
>> permitted when CAP_SYS_NICE capability is not dropped (and this
>> seems to be the case). I also had same problem in the past when
>> trying to let a guest change system clock (that time I removed
>> sys_time from dropped capabilities).
>> My questions are: are capabilities taken in consideration when
>> dealing with unprivileged containers? Do I have something more to do
>> so that I can use this functions inside an unprivileged container?
>>
>> Best Regards
>> Michele
> Capabilities are targeted to a user namespace.  If a modifying a
> resource can adversely affect the host, then you'll need the
> related capability targeted at the initial user namespace, rather
> than your own.  (In the kernel source this is the difference between
> capable(CAP_SYS_NICE) and ns_capable(ns, CAP_SYS_NICE), where
> capable(x) expands to ns_capable(&init_user_ns, x).
>
> So the feature you're trying to set in the container likely requires
> the capaability against the initial user ns.  Your container cannot
> have that.
>
> -serge
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users



More information about the lxc-users mailing list