[lxc-users] Unprivileged containers and Linux Capabilities
Serge E. Hallyn
serge at hallyn.com
Thu May 19 04:09:42 UTC 2016

Quoting Michele Giacomoli (michele.giacomoli at mynet.it):
> Thank you,
> So, as result, there is no way to keep capabilities for unprivileged
> containers, and lxc.cap.drop/keep in this case are pretty useless.
> Am I right?
There's no way to keep capabilities targeted at the host.  If for
whatever reason you want to drop capabilities toward the container
itself, you can still use lxc.cap.*, but I don't know of anyone
doing that.
(It could in fact be a way to prevent some of the otherwise increased
kernel surface area)
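Added example, not from the thread or from LXC itself: the reply says lxc.cap.drop still works in an unprivileged container, but only against the capabilities the container holds in its own user namespace. The practical check is to read the Cap* bitmasks the kernel reports in /proc/<pid>/status for the container's init and see whether the dropped capabilities are really gone from the bounding set. The script below decodes those masks by kernel bit number, models lxc.cap.drop as clearing the named bits from a starting bounding set (an assumed model of the config key, not LXC's code), and compares the result with a constructed sample of a status file from a kernel that knows 38 capabilities.

```python
# Added example (not from the lxc-users thread): decode the capability
# bitmasks the kernel reports in /proc/<pid>/status so an administrator can
# check which capabilities a process inside an unprivileged container still
# holds after lxc.cap.drop. Inside such a container the bits describe
# capabilities relative to the container's own user namespace, not the host.

# Capability names in kernel bit order (include/uapi/linux/capability.h).
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]


def decode_caps(mask):
    """Return the capability names whose bits are set in an integer mask."""
    return [name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1]


def expected_bounding_set(full_mask, drop_list):
    """Assumed model of `lxc.cap.drop = <names>`: clear each named bit
    from the starting bounding set."""
    mask = full_mask
    for name in drop_list:
        mask &= ~(1 << CAP_NAMES.index(name))
    return mask


def parse_status_caps(status_text):
    """Pull the Cap* lines out of /proc/<pid>/status text into {field: int}."""
    caps = {}
    for line in status_text.splitlines():
        if line.startswith("Cap"):
            field, value = line.split(":")
            caps[field] = int(value.strip(), 16)
    return caps


def verify_drop(status_text, full_mask, drop_list):
    """Compare the reported bounding set with what lxc.cap.drop should leave.
    Returns (matches, unexpectedly_present, unexpectedly_missing)."""
    actual = parse_status_caps(status_text)["CapBnd"]
    expected = expected_bounding_set(full_mask, drop_list)
    present = decode_caps(actual & ~expected)   # held but should be dropped
    missing = decode_caps(expected & ~actual)   # dropped but should be held
    return actual == expected, present, missing


# Constructed sample: Cap* lines as a kernel with 38 capabilities would show
# them for a container init after dropping four capabilities.
SAMPLE_STATUS = """Name:\tinit
Pid:\t1
CapInh:\t0000000000000000
CapPrm:\t0000003cfdfeffff
CapEff:\t0000003cfdfeffff
CapBnd:\t0000003cfdfeffff
"""
FULL_38 = (1 << 38) - 1        # every capability known to a 38-cap kernel
DROPPED = ["sys_module", "sys_time", "mac_override", "mac_admin"]

if __name__ == "__main__":
    ok, extra, gone = verify_drop(SAMPLE_STATUS, FULL_38, DROPPED)
    print("bounding set matches lxc.cap.drop:", ok)
    held = decode_caps(parse_status_caps(SAMPLE_STATUS)["CapBnd"])
    print("still held in the container's user namespace:", ", ".join(held))
```

On a live system, read `/proc/<init-pid>/status` from the host (or `/proc/1/status` from inside the container) and pass that text instead of the constructed sample; the `FULL_38` starting mask should be replaced with the bounding set a process in the container would have with no lxc.cap.drop configured, since that depends on the running kernel.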