[lxc-users] Unprivileged containers and Linux Capabilities

Serge E. Hallyn serge at hallyn.com
Thu May 19 04:09:42 UTC 2016


Quoting Michele Giacomoli (michele.giacomoli at mynet.it):
> Thank you,
> So, as result, there is no way to keep capabilities for unprivileged
> containers, and lxc.cap.drop/keep in this case are pretty useless.
> Am I right?

There's no way to keep capabilities targeted at the host.  If for
whatever reason you want to drop capabilities toward the container
itself, you can still use lxc.cap.*, but I don't know of anyone
doing that.

(It could in fact be a way to prevent some of the otherwise increased
kernel surface area)


More information about the lxc-users mailing list