[lxc-users] Unprivileged containers and Linux Capabilities

Michele Giacomoli michele.giacomoli at mynet.it
Thu May 19 07:24:39 UTC 2016


Ok, I got it. Thank you very much for your answer, Serge.

On 19/05/2016 06:09, Serge E. Hallyn wrote:
> Quoting Michele Giacomoli (michele.giacomoli at mynet.it):
>> Thank you,
>> So, as a result, there is no way to keep capabilities for unprivileged
>> containers, and lxc.cap.drop/keep in this case are pretty useless.
>> Am I right?
> There's no way to keep capabilities targeted at the host.  If for
> whatever reason you want to drop capabilities toward the container
> itself, you can still use lxc.cap.*, but I don't know of anyone
> doing that.
>
> (It could in fact be a way to prevent some of the otherwise increased
> kernel surface area)