[lxc-users] Capabilities (mlock) in unprivileged containers

Gregory Lutostanski gregory.lutostanski at canonical.com
Mon Sep 12 20:38:50 UTC 2016


Hey all.

Curious if anyone has experience with getting capabilities working in
unprivileged containers. In particular I am trying to get mlock working...

Everything works as expected running in an unprivileged container.
lxc.cap.drop is the default (mac_admin mac_override sys_time sys_module
sys_rawio), I believe. So I would think that it would work as is... But it
doesn't. I know nothing about capabilities other than "man capabilities". I
would like it to work for running Vault in an unprivileged lxc (
https://www.vaultproject.io/docs/config/index.html#disable_mlock) or is
that just crazy?

Is there some set of apparmor/privileges I can grant to the container other
than going fully privileged that would cover this?

If anyone is curious I am running this test to see if it works as
expected...
https://github.com/linux-test-project/ltp/releases/tag/20160510
(ltp-full-20160510/testcases/kernel/syscalls/mlock/mlock01.c)

Any input (even generic points in the right direction) would be helpful.

Thanks!
Greg
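As an added example (not from the original post, and not code from LXC, LTP or Vault), here is a small probe for the question above: instead of only observing that mlock() fails, it reports the errno, the process's RLIMIT_MEMLOCK soft and hard limits, and whether CAP_IPC_LOCK (capability number 14) is in the effective set read from /proc/self/status. The errno meanings in the comments follow mlock(2): EPERM when the caller lacks CAP_IPC_LOCK and the soft limit is 0, ENOMEM when the lock would exceed a non-zero RLIMIT_MEMLOCK. The CapEff parsing assumes the /proc/PID/status format of a hex mask after the "CapEff:" tag.

```c
/* Added diagnostic for mlock() in containers (not the list post's, LXC's
 * or LTP's code). Build: cc -o mlock-probe mlock-probe.c */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <unistd.h>

#define CAP_IPC_LOCK_BIT 14   /* CAP_IPC_LOCK is capability number 14 */

/* Return 1 if bit `cap` is set in a hex capability mask (the format of the
 * CapEff line in /proc/self/status), 0 if clear, -1 on a parse error. */
int cap_in_hex_mask(const char *hex, int cap)
{
    char *end;
    unsigned long long mask;
    if (cap < 0 || cap > 63)
        return -1;
    errno = 0;
    mask = strtoull(hex, &end, 16);      /* skips leading whitespace */
    if (errno != 0 || end == hex)
        return -1;
    return (int)((mask >> cap) & 1ULL);
}

/* Look up `cap` in this process's effective set via /proc/self/status.
 * Returns 1/0, or -1 if the file or the CapEff line is unavailable. */
int effective_cap_set(int cap)
{
    char line[256];
    int result = -1;
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "CapEff:", 7) == 0) {
            result = cap_in_hex_mask(line + 7, cap);
            break;
        }
    }
    fclose(f);
    return result;
}

/* Try to lock one page of anonymous memory. Returns 0 on success, or -1
 * with *err set to mlock()'s errno: EPERM = no CAP_IPC_LOCK and soft
 * RLIMIT_MEMLOCK is 0; ENOMEM = lock would exceed RLIMIT_MEMLOCK. */
int probe_mlock(int *err)
{
    long page = sysconf(_SC_PAGESIZE);
    void *p;
    int rc;
    if (page <= 0) { *err = EINVAL; return -1; }
    p = mmap(NULL, (size_t)page, PROT_READ | PROT_WRITE,
             MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) { *err = errno; return -1; }
    rc = mlock(p, (size_t)page);
    *err = (rc == 0) ? 0 : errno;
    if (rc == 0)
        munlock(p, (size_t)page);
    munmap(p, (size_t)page);
    return (rc == 0) ? 0 : -1;
}

static void print_limit(const char *name, rlim_t v)
{
    if (v == RLIM_INFINITY)
        printf("%s=unlimited", name);
    else
        printf("%s=%llu", name, (unsigned long long)v);
}

int main(void)
{
    struct rlimit rl;
    int err = 0;
    int rc = probe_mlock(&err);
    int cap = effective_cap_set(CAP_IPC_LOCK_BIT);

    if (getrlimit(RLIMIT_MEMLOCK, &rl) == 0) {
        printf("RLIMIT_MEMLOCK: ");
        print_limit("soft", rl.rlim_cur);
        printf(" ");
        print_limit("hard", rl.rlim_max);
        printf(" (bytes)\n");
    }
    printf("CAP_IPC_LOCK in CapEff: %s\n",
           cap == 1 ? "yes" : cap == 0 ? "no" : "unknown");
    if (rc == 0)
        printf("mlock(1 page): ok\n");
    else
        printf("mlock(1 page): failed: %s (errno %d)\n", strerror(err), err);
    return rc == 0 ? 0 : 1;
}
```

Run it inside the container (and, for comparison, on the host). The practical caveat when reading the output: the kernel's mlock permission check (can_do_mlock in mm/mlock.c) accepts either a non-zero RLIMIT_MEMLOCK or capable(CAP_IPC_LOCK), and capable() tests the capability against the initial user namespace. So inside an unprivileged container CapEff can show CAP_IPC_LOCK and mlock can still fail; what decides the outcome there is the container's RLIMIT_MEMLOCK (ulimit -l inside the container), which has to be non-zero and large enough for what Vault locks.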