[lxc-users] container root unable to setcap in container

Fajar A. Nugraha list at fajar.net
Fri Mar 9 11:16:30 UTC 2018


On Fri, Mar 9, 2018 at 5:09 PM, Michael Johnson
<johnson at cognitech-ut.com> wrote:
> Hi All!
>
> I have noticed that a container's root user is unable to modify the
> capabilities of a root-owned file in the container.
>
> For example:
> setcap cap_net_raw=ep /bin/ping
> returns:
> Failed to set capabilities on file `ping' (Operation not permitted)

Probably https://github.com/lxc/lxd/issues/2507#issuecomment-254058349

> It is possible to set this capability as root from the host, operating
> on the container's file.
>
> Can someone please explain this behavior? What am I doing wrong? When is
> root in the container not root in the container?
>

If you use lxd, the default is unprivileged. "fake" root.

> This is on gentoo. Have I overlooked an obscure kernel config?

AFAIK some distros could detect whether setcap is possible, and if
not, fall back to using suid.

-- 
Fajar
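The "fake root" answer above comes down to two things a process can check for itself: whether uid 0 in its user namespace maps to uid 0 on the host (/proc/self/uid_map), and whether CAP_SETFCAP is actually in its effective and bounding capability sets (/proc/self/status). The script below is an added example, not code from the thread or from LXC/LXD; the two uid_map and status samples it embeds are constructed, and the only real identifier it relies on is CAP_SETFCAP being bit 31 in linux/capability.h. When run directly it applies the same checks to the calling process, which is a useful first step before reaching for the kernel config.

```python
"""Diagnose why `setcap` fails for root inside a container.

Added example, not part of the mailing-list thread. It reads the same
two files a container's root would look at: /proc/self/uid_map (is uid 0
really host uid 0?) and /proc/self/status (is CAP_SETFCAP held?).
"""

# Bit number of CAP_SETFCAP in linux/capability.h (real value).
CAP_SETFCAP = 31
# Count used by the kernel's identity mapping "0 0 4294967295".
FULL_RANGE = 4294967295

# Constructed samples: a host shell and an unprivileged container root.
HOST_UID_MAP = "         0          0 4294967295\n"
CONTAINER_UID_MAP = "         0     100000      65536\n"
SAMPLE_STATUS = (
    "Name:\tbash\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000003fffffffff\n"
    "CapEff:\t0000003fffffffff\n"
    "CapBnd:\t0000003fffffffff\n"
)


def parse_uid_map(text):
    """Parse uid_map lines of the form: <ns_start> <host_start> <count>."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        entries.append(tuple(int(p) for p in parts))
    return entries


def is_real_root(uid_map_entries):
    """True only if uid 0 in this namespace is uid 0 on the host."""
    for ns_start, host_start, count in uid_map_entries:
        if ns_start <= 0 < ns_start + count:
            return host_start + (0 - ns_start) == 0
    return False  # uid 0 is not mapped at all


def parse_cap_mask(status_text, field="CapEff"):
    """Return the hex capability mask for a /proc/<pid>/status field."""
    for line in status_text.splitlines():
        if line.startswith(field + ":"):
            return int(line.split(":", 1)[1].strip(), 16)
    return None


def has_cap(mask, cap_bit):
    """Test one capability bit in a mask (None means the field was absent)."""
    return mask is not None and (mask >> cap_bit) & 1 == 1


def diagnose(uid_map_text, status_text):
    """Combine both checks into a dict with a one-line verdict."""
    entries = parse_uid_map(uid_map_text)
    real_root = is_real_root(entries)
    in_userns = entries != [(0, 0, FULL_RANGE)]
    result = {
        "real_root": real_root,
        "user_namespace": in_userns,
        "has_setfcap": has_cap(parse_cap_mask(status_text, "CapEff"), CAP_SETFCAP),
        "setfcap_in_bounding_set": has_cap(parse_cap_mask(status_text, "CapBnd"), CAP_SETFCAP),
    }
    if real_root and result["has_setfcap"]:
        result["verdict"] = "setcap should work: real root with CAP_SETFCAP"
    elif in_userns:
        result["verdict"] = ("unprivileged container: uid 0 maps to an unprivileged "
                             "host uid, so the kernel may refuse file capabilities")
    else:
        result["verdict"] = "CAP_SETFCAP is missing from the effective set"
    return result


def diagnose_self():
    """Run the same checks against the calling process."""
    with open("/proc/self/uid_map") as f:
        uid_map = f.read()
    with open("/proc/self/status") as f:
        status = f.read()
    return diagnose(uid_map, status)


if __name__ == "__main__":
    for key, value in diagnose_self().items():
        print(f"{key}: {value}")
```

Running it on the host prints real_root: True; inside an unprivileged container it prints user_namespace: True even though CapEff still shows CAP_SETFCAP, which is exactly the situation where setcap reports "Operation not permitted" on kernels without namespaced file capabilities.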

