[lxc-users] container root unable to setcap in container
Fajar A. Nugraha
list at fajar.net
Fri Mar 9 11:16:30 UTC 2018
On Fri, Mar 9, 2018 at 5:09 PM, Michael Johnson
<johnson at cognitech-ut.com> wrote:
> Hi All!
>
> I have noticed that a container's root user is unable to modify the
> capabilities of a root-owned file in the container.
>
> For example:
> setcap cap_net_raw=ep /bin/ping
> returns:
> Failed to set capabilities on file `ping' (Operation not permitted)
Probably https://github.com/lxc/lxd/issues/2507#issuecomment-254058349
> It is possible to set this capability as root from the host, operating
> on the container's file.
>
> Can someone please explain this behavior? What am I doing wrong? When is
> root in the container not root in the container?
>
If you use lxd, the default is unprivileged. "fake" root.
> This is on gentoo. Have I overlooked an obscure kernel config?
AFAIK some distros could detect whether setcap is possible, and if
not, fallback using suid.
--
Fajar
More information about the lxc-users
mailing list