[lxc-users] container root unable to setcap in container

Michael Johnson johnson at cognitech-ut.com
Fri Mar 9 12:27:33 UTC 2018


Thanks Fajar!

Your notes caused me to recall that I needed:
lxc config set container_name security.privileged true
and
lxc config set container_name security.privileged false
when installing the Apache web server (httpd) in a CentOS container.

The same trick will resolve my present dilemma.

-Johnson

Fajar A. Nugraha wrote:
> On Fri, Mar 9, 2018 at 5:09 PM, Michael Johnson
> <johnson at cognitech-ut.com> wrote:
>> Hi All!
>>
>> I have noticed that a container's root user is unable to modify the
>> capabilities of a root-owned file in the container.
>>
>> For example:
>> setcap cap_net_raw=ep /bin/ping
>> returns:
>> Failed to set capabilities on file `ping' (Operation not permitted)
> 
> Probably https://github.com/lxc/lxd/issues/2507#issuecomment-254058349
> 
>> It is possible to set this capability as root from the host, operating
>> on the container's file.
>>
>> Can someone please explain this behavior? What am I doing wrong? When is
>> root in the container not root in the container?
>>
> 
> If you use lxd, the default is unprivileged. "fake" root.
> 
>> This is on gentoo. Have I overlooked an obscure kernel config?
> 
> AFAIK some distros can detect whether setcap is possible and, if
> not, fall back to using suid.
> 
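An added shell example, not from anyone in the thread, that makes the "fake root" point checkable: it reads uid_map text in the /proc/self/uid_map format and tells real root from root inside a user namespace, which is the situation in an unprivileged LXD container. The sample map lines are constructed, and `uid_is_remapped` and `setcap_advice` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: distinguish "real" root from user-namespace ("fake") root by
# parsing a uid_map. In an unprivileged LXD container, container uid 0 maps to
# an unprivileged host uid, which is why setcap(8) inside the container fails
# with "Operation not permitted" while the same setcap from the host succeeds.

# Constructed sample maps (not taken from the thread):
#   host / privileged container: identity map over the whole uid range
#   unprivileged container:      container uid 0 -> host uid 100000
HOST_UID_MAP='         0          0 4294967295'
UNPRIV_UID_MAP='         0     100000      65536'

# uid_is_remapped MAP_TEXT: succeed (exit 0) when no entry maps inside-uid 0
# onto outside-uid 0, i.e. the caller is root only inside a user namespace.
uid_is_remapped() {
    while read -r inside outside count; do
        [ -z "$inside" ] && continue          # skip blank lines
        if [ "$inside" -eq 0 ] && [ "$outside" -eq 0 ]; then
            return 1                          # real root: uid 0 is host uid 0
        fi
    done <<EOF
$1
EOF
    return 0                                  # remapped or unmapped: fake root
}

# setcap_advice MAP_TEXT: print the option the thread points to for each case.
setcap_advice() {
    if uid_is_remapped "$1"; then
        echo "unprivileged: setcap on the rootfs from the host, toggle security.privileged, or use suid"
    else
        echo "privileged: setcap should work inside the container"
    fi
}

# Live check of the current process (read-only access to /proc).
if [ -r /proc/self/uid_map ]; then
    setcap_advice "$(cat /proc/self/uid_map)"
fi
```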