[lxc-users] How to set cap in unprivileged container

Stéphane Graber stgraber at ubuntu.com
Tue Mar 26 16:59:09 UTC 2019


On Tue, Mar 26, 2019 at 12:04:17PM +0100, Kees Bakker wrote:
> Hey,
> 
> It is not clear to me if and how it is possible to set a capability in
> the config of a container. What I would like to do is to allow CAP_MKNOD
> in a container.
> 
> In the old (?) LXC you would presumably use lxc.cap.keep, but that doesn't
> work with LXD 3.x.

Unprivileged containers have all capabilities, including CAP_MKNOD; it
just so happens that the kernel check for mknod will not allow root in
an unprivileged container to run mknod, no matter its capabilities.

That's the long version of just saying that you can't, and that it's not
a configuration issue but a hard kernel restriction on unprivileged
users.

We do have some ongoing work on the LXD side which will let us bypass
such kernel restrictions by intercepting, evaluating and running select
system calls in userspace, but that's still quite a few months out at
least (will require kernel 5.0 or higher, with future versions of
libseccomp, liblxc and lxd).

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
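The point of the reply above can be observed directly: a process in an unprivileged container shows CAP_MKNOD in its effective capability set, yet creating a device node still fails with EPERM because the kernel's CAP_MKNOD check for character and block devices is made against the initial user namespace, not the container's. The following script is an added illustration of that check, not code from the thread or from the LXD project. It decodes the CapEff mask from /proc/self/status (capability bit numbers come from the kernel's capability.h; CAP_MKNOD is bit 27), then attempts to create a char device node (1,3) in a temporary directory and reports the errno name. Run it as root inside an unprivileged container and on the host to compare.

```python
import errno
import os
import re
import stat
import tempfile

# Capability bit numbers from the kernel's include/uapi/linux/capability.h.
CAP_SYS_ADMIN = 21
CAP_MKNOD = 27


def parse_cap_mask(status_text, field="CapEff"):
    """Return the 64-bit capability mask for `field` from a /proc/<pid>/status dump."""
    m = re.search(rf"^{field}:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if not m:
        raise ValueError(f"{field} not present in status text")
    return int(m.group(1), 16)


def has_cap(mask, cap):
    """True if capability number `cap` is set in `mask`."""
    return bool((mask >> cap) & 1)


def current_cap_mask(field="CapEff"):
    """Read the calling process's own capability mask from procfs."""
    with open("/proc/self/status") as f:
        return parse_cap_mask(f.read(), field)


def try_mknod_chardev(major=1, minor=3):
    """Attempt to create a character device node; return 'ok' or the errno name.

    Inside an unprivileged container this returns 'EPERM' even though
    CapEff shows CAP_MKNOD: vfs_mknod() requires CAP_MKNOD in the *initial*
    user namespace for S_IFCHR/S_IFBLK nodes, which container root never has.
    """
    workdir = tempfile.mkdtemp(prefix="mknod-check-")
    path = os.path.join(workdir, "dev-null-copy")
    try:
        os.mknod(path, 0o600 | stat.S_IFCHR, os.makedev(major, minor))
        return "ok"
    except OSError as e:
        return errno.errorcode.get(e.errno, f"errno {e.errno}")
    finally:
        # Clean up whether or not the node was created.
        if os.path.lexists(path):
            os.unlink(path)
        os.rmdir(workdir)


def describe():
    """Summarise what this process can see versus what the kernel allows."""
    eff = current_cap_mask("CapEff")
    return {
        "cap_eff": f"{eff:016x}",
        "has_cap_mknod": has_cap(eff, CAP_MKNOD),
        "has_cap_sys_admin": has_cap(eff, CAP_SYS_ADMIN),
        "mknod_chardev": try_mknod_chardev(),
    }


if __name__ == "__main__":
    for key, value in describe().items():
        print(f"{key:18} {value}")
```

A typical result as root in an unprivileged LXD container is `has_cap_mknod True` next to `mknod_chardev EPERM`, which is exactly the mismatch the reply describes: the capability is present in the namespace, but the kernel does not consult it for device nodes. Note that mknod of FIFOs and regular files is not subject to this check, so only S_IFCHR and S_IFBLK are meaningful here.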