[lxc-users] How to set cap in unprivileged container

Kees Bakker keesb at ghs.com
Wed Mar 27 07:39:52 UTC 2019


On 26-03-19 17:59, Stéphane Graber wrote:
> On Tue, Mar 26, 2019 at 12:04:17PM +0100, Kees Bakker wrote:
>> Hey,
>>
>> It is not clear to me if and how it is possible to set a capability in
>> the config of a container. What I would like to do is to allow CAP_MKNOD
>> in a container.
>>
>> In the old (?) LXC you would presumably use lxc.cap.keep, but that doesn't
>> work with LXD 3.x
> Unprivileged containers have all capabilities, including CAP_MKNOD; it
> just so happens that the kernel check for mknod will not allow root in
> an unprivileged container to run mknod, no matter its capabilities.
>
> That's the long version of just saying that you can't and that it's not
> a configuration issue but a hard kernel restriction on unprivileged
> users.
Sad, but thanks for the explanation.
>
> We do have some ongoing work on the LXD side which will let us bypass
> such kernel restrictions by intercepting, evaluating and running select
> system calls in userspace, but that's still quite a few months out at
> least (will require kernel 5.0 or higher, with future versions of
> libseccomp, liblxc and lxd).
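Added example (not part of this thread, and not LXD or LXC code): a small C program that reproduces the point Stéphane makes above. It enters a fresh user namespace the way an unprivileged container does, maps the caller to uid 0 there, shows that CAP_MKNOD is present in the effective set reported by /proc/self/status, and then tries to create a character device node, which the kernel refuses with EPERM because the check in vfs_mknod uses capable(CAP_MKNOD), evaluated against the initial user namespace rather than the container's. The CapEff parser, the helper names, the /tmp path and the device numbers (1,3, i.e. /dev/null) are my own choices for the demonstration, not anything from the thread.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/sysmacros.h>
#include <unistd.h>
#include <linux/capability.h>   /* CAP_MKNOD (capability bit 27) */
#include <linux/sched.h>        /* CLONE_NEWUSER */

/* Parse the "CapEff:" line of /proc/<pid>/status text and report whether
 * capability bit `capnum` is set in the effective set.
 * Returns 1 if set, 0 if clear, -1 if the line is missing or malformed.
 * Kept free of side effects so it can be checked on constructed input. */
int cap_set_in_status(const char *status_text, int capnum)
{
    if (capnum < 0 || capnum > 63)
        return -1;
    const char *p = strstr(status_text, "CapEff:");
    if (!p)
        return -1;
    p += strlen("CapEff:");
    while (*p == ' ' || *p == '\t')
        p++;
    char *end;
    unsigned long long mask = strtoull(p, &end, 16);
    if (end == p)
        return -1;
    return (int)((mask >> capnum) & 1ULL);
}

/* Write a short string to a file in a single write(). Returns 0 or errno. */
static int write_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return errno;
    ssize_t n = write(fd, text, strlen(text));
    int err = (n < 0) ? errno : 0;
    close(fd);
    return err;
}

/* Map the caller's original uid/gid to root (uid 0) inside the new user
 * namespace. setgroups must be denied before gid_map may be written. */
static int map_root(uid_t uid, gid_t gid)
{
    char line[64];
    int err;
    snprintf(line, sizeof line, "0 %u 1", (unsigned)uid);
    if ((err = write_file("/proc/self/uid_map", line)) != 0)
        return err;
    if ((err = write_file("/proc/self/setgroups", "deny")) != 0)
        return err;
    snprintf(line, sizeof line, "0 %u 1", (unsigned)gid);
    return write_file("/proc/self/gid_map", line);
}

/* Try to create a character device node (constructed: major 1, minor 3,
 * the numbers of /dev/null) at `path`. Returns 0 on success (and removes
 * the node again) or the errno the kernel reported. */
int try_mknod_chardev(const char *path)
{
    if (mknod(path, S_IFCHR | 0600, makedev(1, 3)) == 0) {
        unlink(path);
        return 0;
    }
    return errno;
}

int main(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();

    /* Enter a fresh user namespace, as an unprivileged container does. */
    if (syscall(SYS_unshare, CLONE_NEWUSER) != 0) {
        perror("unshare(CLONE_NEWUSER)");   /* may be disabled by sysctl/seccomp */
        return 1;
    }
    int err = map_root(uid, gid);
    if (err != 0) {
        fprintf(stderr, "mapping root: %s\n", strerror(err));
        return 1;
    }

    char status[8192];
    int fd = open("/proc/self/status", O_RDONLY);
    ssize_t n = fd < 0 ? -1 : read(fd, status, sizeof status - 1);
    if (fd >= 0)
        close(fd);
    if (n < 0) {
        perror("/proc/self/status");
        return 1;
    }
    status[n] = '\0';

    printf("euid inside the namespace : %u\n", (unsigned)geteuid());
    printf("CAP_MKNOD in CapEff       : %d\n",
           cap_set_in_status(status, CAP_MKNOD));
    int rc = try_mknod_chardev("/tmp/mknod-demo-null");   /* constructed path */
    printf("mknod(S_IFCHR) result     : %s\n",
           rc == 0 ? "succeeded" : strerror(rc));
    return 0;
}
```

Run it as an ordinary user on a kernel that permits unprivileged user namespaces: euid prints as 0 and CAP_MKNOD reports as 1, yet the mknod line reports "Operation not permitted". Run it as real root you will see the node created, which is exactly the difference between holding a capability in a namespace and being capable in the initial namespace. The same CapEff check can be applied to any process's /proc/<pid>/status when auditing what a container's init actually holds.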
