A feature that I need is to be able to set the supplementary groups so that when I start an unprivileged container, the initial user in the container is a member of a number of supplementary groups, so that it will have access to various places in the filesystem protected via group ownership. Since inside the container nothing has any capabilities and the bounding set is empty, there is no way for me to change groups as the setgroups() call always fails, so it needs to be set from outside. Currently, lxc/start.c empties the supplementary groups if it's an unprivileged container.
I'd like to be able to declare them in the container configuration file. I'd also like to be able to set them on privileged containers for consistency. So I made a patch that adds this feature which works well enough for me. Would anybody else find this useful? If so, I'll try to find some time to tidy it up into the correct coding style and write some proper documentation for it and contribute a patch.

--
Stewart Brodie
Senior Software Engineer
Espial UK
_______________________________________________
lxc-devel mailing list
http://lists.linuxcontainers.org/listinfo/lxc-devel
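A diagnostic for the condition described in the message above, added here as an example (it is not code from the post or from LXC): it reads the CapEff and CapBnd masks from /proc/self/status and reports whether CAP_SETGID, which setgroups() requires, is present. The function names are hypothetical and the capability masks used to check it are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_SETGID_BIT 6 /* value of CAP_SETGID in <linux/capability.h> */

/* Look up a capability mask field ("CapEff", "CapBnd", ...) in the text of
 * /proc/<pid>/status. Returns 1 if CAP_SETGID is set in it, 0 if it is
 * clear, -1 if the field is missing or not a hex mask. */
int cap_setgid_in(const char *status, const char *field)
{
    size_t flen = strlen(field);
    for (const char *line = status; line && *line; ) {
        if (strncmp(line, field, flen) == 0 && line[flen] == ':') {
            const char *p = line + flen + 1;
            while (*p == ' ' || *p == '\t')
                p++;
            if (!isxdigit((unsigned char)*p))
                return -1;
            unsigned long long mask = strtoull(p, NULL, 16);
            return (int)((mask >> CAP_SETGID_BIT) & 1);
        }
        line = strchr(line, '\n'); /* advance to the next line */
        if (line)
            line++;
    }
    return -1;
}

/* setgroups() is refused with EPERM unless CAP_SETGID is effective. */
int caps_permit_setgroups(const char *status)
{
    return cap_setgid_in(status, "CapEff") == 1;
}

int main(void)
{
    static char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) { perror("/proc/self/status"); return 1; }
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    buf[n] = '\0';
    fclose(f);
    printf("CAP_SETGID effective=%d bounding=%d\n",
           cap_setgid_in(buf, "CapEff"), cap_setgid_in(buf, "CapBnd"));
    printf("setgroups(): %s\n", caps_permit_setgroups(buf)
           ? "not blocked by capabilities" : "will fail with EPERM");
    return 0;
}
```

Run inside the container as the initial user, an all-zero CapEff and CapBnd confirms that the process can neither call setgroups() nor regain the capability, so the group list has to be in place before the container's init is started.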
