Quoting Stewart Brodie ([email protected]):

> A feature that I need is to be able to set the supplementary groups so that
> when I start an unprivileged container, the initial user in the container is
> a member of a number of supplementary groups, so that it will have access to
> various places in the filesystem protected via group ownership. Since

So to be clear, you're running containers without a user namespace, and
dropping all capabilities?

> inside the container nothing has any capabilities and the bounding set is
> empty, there is no way for me to change groups as the setgroups() call
> always fails, so it needs to be set from outside. Currently, lxc/start.c
> empties the supplementary groups if it's an unprivileged container.
>
> I'd like to be able to declare them in the container configuration file. I'd
> also like to be able to set them on privileged containers for consistency.
>
> So I made a patch that adds this feature which works well enough for me.
>
> Would anybody else find this useful?

Doesn't fit into my own use cases but that's ok, so just go ahead and send the
patch and we can discuss.

> If so, I'll try to find some time to tidy it up into the correct coding
> style and write some proper documentation for it and contribute a patch.
>
> --
> Stewart Brodie
> Senior Software Engineer
> Espial UK
> _______________________________________________
> lxc-devel mailing list
> [email protected]
> http://lists.linuxcontainers.org/listinfo/lxc-devel
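The mechanism under discussion, as an added example that is not part of this thread and not LXC's own code: a small launcher-side C program that parses a comma-separated group list from a config value (the key name and the value "100, 1000,27" are constructed placeholders, not an LXC option), applies it with setgroups(2) while the caller still holds CAP_SETGID, and reports the EPERM that the same call produces once the capability bounding set has been emptied, which is the failure described above. It also reads the bounding set with prctl(PR_CAPBSET_READ) so the order of operations (set groups first, drop capabilities after) can be checked rather than assumed.

```c
/* Added example, not LXC code: set supplementary groups from a parsed list
 * before capabilities are dropped, and observe why the call cannot be made
 * later from inside a container whose bounding set is empty. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#ifdef __linux__
#include <sys/prctl.h>
#include <linux/capability.h>
#endif

#define MAX_GROUPS 64

/* Parse a constructed config value such as "100, 1000,27" into gids.
 * Returns the number of groups parsed, or -1 on any malformed entry. */
int parse_group_list(const char *list, gid_t *out, size_t max)
{
    size_t n = 0;
    const char *p = list;
    while (*p) {
        while (*p == ' ' || *p == '\t') p++;
        if (!*p) break;
        char *end;
        errno = 0;
        unsigned long v = strtoul(p, &end, 10);
        /* gid (gid_t)-1 is reserved, so reject it along with non-numeric input */
        if (end == p || errno != 0 || v > 0xFFFFFFFEUL) return -1;
        if (n >= max) return -1;
        out[n++] = (gid_t)v;
        p = end;
        while (*p == ' ' || *p == '\t') p++;
        if (*p == ',') p++;
        else if (*p) return -1;
    }
    return (int)n;
}

/* 1 if CAP_SETGID is still in the bounding set, 0 if it has been dropped,
 * -1 where the query is unsupported. */
int setgid_in_bounding_set(void)
{
#ifdef __linux__
    return prctl(PR_CAPBSET_READ, CAP_SETGID, 0, 0, 0);
#else
    return -1;
#endif
}

/* Apply the list. Returns 0 on success or the errno value; EPERM is what
 * a caller without CAP_SETGID gets, hence the need to do this from outside. */
int apply_supplementary_groups(const gid_t *gids, size_t n)
{
    if (setgroups(n, gids) != 0) return errno;
    return 0;
}

/* Verify membership the way the container's init would see it. */
int has_supplementary_group(gid_t gid)
{
    gid_t cur[MAX_GROUPS];
    int n = getgroups(MAX_GROUPS, cur);
    if (n < 0) return 0;
    for (int i = 0; i < n; i++)
        if (cur[i] == gid) return 1;
    return 0;
}

int main(void)
{
    /* Constructed value; the config key it would come from is hypothetical. */
    const char *config_value = "100, 1000,27";
    gid_t gids[MAX_GROUPS];
    int n = parse_group_list(config_value, gids, MAX_GROUPS);
    if (n < 0) { fprintf(stderr, "bad group list\n"); return 1; }
    printf("CAP_SETGID in bounding set: %d\n", setgid_in_bounding_set());
    int rc = apply_supplementary_groups(gids, (size_t)n);
    if (rc == 0)
        printf("setgroups ok; member of 1000: %d\n", has_supplementary_group(1000));
    else
        printf("setgroups failed: %s (set groups before dropping capabilities)\n",
               strerror(rc));
    return 0;
}
```

Run it as root and the groups are applied; run it as an unprivileged user, or after the bounding set has been cleared, and setgroups fails with EPERM, which is why the list has to be applied by the launcher before the container's init is exec'd.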
