The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/2086
This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list.

=== Description (from pull-request) ===

It would be convenient to be able to toggle sys_ptrace on a per container basis. Removing the option from the common configuration file would have an effect on deployed containers, though. Any better ideas to achieve this? Most of the templates do not drop this capability, so there is no good precedent.
From ecef04af7104c39cfcd96f3c429afe51d59ac628 Mon Sep 17 00:00:00 2001 From: Kaarle Ritvanen <[email protected]> Date: Tue, 16 Jan 2018 15:53:04 +0200 Subject: [PATCH] lxc-alpine: allow retaining sys_ptrace per container Signed-off-by: Kaarle Ritvanen <[email protected]> --- config/templates/alpine.common.conf.in | 1 - templates/lxc-alpine.in | 3 +++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/config/templates/alpine.common.conf.in b/config/templates/alpine.common.conf.in index 934fee28e..1c4cf815a 100644 --- a/config/templates/alpine.common.conf.in +++ b/config/templates/alpine.common.conf.in @@ -11,7 +11,6 @@ lxc.cap.drop = mknod lxc.cap.drop = setpcap lxc.cap.drop = sys_nice lxc.cap.drop = sys_pacct -lxc.cap.drop = sys_ptrace lxc.cap.drop = sys_rawio lxc.cap.drop = sys_resource lxc.cap.drop = sys_tty_config diff --git a/templates/lxc-alpine.in b/templates/lxc-alpine.in index 768e69028..174c36815 100644 --- a/templates/lxc-alpine.in +++ b/templates/lxc-alpine.in @@ -398,6 +398,9 @@ configure_container() { # hostname(1). lxc.cap.drop = sys_admin + # Comment this out if you have to debug processes by tracing. + lxc.cap.drop = sys_ptrace + # Include common configuration. lxc.include = $LXC_TEMPLATE_CONFIG/alpine.common.conf EOF
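Review bot: Deleting `lxc.cap.drop = sys_ptrace` from config/templates/alpine.common.conf.in silently widens the capability set of every Alpine container created by an earlier version of the template, because those containers only carry `lxc.include = .../alpine.common.conf` and will never get the new per-container drop line; the description admits this, but the patch does nothing about it. At minimum, record the behaviour change where the people affected will see it: a comment at the removed line in alpine.common.conf.in saying that sys_ptrace is now dropped by lxc-alpine in the per-container config, plus a changelog or release note telling operators of already deployed containers to add `lxc.cap.drop = sys_ptrace` to their own config if they want to keep dropping it. A silent capability regain on package upgrade is exactly the kind of change a security-conscious user wants called out.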
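Review bot: The comment above the new `lxc.cap.drop = sys_ptrace` line in templates/lxc-alpine.in, `# Comment this out if you have to debug processes by tracing.`, tells the reader when to remove the line but not what the line is for or that it is now the only place sys_ptrace is dropped (alpine.common.conf no longer does it). Suggest wording along the lines of `# sys_ptrace is dropped here rather than in alpine.common.conf so it can be kept per container.` followed by `# Remove this line only if processes inside the container must be traced.`, so nobody deletes it assuming the common file still covers it. The placement before `lxc.include = $LXC_TEMPLATE_CONFIG/alpine.common.conf`, next to the existing per-container sys_admin drop, is consistent with the surrounding block and is fine.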
_______________________________________________
lxc-devel mailing list
[email protected]
http://lists.linuxcontainers.org/listinfo/lxc-devel
