OK, I got it. Thank you very much for your answer, Serge.

On 19/05/2016 06:09, Serge E. Hallyn wrote:
> Quoting Michele Giacomoli ([email protected]):
>> Thank you,
>> So, as a result, there is no way to keep capabilities for unprivileged
>> containers, and lxc.cap.drop/keep in this case are pretty useless.
>> Am I right?
>
> There's no way to keep capabilities targeted at the host. If for
> whatever reason you want to drop capabilities toward the container
> itself, you can still use lxc.cap.*, but I don't know of anyone
> doing that.
>
> (It could in fact be a way to prevent some of the otherwise increased
> kernel surface area)
_______________________________________________
lxc-users mailing list
[email protected]
http://lists.linuxcontainers.org/listinfo/lxc-users
