On Tue, Mar 26, 2019 at 12:04:17PM +0100, Kees Bakker wrote:
> Hey,
>
> It is not clear to me if and how it is possible to set a capability in
> the config of a container. What I would like to do is to allow CAP_MKNOD
> in a container.
>
> In the old (?) LXC you would presumably use lxc.cap.keep, but that doesn't
> work with LXD 3.x
Unprivileged containers have all capabilities, including CAP_MKNOD; it just so happens that the kernel check for mknod will not allow root in an unprivileged container to run mknod, no matter its capabilities. That's the long version of just saying that you can't, and that it's not a configuration issue but a hard kernel restriction on unprivileged users.

We do have some ongoing work on the LXD side which will let us bypass such kernel restrictions by intercepting, evaluating and running select system calls in userspace, but that's still quite a few months out at least (will require kernel 5.0 or higher, with future versions of libseccomp, liblxc and lxd).

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
_______________________________________________
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users
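The distinction Stéphane draws (the capability is present inside the container's user namespace, yet the kernel still refuses mknod) can be observed directly. The program below is an added example, not part of the thread and not LXC or LXD code. It forks a child, enters a fresh user namespace with unshare(CLONE_NEWUSER), maps itself to uid 0 there, confirms via raw capget(2) that CAP_MKNOD is in its effective set, and then tries to create a character device node. On Linux the VFS evaluates capable(CAP_MKNOD) against the initial user namespace, so the call fails with EPERM regardless of the capabilities held in the child namespace. It assumes a Linux host with user namespaces enabled and /proc mounted; the enum, function and file names are mine.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/sysmacros.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/capability.h>

#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000   /* value from <linux/sched.h> */
#endif

/* What the probe found; the first value is the behaviour described in the thread. */
enum probe_result {
    PROBE_KERNEL_REFUSED = 0, /* CAP_MKNOD held inside the namespace, mknod() still fails with EPERM */
    PROBE_MKNOD_ALLOWED  = 1, /* mknod() succeeded: not expected in an unprivileged user namespace */
    PROBE_NO_USERNS      = 2, /* could not create or set up a user namespace here (sysctl, seccomp, no /proc) */
    PROBE_OTHER_ERROR    = 3  /* setup failure unrelated to the check (scratch dir, fork, unexpected errno) */
};

/* Map the caller's pre-unshare uid to root inside the new namespace. A single line
 * mapping the writer's own uid is the only map an unprivileged process may write;
 * with no mapping at all, file creation fails with EOVERFLOW before the capability
 * check is even reached. */
static int map_self_to_root(uid_t outer_uid)
{
    char line[64];
    int n = snprintf(line, sizeof line, "0 %u 1\n", (unsigned)outer_uid);
    int fd = open("/proc/self/uid_map", O_WRONLY);
    if (fd < 0)
        return -1;
    ssize_t w = write(fd, line, (size_t)n);
    close(fd);
    return w == n ? 0 : -1;
}

/* Raw capget(2), no libcap needed: is CAP_MKNOD in the calling process's effective set? */
static int has_effective_cap_mknod(void)
{
    struct __user_cap_header_struct hdr;
    struct __user_cap_data_struct data[2];
    memset(&hdr, 0, sizeof hdr);
    memset(data, 0, sizeof data);
    hdr.version = _LINUX_CAPABILITY_VERSION_3;   /* two 32-bit words per set */
    hdr.pid = 0;                                 /* 0 = the calling process */
    if (syscall(SYS_capget, &hdr, data) != 0)
        return 0;
    return (data[0].effective >> CAP_MKNOD) & 1; /* CAP_MKNOD (27) lives in word 0 */
}

/* Runs in a forked child so the namespace change never touches the caller. */
static int child_probe(uid_t outer_uid, const char *node_path)
{
    if (syscall(SYS_unshare, CLONE_NEWUSER) != 0)
        return PROBE_NO_USERNS;
    if (map_self_to_root(outer_uid) != 0)
        return PROBE_NO_USERNS;

    /* Now uid 0 with a full capability set, but only within this namespace. */
    if (geteuid() != 0 || !has_effective_cap_mknod())
        return PROBE_OTHER_ERROR;

    /* Character device with the same numbers as /dev/null. vfs_mknod() checks
     * capable(CAP_MKNOD) against the initial user namespace, hence EPERM. */
    if (mknod(node_path, S_IFCHR | 0600, makedev(1, 3)) == 0) {
        unlink(node_path);
        return PROBE_MKNOD_ALLOWED;
    }
    return errno == EPERM ? PROBE_KERNEL_REFUSED : PROBE_OTHER_ERROR;
}

/* Scratch directory under $TMPDIR (or /tmp), falling back to the current directory. */
static char *make_scratch_dir(char *buf, size_t len)
{
    const char *base = getenv("TMPDIR");
    snprintf(buf, len, "%s/mknod-probe-XXXXXX", base ? base : "/tmp");
    if (mkdtemp(buf) != NULL)
        return buf;
    snprintf(buf, len, "./mknod-probe-XXXXXX");
    return mkdtemp(buf);
}

/* Fork, enter a new user namespace in the child, attempt mknod, report the outcome. */
int probe_mknod_in_userns(void)
{
    char dir[256];
    if (make_scratch_dir(dir, sizeof dir) == NULL)
        return PROBE_OTHER_ERROR;
    char node[300];
    snprintf(node, sizeof node, "%s/null", dir);
    uid_t outer_uid = getuid();   /* read before unshare: afterwards it reads as the overflow uid */

    pid_t pid = fork();
    if (pid < 0) {
        rmdir(dir);
        return PROBE_OTHER_ERROR;
    }
    if (pid == 0)
        _exit(child_probe(outer_uid, node));

    int status = 0;
    int rc = PROBE_OTHER_ERROR;
    if (waitpid(pid, &status, 0) == pid && WIFEXITED(status))
        rc = WEXITSTATUS(status);
    rmdir(dir);
    return rc;
}

int main(void)
{
    static const char *const text[] = {
        "mknod refused (EPERM) even though CAP_MKNOD is held in the namespace",
        "mknod succeeded (unexpected for an unprivileged user namespace)",
        "user namespace unavailable in this environment",
        "setup error",
    };
    int r = probe_mknod_in_userns();
    printf("result %d: %s\n", r, text[r]);
    return r == PROBE_KERNEL_REFUSED ? 0 : 1;
}
```

Build with `gcc -Wall -o mknod-probe mknod-probe.c` and run it as an ordinary user. Exit status 0 means the refusal described in the reply was observed; result 2 means this environment does not let an unprivileged process create a user namespace at all (a sysctl or seccomp policy), which is a different restriction from the one under discussion. Keeping a full capability set in the namespace is exactly why adding CAP_MKNOD to a container's configuration changes nothing here, and why the LXD work mentioned in the reply has to intercept the system call in userspace rather than adjust capabilities.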