On 26-03-19 17:59, Stéphane Graber wrote:
> On Tue, Mar 26, 2019 at 12:04:17PM +0100, Kees Bakker wrote:
>> Hey,
>>
>> It is not clear to me if and how it is possible to set a capability in
>> the config of a container. What I would like to do is to allow CAP_MKNOD
>> in a container.
>>
>> In the old (?) LXC you would presumably use lxc.cap.keep, but that doesn't
>> work with LXD 3.x
> Unprivileged containers have all capabilities, including CAP_MKNOD, it
> just so happens that the kernel check for mknod will not allow root in
> an unprivileged container to run mknod, no matter its capabilities.
>
> That's the long version of just saying, that you can't and that it's not
> a configuration issue but a hard kernel restriction on unprivileged
> users.

Sad, but thanks for the explanation.

> We do have some ongoing work on the LXD side which will let us bypass
> such kernel restrictions by intercepting, evaluating and running select
> system calls in userspace, but that's still quite a few months out at
> least (will require kernel 5.0 or higher, with future versions of
> libseccomp, liblxc and lxd).
>
> _______________________________________________
> lxc-users mailing list
> lxc-users@lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users
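An added example, not part of the thread and not LXD code, that shows the distinction Stéphane describes: it reads the CapEff mask from /proc/self/status, confirms CAP_MKNOD (bit 27 in linux/capability.h) is in the effective set, and then actually probes os.mknod so that "capability present but the kernel refused" (what root in an unprivileged container sees) is reported separately from a genuinely dropped capability. The SAMPLE_STATUS text is constructed; the probe path and device numbers are assumptions.

```python
"""Tell 'capability missing' apart from 'kernel refused despite capability'."""
import errno
import os
import stat
import tempfile

CAP_MKNOD = 27  # bit index from linux/capability.h


def parse_cap_eff(status_text: str) -> int:
    """Return the CapEff bitmask from the text of /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError("no CapEff line in status text")


def has_cap(mask: int, cap: int) -> bool:
    """True if capability bit `cap` is set in `mask`."""
    return bool((mask >> cap) & 1)


def probe_mknod(directory: str) -> str:
    """Try to create a char device node (1,3 = /dev/null) in `directory`.

    Returns 'ok' on success, otherwise the errno name. Root inside an
    unprivileged container gets 'EPERM' here even though CapEff shows
    CAP_MKNOD, which is the kernel restriction discussed in the thread.
    """
    path = os.path.join(directory, "mknod_probe")  # assumed scratch name
    try:
        os.mknod(path, stat.S_IFCHR | 0o600, os.makedev(1, 3))
    except OSError as exc:
        return errno.errorcode.get(exc.errno, str(exc.errno))
    os.unlink(path)
    return "ok"


def classify(status_text: str, directory: str) -> str:
    """Combine the capability check with the real probe into one verdict."""
    if not has_cap(parse_cap_eff(status_text), CAP_MKNOD):
        return "no CAP_MKNOD in effective set"
    result = probe_mknod(directory)
    if result == "ok":
        return "CAP_MKNOD honoured"
    return f"CAP_MKNOD present but kernel refused mknod ({result})"


# Constructed sample: the full 38-bit effective set root holds in a container.
SAMPLE_STATUS = "Name:\tbash\nCapPrm:\t0000003fffffffff\nCapEff:\t0000003fffffffff\n"

if __name__ == "__main__":
    with open("/proc/self/status") as fh:
        print(classify(fh.read(), tempfile.gettempdir()))
```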