On Thu, 05.02.15 15:48, Vasiliy Tolstov (v.tols...@selfip.ru) wrote:

> 2015-02-05 12:44 GMT+03:00 Alban Crequy <alban.cre...@gmail.com>:
> >
> > Manual page namespaces(7):
> >
> > Creation of new namespaces using clone(2) and unshare(2) in most cases
> > requires the CAP_SYS_ADMIN capability. User namespaces are the
> > exception: since Linux 3.8, no privilege is required to create a user
> > namespace.
> >
>
> So as I understand I can't create a full-featured container with network
> under a non-root user (and not have cap_sys_admin)
Unprivileged containers are unlikely to ever support that. Creating a
network interface on the host will necessarily require privileges. If you
hence want "full network" support (by which I assume you mean veth links
and stuff), then you are generally out of luck...

You can run nspawn containers without CAP_SYS_ADMIN via nspawn's
--drop-capability=CAP_SYS_ADMIN switch. However, YMMV, as the code you run
inside of the container must be OK with not having those perms, and
systemd at least until very recently didn't like that at all...

Lennart

--
Lennart Poettering, Red Hat

systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
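An added example in C (not code from this thread or from systemd) of what an unprivileged process gets from namespaces alone: unshare(CLONE_NEWUSER | CLONE_NEWNET) succeeds with no capability on the host, but the resulting network namespace holds only a down loopback device, and connecting it to the host (veth, bridge) would need privilege in the host namespace. The probe_* names and result codes are the example's own assumptions; on kernels or sandboxes that forbid unprivileged user namespaces the probe reports PROBE_UNSUPPORTED instead.

```c
#define _GNU_SOURCE
#include <net/if.h>
#include <sched.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

enum probe_result {
    PROBE_ISOLATED_LO = 0, /* namespaces created; only a down "lo" exists */
    PROBE_UNSUPPORTED = 1, /* unshare() refused (EPERM: sysctl, seccomp, ...) */
    PROBE_ERROR       = 2  /* unexpected state, e.g. host links visible */
};

/* Runs in a forked child so the caller keeps its own namespaces. */
static int child_probe(void)
{
    /* No host capability needed since Linux 3.8: the new user namespace
     * grants CAP_SYS_ADMIN inside itself, enough to unshare a net ns too. */
    if (unshare(CLONE_NEWUSER | CLONE_NEWNET) < 0) return PROBE_UNSUPPORTED;
    struct if_nameindex *ifs = if_nameindex();
    if (!ifs) return PROBE_ERROR;
    int count = 0, only_lo = 1;
    for (struct if_nameindex *i = ifs; i->if_index != 0; i++) {
        count++;
        /* A veth or bridge port here would need host-side privilege. */
        if (strcmp(i->if_name, "lo") != 0) only_lo = 0;
    }
    if_freenameindex(ifs);
    /* Even loopback starts down: nobody has configured the new namespace. */
    struct ifreq req;
    memset(&req, 0, sizeof req);
    strncpy(req.ifr_name, "lo", IFNAMSIZ - 1);
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0 || ioctl(fd, SIOCGIFFLAGS, &req) < 0) return PROBE_ERROR;
    close(fd);
    int lo_down = !(req.ifr_flags & IFF_UP);
    return (count == 1 && only_lo && lo_down) ? PROBE_ISOLATED_LO : PROBE_ERROR;
}

/* Returns one of enum probe_result from the child's exit status. */
int probe_unprivileged_netns(void)
{
    pid_t pid = fork();
    if (pid < 0) return PROBE_ERROR;
    if (pid == 0) _exit(child_probe());
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return PROBE_ERROR;
    return WEXITSTATUS(status);
}
```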