On Tue, Feb 10, 2015 at 12:52:34PM +0100, Lennart Poettering wrote:
> On Thu, 05.02.15 02:03, Vasiliy Tolstov (v.tols...@selfip.ru) wrote:
>
> > Hello!
> > Is it possible to create a container as a regular user? Or what capabilities
> > do I need to add to create a container without using root?
>
> Invoking containers without privileges is not supported by nspawn, and
> this is unlikely to change, as I fail to see any strong use case for
> this...
>
> If somebody can enlighten me about the use case for allowing
> containers to be run by unprivileged users, I'd be willing to change
> my mind though...

A quick argument against it, IOW just wait and see!

As unprivileged we don't have CAP_SYS_MODULE set, but inside unprivileged
containers we are root, and a call to cap_get_flag() on CAP_SYS_MODULE will
return CAP_SET! But hey, in reality this is not true, we don't have
CAP_SYS_MODULE... This will confuse programs running inside containers; we'll
have to add more code paths for this special case... And not only
CAP_SYS_MODULE, perhaps there are other cases...

-- 
Djalal Harouni
http://opendz.org
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
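The confusion described above (a capability reported as set inside an unprivileged user namespace that the kernel will not honour against the host) can be made visible with a small check. This is an added example, not code from the thread or from nspawn; it assumes the Linux /proc layout, that CAP_SYS_MODULE is bit 16 of the CapEff mask, and uses the heuristic that a uid_map of exactly "0 0 4294967295" marks the initial user namespace.

```c
/* Added example: is a capability bit from /proc/self/status actually usable?
 * In a child user namespace CapEff can show CAP_SYS_MODULE, yet module loading
 * is only honoured for the initial user namespace. Sample inputs are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_SYS_MODULE_BIT 16   /* assumption: bit index of CAP_SYS_MODULE in CapEff */

/* Parse a "CapEff:\t<hex>" line from /proc/self/status into a 64-bit mask.
 * Returns 0 when the line is not a CapEff line or the hex value does not parse. */
unsigned long long parse_capeff(const char *line)
{
    if (strncmp(line, "CapEff:", 7) != 0)
        return 0;
    const char *p = line + 7;
    while (*p == ' ' || *p == '\t')
        p++;
    char *end;
    unsigned long long mask = strtoull(p, &end, 16);
    return (end == p) ? 0 : mask;
}

/* Test a single capability bit in the mask. */
int cap_bit_set(unsigned long long mask, int bit)
{
    return (int)((mask >> bit) & 1ULL);
}

/* Heuristic: the initial user namespace maps the whole ID range identically,
 * so /proc/self/uid_map reads "0 0 4294967295". Any other mapping means we are
 * in a child user namespace, where CAP_SYS_MODULE is not honoured by the kernel. */
int uid_map_is_initial(const char *uid_map)
{
    unsigned long long inside, outside, count;
    if (sscanf(uid_map, "%llu %llu %llu", &inside, &outside, &count) != 3)
        return 0;
    return inside == 0 && outside == 0 && count == 4294967295ULL;
}

/* Report CAP_SYS_MODULE as usable only when it is set AND we are in the initial namespace. */
int can_really_load_modules(const char *capeff_line, const char *uid_map)
{
    return cap_bit_set(parse_capeff(capeff_line), CAP_SYS_MODULE_BIT)
        && uid_map_is_initial(uid_map);
}

int main(void)
{
    /* Constructed values resembling root inside an unprivileged container. */
    const char *capeff = "CapEff:\t000001ffffffffff";
    const char *uid_map = "         0       1000          1";
    printf("CAP_SYS_MODULE reported: %d, actually usable: %d\n",
           cap_bit_set(parse_capeff(capeff), CAP_SYS_MODULE_BIT),
           can_really_load_modules(capeff, uid_map));
    return 0;
}
```

On a real system the two strings would come from reading /proc/self/status and /proc/self/uid_map; the uid_map heuristic can misjudge a child namespace that was deliberately given a full identity mapping, so treat it as a hint rather than a proof.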