On Wed, 11.02.15 13:53, Djalal Harouni (tix...@opendz.org) wrote: > On Tue, Feb 10, 2015 at 12:52:34PM +0100, Lennart Poettering wrote: > > On Thu, 05.02.15 02:03, Vasiliy Tolstov (v.tols...@selfip.ru) wrote: > > > > > Hello! > > > Does it possible to create container as regular user? Oh what capabilities > > > i need to add to create container not using root? > > > > Invoking containers without privileges is not supported by nspawn, and > > this is unlikely to change, as I fail to see any strong usecase for > > this... > > > > If somebody can englighten me about the usecase for allowing > > containers to be run by unprivileged users, I'd be willing to change > > my mind though... > A quick argument against it, IOW just wait and see! > > As unprivileged we don't have CAP_SYS_MODULE set, but inside > unprivileged containers we are root, and a call to cap_get_flag() on > CAP_SYS_MODULE will return CAP_SET! but hey in reality this is not true, > we don't have CAP_SYS_MODULE... this will confuse programs running > inside containers, we'll have to add more code paths for this special > case... and not only CAP_SYS_MODULE, perhaps there are other cases...
Well, but we could drop CAP_SYS_MODULE both before and after setting up the userns, so that the cap is missing fro the PID both inside and outside of it... Lennart -- Lennart Poettering, Red Hat _______________________________________________ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
