** Description changed:

+ ========================================
+ SRU Justification
+ 1. Impact: cannot lxc-execute a container without cap_sys_admin
+ 2. Development fix: don't fail if lxc-init cannot mount /proc
+ 3. Stable fix: same as development fix.
+ 4. Test case:
+ 5. Regression potential: none
+ ========================================
+ Using the 0.8.0~rc1 lxc release, it was possible to start an application container with the lxc.cap.drop=sys_admin option (# lxc-execute -n foo -s lxc.cap.drop=sys_admin -- /bin/bash). Since the new 1.0.0~alpha1 release, this is not possible anymore; the application immediately crashes upon being called by lxc-init, thus killing the container. When any other capability (or combination of capabilities) is dropped, the container still starts up; however, only dropping cap_sys_admin results in an error.
+ I've attached the debug output of # lxc-execute -o foo -l DEBUG -n foo -s lxc.cap.drop=sys_admin -- /bin/bash for reference.
+ Release: 12.04.3 with HWE, Kernel 3.8.0-32-generic #47~precise1-Ubuntu SMP Wed Oct 2 16:19:35 UTC 2013 x86_64
+ LXC version: 1.0.0~alpha1-0ubuntu13~ubuntu12.04.1
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1253669

Title:
  unable to launch lxc application containers when dropping cap_sysadmin

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1253669/+subscriptions

--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
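As an added illustration of the development fix named in the SRU justification ("don't fail if lxc-init cannot mount /proc"), the following is example code, not the bug report's attachment and not lxc's own source: a minimal init-style routine that attempts to mount procfs and treats the EPERM a process without CAP_SYS_ADMIN receives from mount(2) as a warning rather than a fatal error. The function names and the target path are assumptions; it assumes a Linux host.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>

/* How an init process reacts to its attempt to mount /proc. */
enum proc_mount_result {
    PROC_MOUNTED,  /* mount(2) succeeded, the container has a private /proc */
    PROC_SKIPPED,  /* mount refused for lack of privilege; keep starting */
    PROC_FATAL     /* any other failure; abort the container start */
};

/* Map the errno of a failed mount(2) to a decision.  A process started with
 * lxc.cap.drop=sys_admin holds no CAP_SYS_ADMIN, so the kernel answers EPERM;
 * the fix is to tolerate exactly that case instead of dying.  Anything else
 * (missing target, unsupported fs type, ...) still counts as fatal so that
 * genuine misconfiguration is not silently hidden. */
enum proc_mount_result classify_proc_mount_error(int err)
{
    return (err == EPERM) ? PROC_SKIPPED : PROC_FATAL;
}

/* Try to mount procfs on `target` (hypothetical helper name).  Unlike the
 * pre-fix behaviour, a privilege error only produces a warning. */
enum proc_mount_result mount_proc_or_continue(const char *target)
{
    if (mount("proc", target, "proc", MS_NOSUID | MS_NODEV | MS_NOEXEC, NULL) == 0)
        return PROC_MOUNTED;

    int err = errno;
    enum proc_mount_result r = classify_proc_mount_error(err);
    if (r == PROC_SKIPPED)
        fprintf(stderr, "warning: cannot mount /proc on %s (%s); continuing without it\n",
                target, strerror(err));
    else
        fprintf(stderr, "error: mounting /proc on %s failed: %s\n", target, strerror(err));
    return r;
}

int main(void)
{
    /* Constructed target path, assumed not to exist, so the demo never touches
     * the real /proc.  An unprivileged run exits 0 on EPERM (tolerated) and
     * 1 if the kernel reports ENOENT first (still treated as fatal). */
    enum proc_mount_result r = mount_proc_or_continue("/tmp/constructed-proc-target");
    return (r == PROC_FATAL) ? 1 : 0;
}
```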