Hi, I want to use an unprivileged container + setcap to set limited capabilities, but cannot get it to work. Here is my test (lxc-1.0.8 and lxc-2.0.8):
testapp:

    int ret = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
    fprintf(stderr, "socket ret %d, %s\n", ret, strerror(errno));

1. add net_raw capability

    setcap cap_net_admin,cap_net_raw=eip ./testapp

2. switch to uid 2000, execute testapp

    $ ./testapp
    socket ret 3, Success

3. use unprivileged container to run testapp

   lxc config:

    lxc.network.type = none
    lxc.id_map = u 0 2000 1
    lxc.id_map = g 0 2000 1

    sudo lxc-execute -n testapp -f config -P /files/testapp
    ....
    socket ret -1, Operation not permitted

4. using lxc-2.0.8, add init_uid/init_gid

    lxc.init_uid = 2000
    lxc.init_gid = 2000

    lxc-execute: utils.c: lxc_switch_uid_gid: 2069 Invalid argument - Failed to switch to gid 2000.

Can anyone help, what is going wrong?
_______________________________________________
lxc-users mailing list
[email protected]
http://lists.linuxcontainers.org/listinfo/lxc-users
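As an added example (not code from the original post or from LXC), a small C diagnostic that prints the CapPrm/CapEff/CapBnd masks and uid_map the process actually runs with and then attempts the same raw socket as testapp; running it directly as uid 2000 and again under lxc-execute shows what the process holds in each case. The capability bit numbers are the standard ones from <linux/capability.h>.

```c
/* Added diagnostic, not from the original post: print the capability masks and
 * uid_map this process actually has, then try the raw socket testapp opens. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#define CAP_NET_ADMIN_BIT 12   /* capability numbers from <linux/capability.h> */
#define CAP_NET_RAW_BIT   13

/* 1 if capability `cap` is set in a /proc/self/status hex mask like "0000000000003000". */
int cap_in_mask(const char *hexmask, int cap)
{
    unsigned long long mask = strtoull(hexmask, NULL, 16);
    return (int)((mask >> cap) & 1ULL);
}

/* Copy the value of the "<name>:" line of /proc/self/status into out; 1 if found. */
int read_status_field(const char *name, char *out, size_t outlen)
{
    char line[256]; size_t n = strlen(name); int found = 0;
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return 0;                      /* e.g. not running on Linux */
    while (!found && fgets(line, sizeof line, f))
        if (strncmp(line, name, n) == 0 && line[n] == ':') {
            const char *v = line + n + 1; while (*v == ' ' || *v == '\t') v++;
            snprintf(out, outlen, "%s", v);
            out[strcspn(out, "\n")] = '\0';  /* drop trailing newline */
            found = 1;
        }
    fclose(f);
    return found;
}

int main(void)
{
    const char *fields[] = { "CapPrm", "CapEff", "CapBnd" };
    char val[64], line[128];
    for (size_t i = 0; i < 3; i++)
        if (read_status_field(fields[i], val, sizeof val))
            printf("%s=%s net_admin=%d net_raw=%d\n", fields[i], val,
                   cap_in_mask(val, CAP_NET_ADMIN_BIT), cap_in_mask(val, CAP_NET_RAW_BIT));
    /* Anything but "0 0 4294967295" means a child user namespace, whose caps only cover its own resources. */
    FILE *map = fopen("/proc/self/uid_map", "r");
    if (map) { while (fgets(line, sizeof line, map)) printf("uid_map: %s", line); fclose(map); }
    int ret = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);   /* the same call as testapp */
    fprintf(stderr, "socket ret %d, %s\n", ret, ret < 0 ? strerror(errno) : "Success");
    return 0;
}
```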
