Here are all the caps that I managed to drop:

audit_control audit_write mac_admin mac_override mknod net_raw setfcap setpcap sys_admin sys_boot sys_module sys_nice sys_pacct sys_rawio sys_resource sys_time sys_tty_config

Notes:
- the user in the container is not root
- sys_chroot is not dropped because sshd needs it
- since mounts are now impossible from inside the container they have to be added to the lxc fstab

On Wed, Oct 26, 2011 at 10:31, Ulli Horlacher <[email protected]> wrote:
>
> Is there a "best practices" for lxc.cap.drop configuration?
>
> I have so far as default:
>
> # no MAC change
> lxc.cap.drop = mac_override
>
> # no kernel module (un)loading
> lxc.cap.drop = sys_module
>
> # no reboot
> lxc.cap.drop = sys_boot
>
> # no (un/re)mounting
> lxc.cap.drop = sys_admin
>
> # no time setting
> lxc.cap.drop = sys_time
>
> All the corresponding tasks should be done via host and not via container.
>
> --
> Ullrich Horlacher          Server- und Arbeitsplatzsysteme
> Rechenzentrum              E-Mail: [email protected]
> Universitaet Stuttgart     Tel:    ++49-711-685-65868
> Allmandring 30             Fax:    ++49-711-682357
> 70550 Stuttgart (Germany)  WWW:    http://www.rus.uni-stuttgart.de/
>
> _______________________________________________
> Lxc-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/lxc-users
>

--
Sebastien Pahl
http://www.dotcloud.com
@sebp, @dot_cloud
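A way to verify that a drop list like the ones above actually took effect: read the `CapBnd` line of `/proc/<pid>/status` for a process inside the container (from the host) and decode the bitmask against the capability numbers. This is an added example written for this thread, not code from either poster; the config and status text below are constructed samples (the status mask deliberately still has sys_admin set, to show the check reporting it).

```python
"""Compare an lxc.cap.drop list against a process's bounding set (CapBnd)."""
import re

# Capability numbers from linux/capability.h; each is a bit position in CapBnd.
CAP_BITS = {
    "chown": 0, "dac_override": 1, "dac_read_search": 2, "fowner": 3,
    "fsetid": 4, "kill": 5, "setgid": 6, "setuid": 7, "setpcap": 8,
    "linux_immutable": 9, "net_bind_service": 10, "net_broadcast": 11,
    "net_admin": 12, "net_raw": 13, "ipc_lock": 14, "ipc_owner": 15,
    "sys_module": 16, "sys_rawio": 17, "sys_chroot": 18, "sys_ptrace": 19,
    "sys_pacct": 20, "sys_admin": 21, "sys_boot": 22, "sys_nice": 23,
    "sys_resource": 24, "sys_time": 25, "sys_tty_config": 26, "mknod": 27,
    "lease": 28, "audit_write": 29, "audit_control": 30, "setfcap": 31,
    "mac_override": 32, "mac_admin": 33, "syslog": 34, "wake_alarm": 35,
    "block_suspend": 36, "audit_read": 37,
}

def parse_cap_drop(config_text):
    """Collect every name from lxc.cap.drop lines (several names per line allowed)."""
    dropped = set()
    for line in config_text.splitlines():
        m = re.match(r"\s*lxc\.cap\.drop\s*=\s*(.*)", line)
        if m:
            dropped.update(m.group(1).split())
    return dropped

def decode_capbnd(status_text):
    """Return the set of capability names present in the CapBnd line of /proc/<pid>/status."""
    m = re.search(r"^CapBnd:\s*([0-9a-fA-F]+)", status_text, re.M)
    mask = int(m.group(1), 16)
    return {name for name, bit in CAP_BITS.items() if (mask >> bit) & 1}

def caps_not_dropped(config_text, status_text):
    """Capabilities the config says to drop that are still in the bounding set."""
    return parse_cap_drop(config_text) & decode_capbnd(status_text)

# Constructed sample: Ulli's five drop lines, and a CapBnd mask in which
# mac_override, sys_module, sys_boot and sys_time are cleared but sys_admin is not.
SAMPLE_CONFIG = """# no MAC change
lxc.cap.drop = mac_override
lxc.cap.drop = sys_module
lxc.cap.drop = sys_boot
lxc.cap.drop = sys_admin
lxc.cap.drop = sys_time
"""
SAMPLE_STATUS = "Name:\tsshd\nCapInh:\t0000000000000000\nCapBnd:\t0000003efdbeffff\n"

if __name__ == "__main__":
    print("still present:", sorted(caps_not_dropped(SAMPLE_CONFIG, SAMPLE_STATUS)))
```

On a live host, replace SAMPLE_STATUS with the contents of `/proc/<pid>/status` for the container's init (or sshd) and SAMPLE_CONFIG with the container's config file.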
