Thank you for your comment.
We could do with a feature like this for LXC too. Though I'd prefer the XML to be a little more concise. Perhaps
<process> <cap_sys_rawio/> </process>
One potential concern is that the capability names are OS specific, so perhaps rather than allow them as element names, we should use string attribute values for them
<process> <cap name='sys_rawio'/> </process>
I'll take in your idea.
and declare the attribute values are potentially OS dependant, and then expose the list of allowed OS capabilities values in the capabilities XML.
I plan on adding "process_capabilities" child element to "host" element of the capabilities XML like the following: # virsh capabilities <capabilities> <host> ... <process_capabilities> <cap name='chown'/> <cap name='dac_override'/> <cap name='dac_read_search'/> ... </process_capabilities> </host> ... Is this what you mean? -- Best regards, Taku Izumi <izumi.taku@jp.fujitsu.com>