[libvirt-users] lxc capabilities

Wednesday, 7 December 2011

I'm experimenting with the libvirt lxc driver, and wondering if there is
some way to control the capabilities assigned to the container processes.

With lxc-tools, I can specify a configuration option, lxc.cap.drop,
which causes the container processes to drop the specified privileges.

My libvirt containers seem to run with
cap_sys_module,cap_sys_boot,cap_sys_time,cap_audit_control,cap_mac_admin
which is rather more permissive than I'd like. In particular,
cap_sys_boot allows a container to reboot the host machine.

I am running libvirt-0.9.2 from squeeze-backports on debian squeeze.

Cheers,

-C-

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

[libvirt-users] lxc capabilities