Daniel P. Berrange wrote:

I think you have that the wrong way around. The containers run
*without*  cap_sys_{module,boot,time,audit_control,mac_admin}.

Am I misinterpreting the output of getpcaps then? (getpcaps is rather undocumented).

See: http://pastebin.com/6FkXt66c

Moreover, I opened a virsh console to my helloworld container, typed 'reboot' and the whole host machine rebooted. Yikes!

Or are these bugs in the 0.9.2 codebase that have since been fixed?

-C-