[libvirt-users] dropping capabilities in lxc containers

Hi there,

I’m not quite proficient with libvirt yet, and have been using it so far primarily to manage lxc containers. I was hoping to find a means to configure the set of capabilities that guests should drop, but came across a few web pages suggesting these were set in stone in the code. Is this correct, or is there a means to tweak this set from the host via the xml config or a virsh command?

Any hint / pointer to documentation in this respect would be most appreciated.

— Thierry

On Wed, Jan 29, 2014 at 09:43:25AM +0100, Thierry Parmentelat wrote:
> Hi there,
> I’m not quite proficient with libvirt yet, and have been using it so far primarily to manage lxc containers. I was hoping to find a means to configure the set of capabilities that guests should drop, but came across a few web pages suggesting these were set in stone in the code. Is this correct, or is there a means to tweak this set from the host via the xml config or a virsh command?
> Any hint / pointer to documentation in this respect would be most appreciated.

That's correct, there's no means to configure this from the libvirt XML config. The containers will be started with the maximal set of capabilities we can reasonably allow. The app inside the container can drop bits they don't require.

Regards,
Daniel

--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

Thanks for the feedback. I take it from your answer that there is no current plan in the direction of adding this as a feature, right?

In this case, how would you welcome pull requests if we managed to add this on our side?

Many thanks — Thierry

On 29 Jan 2014, at 14:27, Daniel P. Berrange <berrange@redhat.com> wrote:
> On Wed, Jan 29, 2014 at 09:43:25AM +0100, Thierry Parmentelat wrote:
>> Hi there,
>> I’m not quite proficient with libvirt yet, and have been using it so far primarily to manage lxc containers. I was hoping to find a means to configure the set of capabilities that guests should drop, but came across a few web pages suggesting these were set in stone in the code. Is this correct, or is there a means to tweak this set from the host via the xml config or a virsh command?
>> Any hint / pointer to documentation in this respect would be most appreciated.
>
> That's correct, there's no means to configure this from the libvirt XML config. The containers will be started with the maximal set of capabilities we can reasonably allow. The app inside the container can drop bits they don't require.
>
> Regards,
> Daniel
>
> --
> |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
> |: http://libvirt.org -o- http://virt-manager.org :|
> |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
> |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

On Wed, Jan 29, 2014 at 03:33:23PM +0100, Thierry Parmentelat wrote:
> Thanks for the feedback. I take it from your answer that there is no current plan in the direction of adding this as a feature, right?

I'm not aware of anyone currently working on this feature.

> In this case, how would you welcome pull requests if we managed to add this on our side?

Well it seems the sf.net LXC tools support a 'lxc.caps.drop' flag to list caps that should be removed. Since we'd like to have equivalent or greater features in libvirt, it seems that it would be in scope to add such a config option to libvirt XML. So if you'd like to work on it feel free to make a proposal for XML config & patch.

Regards,
Daniel

--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
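Added example, not code from this thread, from libvirt or from the LXC tools, of the route Daniel describes in his first reply: the app inside the container dropping capabilities itself. It is a small C program that takes a list written in the same space-separated form as the 'lxc.caps.drop' flag he mentions (e.g. "sys_admin net_raw"), removes those capabilities from its own bounding set with prctl(PR_CAPBSET_DROP), and reads the set back with PR_CAPBSET_READ to confirm. The capability table (a subset of the numbers in <linux/capability.h>), the helper names and the sample policy string are the example's own; the drop step needs CAP_SETPCAP, which in practice means running it as root inside the container before exec'ing the real service.

```c
/* Added example, not code from this thread or from libvirt/LXC: drop Linux
 * capabilities from the current process's bounding set, driven by a list in
 * the same space-separated form that LXC's lxc.caps.drop uses
 * (e.g. "sys_admin net_raw"). Build with: cc -o capdrop capdrop.c */
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>

struct cap_name {
    const char *name;   /* lowercase name without the CAP_ prefix */
    int value;          /* number as defined in <linux/capability.h> */
};

/* Subset of the kernel's capability table; extend as needed. */
static const struct cap_name cap_table[] = {
    { "chown", 0 },        { "dac_override", 1 },   { "kill", 5 },
    { "setpcap", 8 },      { "net_admin", 12 },     { "net_raw", 13 },
    { "sys_module", 16 },  { "sys_rawio", 17 },     { "sys_ptrace", 19 },
    { "sys_admin", 21 },   { "sys_boot", 22 },      { "sys_time", 25 },
    { "mknod", 27 },       { "audit_control", 30 }, { "mac_override", 32 },
    { "mac_admin", 33 },
};

/* Map a name to its capability number; -1 if the name is unknown. */
int cap_from_name(const char *name)
{
    for (size_t i = 0; i < sizeof cap_table / sizeof cap_table[0]; i++)
        if (strcmp(cap_table[i].name, name) == 0)
            return cap_table[i].value;
    return -1;
}

/* Parse an lxc.caps.drop-style list ("sys_admin net_raw mknod") into out[].
 * Returns the number of capabilities parsed, or -1 on an unknown name or
 * overflow: an unknown name rejects the whole list rather than silently
 * leaving that capability in place. */
int parse_caps_drop(const char *list, int *out, int max)
{
    int n = 0;
    const char *p = list;

    while (*p) {
        while (*p == ' ' || *p == '\t' || *p == ',') p++;   /* skip separators */
        if (!*p) break;
        const char *start = p;
        while (*p && *p != ' ' && *p != '\t' && *p != ',') p++;
        size_t len = (size_t)(p - start);
        char name[32];
        if (len >= sizeof name) return -1;
        memcpy(name, start, len);
        name[len] = '\0';
        int cap = cap_from_name(name);
        if (cap < 0 || n >= max) return -1;
        out[n++] = cap;
    }
    return n;
}

/* 1 if cap is still in the bounding set, 0 if not, -1 on error. */
int bounding_has(int cap)
{
    return prctl(PR_CAPBSET_READ, (unsigned long)cap, 0, 0, 0);
}

/* Remove each listed capability from the bounding set. The drop is permanent
 * for this process and inherited by its children, so do it before exec'ing
 * the service. Requires CAP_SETPCAP; returns the count dropped or -1 with
 * errno set by prctl(). */
int drop_bounding_caps(const int *caps, int n)
{
    for (int i = 0; i < n; i++)
        if (prctl(PR_CAPBSET_DROP, (unsigned long)caps[i], 0, 0, 0) != 0)
            return -1;
    return n;
}

int main(void)
{
    /* Constructed policy for the demonstration; not a libvirt setting. */
    const char *policy = "sys_admin sys_module net_raw mknod";
    int caps[16];
    int n = parse_caps_drop(policy, caps, 16);

    if (n < 0) {
        fprintf(stderr, "invalid capability list: %s\n", policy);
        return 1;
    }
    if (drop_bounding_caps(caps, n) < 0) {
        perror("prctl(PR_CAPBSET_DROP)");   /* EPERM when run without CAP_SETPCAP */
        return 1;
    }
    for (int i = 0; i < n; i++)
        printf("cap %2d still in bounding set: %d\n", caps[i], bounding_has(caps[i]));
    return 0;
}
```

Because the bounding set only shrinks and is inherited across fork and exec, a wrapper that runs this logic and then execs the container's real entry point gives the effect of a per-container lxc.caps.drop without any change to libvirt; the check with PR_CAPBSET_READ at the end is what tells you the policy actually applied rather than silently failing on a name the table did not know.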