LXC doesn't drop many capabilities; we only really drop mac_admin,
mac_override, sys_time, sys_module and sys_rawio.

That's because we do run workloads which do need the other capabilities,
including cap_sys_admin.


Now in an unprivileged container, having those capabilities will only do you 
good against resources owned by the container and will (obviously) not let you 
gain any more rights than you had as the owning uid prior to entering the 
container.

So you absolutely do have cap_sys_admin and it will let you do a bunch
of things against the network devices owned by your container or mount
entries owned by the container, ... but it will not let you mess with
things that aren't namespaced and that you wouldn't be allowed to touch
as a normal unprivileged user.

The kernel has a nice ns_capable(ns, CAP) function which lets you check
whether you do have the named capability against a given resource; I'm
not aware of a userspace equivalent though.

Having us drop a bunch of capabilities is the wrong answer though and we
won't be doing that.

** Changed in: lxd (Ubuntu)
       Status: New => Invalid
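The comment above makes two points a practitioner may want to verify from inside a container: the five capabilities LXC drops should be missing from the bounding set, while cap_sys_admin is still present. The following is an added example, not LXC's or LXD's own code; it decodes the CapBnd/CapEff bitmask lines of /proc/<pid>/status using the bit numbers from linux/capability.h, and the sample status text it runs against is constructed here.

```python
"""Decode a process's capability masks and report which of the capabilities
LXC drops are still in the bounding set.

Added example, not LXC/LXD code. CapEff/CapBnd in /proc/<pid>/status are a
stable kernel interface; the bit numbers come from <linux/capability.h>.
"""

# Capability bit numbers from <linux/capability.h> (subset relevant here).
CAP_BITS = {
    "cap_net_admin": 12,
    "cap_sys_module": 16,
    "cap_sys_rawio": 17,
    "cap_sys_admin": 21,
    "cap_sys_time": 25,
    "cap_mac_override": 32,
    "cap_mac_admin": 33,
}

# The five capabilities the comment says LXC removes from its containers.
LXC_DROPPED = {"cap_mac_admin", "cap_mac_override", "cap_sys_time",
               "cap_sys_module", "cap_sys_rawio"}


def parse_cap_masks(status_text):
    """Return {field: int} for every Cap* line in a /proc/<pid>/status dump."""
    masks = {}
    for line in status_text.splitlines():
        if line.startswith("Cap") and ":" in line:
            key, value = line.split(":", 1)
            masks[key.strip()] = int(value.strip(), 16)
    return masks


def caps_in_mask(mask):
    """Names from CAP_BITS whose bit is set in the given mask."""
    return {name for name, bit in CAP_BITS.items() if (mask >> bit) & 1}


def lxc_drop_report(status_text):
    """Which LXC-dropped caps survive in the bounding set, and whether
    cap_sys_admin is in the effective set (expected inside the container)."""
    masks = parse_cap_masks(status_text)
    bounding = caps_in_mask(masks.get("CapBnd", 0))
    effective = caps_in_mask(masks.get("CapEff", 0))
    return {
        "still_in_bounding_set": sorted(LXC_DROPPED & bounding),
        "has_sys_admin": "cap_sys_admin" in effective,
    }


# Constructed sample: a full 38-bit set with the five LXC-dropped bits cleared,
# i.e. what a process inside an LXC container would be expected to show.
FULL_MASK = (1 << 38) - 1
DROPPED_MASK = sum(1 << CAP_BITS[c] for c in LXC_DROPPED)
CONTAINER_MASK = FULL_MASK & ~DROPPED_MASK
SAMPLE_CONTAINER_STATUS = (
    "Name:\tbash\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t%016x\n"
    "CapEff:\t%016x\n"
    "CapBnd:\t%016x\n"
    "CapAmb:\t0000000000000000\n"
) % (CONTAINER_MASK, CONTAINER_MASK, CONTAINER_MASK)

# Constructed sample: an unprivileged shell on the host, where nothing is
# effective but the bounding set is still full.
SAMPLE_HOST_STATUS = (
    "Name:\tbash\n"
    "CapEff:\t0000000000000000\n"
    "CapBnd:\t%016x\n"
) % FULL_MASK

if __name__ == "__main__":
    # Live check of the calling process (Linux only), then the two samples.
    with open("/proc/self/status") as f:
        print("self:     ", lxc_drop_report(f.read()))
    print("container:", lxc_drop_report(SAMPLE_CONTAINER_STATUS))
    print("host user:", lxc_drop_report(SAMPLE_HOST_STATUS))
```

Run it as `lxc exec <container> -- python3 capcheck.py` to check a live container. Note that a capability appearing in CapEff only says the bit is set; it does not tell you what the kernel's ns_capable() would answer for a particular resource, so for anything not owned by the container's user namespace the only userspace test is to attempt the operation and look for EPERM.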

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lvm2 in Ubuntu.
https://bugs.launchpad.net/bugs/1576341

Title:
  fails in lxd container

Status in lvm2 package in Ubuntu:
  Confirmed
Status in lxd package in Ubuntu:
  Invalid
Status in open-iscsi package in Ubuntu:
  Confirmed
Status in systemd package in Ubuntu:
  Confirmed

Bug description:
  The ubuntu:xenial image shows 'degraded' state in lxd on initial boot.

  $ lxc launch xenial x1
  $ sleep 10
  $ lxc file pull x1/etc/cloud/build.info -
  build_name: server
  serial: 20160420-145324

  $ lxc exec x1 systemctl is-system-running
  degraded

  $ lxc exec x1 systemctl --state=failed
    UNIT                          LOAD   ACTIVE SUB    DESCRIPTION
  ● dev-hugepages.mount           loaded failed failed Huge Pages File System
  ● iscsid.service                loaded failed failed iSCSI initiator daemon (iscsid)
  ● open-iscsi.service            loaded failed failed Login to default iSCSI targets
  ● systemd-remount-fs.service    loaded failed failed Remount Root and Kernel File Systems
  ● systemd-sysctl.service        loaded failed failed Apply Kernel Variables
  ● lvm2-lvmetad.socket           loaded failed failed LVM2 metadata daemon socket
  ● systemd-journald-audit.socket loaded failed failed Journal Audit Socket

  LOAD   = Reflects whether the unit definition was properly loaded.
  ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
  SUB    = The low-level unit activation state, values depend on unit type.

  7 loaded units listed. Pass --all to see loaded but inactive units, too.
  To show all installed unit files use 'systemctl list-unit-files'.

  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: open-iscsi 2.0.873+git0.3b4b4500-14ubuntu3
  ProcVersionSignature: Ubuntu 4.4.0-18.34-generic 4.4.6
  Uname: Linux 4.4.0-18-generic x86_64
  ApportVersion: 2.20.1-0ubuntu2
  Architecture: amd64
  Date: Thu Apr 28 17:28:04 2016
  ProcEnviron:
   TERM=xterm-256color
   PATH=(custom, no user)
  SourcePackage: open-iscsi
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lvm2/+bug/1576341/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
