this blog post https://brauner.github.io/2019/02/12/privileged-containers.html … -- highlights something commonly misunderstood: Docker's --privileged is /not/ the same as a "privileged container" in general container parlance, and I wish they'd change the naming!
-
and the capability check helper for actions that affect the entire system, capable(...), is actually defined based on ns_capable(&init_user_ns, ...)
-
an LXC-specific question. unprivileged containers are spawned with the CLONE_NEWUSER flag https://github.com/lxc/lxc/blob/d0b950440a8e5f9984520ab8c88e22a37a5469bc/src/lxc/start.c#L1755 … puts them in a new user ns. even if idmaps overlap (no security.idmap.isolated), cap in one container can't be used in another, right?