this blog post https://brauner.github.io/2019/02/12/privileged-containers.html highlights something commonly misunderstood: Docker's --privileged is /not/ the same as a "privileged container" in general container parlance, and I wish they'd change the naming!
an LXC-specific question. unprivileged containers are spawned with the CLONE_NEWUSER flag https://github.com/lxc/lxc/blob/d0b950440a8e5f9984520ab8c88e22a37a5469bc/src/lxc/start.c#L1755 puts them in a new user ns. even if idmaps overlap (no security.idmap.isolated), cap in one container can't be used in another, right?
you can't use capabilities on objects that aren't inside your user namespace; but for inodes, which aren't really associated with a specific namespace, the rule is that an inode is contained by every user namespace that maps its UID and GID, see capable_wrt_inode_uidgid()
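To make the inode rule from that reply concrete, here is an added example (not code from the thread, LXC, or the kernel) that models in userspace what capable_wrt_inode_uidgid() checks on the kernel side: a capability held in a user namespace can only reach an inode whose UID and GID are both mapped into that namespace. It parses the /proc/<pid>/uid_map and gid_map line format ("inside outside count") and, for a file owned by a given host-side UID/GID, reports which containers' namespaces contain it. The container names and ID ranges are constructed sample values: c1 and c2 deliberately share one 65536-ID range (the "overlapping idmaps, no security.idmap.isolated" case from the question), c3 has a disjoint range. It models only the mapping half of the check, not whether the process actually holds the capability (ns_capable()).

```python
"""
Userspace model of the kernel's "inode is contained by every user namespace
that maps its UID and GID" rule. Added example; all container names and ID
ranges are constructed, not taken from any real system.
"""
from typing import Dict, List, Optional, Tuple

# One parsed id_map: list of (inside_id, outside_id, count) triples,
# exactly the three columns of /proc/<pid>/uid_map and gid_map.
IdMap = List[Tuple[int, int, int]]


def parse_id_map(text: str) -> IdMap:
    """Parse the /proc/<pid>/{uid,gid}_map format: 'inside outside count' per line."""
    entries: IdMap = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed id_map line: {line!r}")
        inside, outside, count = (int(f) for f in fields)
        if count <= 0 or inside < 0 or outside < 0:
            raise ValueError(f"invalid id_map range: {line!r}")
        entries.append((inside, outside, count))
    return entries


def has_mapping(id_map: IdMap, host_id: int) -> bool:
    """Analogue of kuid_has_mapping()/kgid_has_mapping(): is the host-side
    (kernel) ID covered by any range of this namespace's map?"""
    return any(outside <= host_id < outside + count for _, outside, count in id_map)


def to_ns_id(id_map: IdMap, host_id: int) -> Optional[int]:
    """Analogue of from_kuid(): translate a host ID into the namespace's view.
    Returns None when unmapped (the kernel would show the overflow ID, 65534
    by default, and treat the inode as owned by nobody in that namespace)."""
    for inside, outside, count in id_map:
        if outside <= host_id < outside + count:
            return inside + (host_id - outside)
    return None


def inode_contained_in(uid_map: IdMap, gid_map: IdMap,
                       inode_uid: int, inode_gid: int) -> bool:
    """The mapping half of capable_wrt_inode_uidgid(): BOTH the inode's UID and
    GID must be mapped into the namespace, otherwise no capability held in that
    namespace can act on the inode."""
    return has_mapping(uid_map, inode_uid) and has_mapping(gid_map, inode_gid)


# Constructed sample: three unprivileged containers, given as (uid_map, gid_map)
# text as it would appear in /proc/<init-pid>/uid_map and gid_map.
# c1 and c2 share a range (overlapping idmaps); c3 is isolated in its own range.
CONTAINERS: Dict[str, Tuple[str, str]] = {
    "c1": ("0 100000 65536\n", "0 100000 65536\n"),
    "c2": ("0 100000 65536\n", "0 100000 65536\n"),
    "c3": ("0 200000 65536\n", "0 200000 65536\n"),
}


def containers_containing(inode_uid: int, inode_gid: int,
                          containers: Dict[str, Tuple[str, str]] = CONTAINERS) -> List[str]:
    """Names of the containers whose user namespace contains an inode owned by
    (inode_uid, inode_gid) on the host; a process with CAP_FOWNER / CAP_DAC_OVERRIDE
    inside one of these namespaces could act on that inode, in no other."""
    hits = []
    for name, (uid_text, gid_text) in containers.items():
        if inode_contained_in(parse_id_map(uid_text), parse_id_map(gid_text),
                              inode_uid, inode_gid):
            hits.append(name)
    return hits


if __name__ == "__main__":
    # Host-owned file (uid 0) is outside every container's map.
    print("host root file  :", containers_containing(0, 0))
    # A file in the shared range is reachable from BOTH c1 and c2.
    print("file uid 100001 :", containers_containing(100001, 100001))
    # A file in c3's range is reachable only from c3.
    print("file uid 200001 :", containers_containing(200001, 200001))
    # UID mapped in c1/c2 but GID only in c3: contained by none of them.
    print("mixed ownership :", containers_containing(100001, 200001))
    print("100001 inside c1 is uid", to_ns_id(parse_id_map(CONTAINERS["c1"][0]), 100001))
```

The overlapping case is the point: when two containers share a range, a file owned by host UID 100001 is contained by both namespaces, so the thing that keeps one container's capabilities away from another's files is which objects are mapped, not the capability bits themselves. The mixed-ownership case shows why the check is on both UID and GID: a file whose UID is mapped but whose GID is not is unreachable from every namespace shown.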