[systemd-devel] systemd-nspawn create container under unprivileged user

Lennart Poettering lennart at poettering.net
Tue Feb 10 03:56:45 PST 2015

On Thu, 05.02.15 15:48, Vasiliy Tolstov (v.tolstov at selfip.ru) wrote:

> 2015-02-05 12:44 GMT+03:00 Alban Crequy <alban.crequy at gmail.com>:
> > Manual page namespaces(7):
> >
> >        Creation of new namespaces using clone(2) and unshare(2) in most
> > cases
> >        requires the CAP_SYS_ADMIN capability.  User namespaces are the
> >        exception: since  Linux 3.8, no privilege is required to create a
> > user
> >        namespace.
> >
> So as i understand i can't create full featured container with network
> under non root user (and not have cap_sys_admin)

unprivileged containers are unlikely to ever support that. creating a
network interface on the host will necessary require privileges. If
you hence want "full network" support (by which i assume you mean veth
links and stuff), then you are generally out of luck...

You can run nspawn containers without CAP_SYS_ADMIN via nspawn's
--drop-capability=CAP_SYS_ADMIN switch. However, YMMY, as the code you
run inside of the container must be Ok with that not having those
perms and systemd at least until very recently didn't like that at


Lennart Poettering, Red Hat

More information about the systemd-devel mailing list