[systemd-devel] systemd-nspawn create container under unprivileged user

Djalal Harouni tixxdz at opendz.org
Wed Feb 11 04:53:40 PST 2015


On Tue, Feb 10, 2015 at 12:52:34PM +0100, Lennart Poettering wrote:
> On Thu, 05.02.15 02:03, Vasiliy Tolstov (v.tolstov at selfip.ru) wrote:
> 
> > Hello!
> > Is it possible to create a container as a regular user? Or what capabilities
> > do I need to add to create a container not using root?
> 
> Invoking containers without privileges is not supported by nspawn, and
> this is unlikely to change, as I fail to see any strong use case for
> this... 
>
> If somebody can enlighten me about the use case for allowing
> containers to be run by unprivileged users, I'd be willing to change
> my mind though...

A quick argument against it, IOW just wait and see!

As an unprivileged user we don't have CAP_SYS_MODULE set, but inside
unprivileged containers we are root, and a call to cap_get_flag() on
CAP_SYS_MODULE will return CAP_SET! But hey, in reality this is not true,
we don't have CAP_SYS_MODULE... This will confuse programs running
inside containers, and we'll have to add more code paths for this special
case... And not only CAP_SYS_MODULE, perhaps there are other cases...


-- 
Djalal Harouni
http://opendz.org
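
Added example, not part of the original message or of systemd's code: one way a program could tell whether the CAP_SYS_MODULE bit it sees is held in the initial user namespace or only inside a child namespace, the special case described above. It assumes the identity-mapping check on `/proc/<pid>/uid_map` as a heuristic; the names `classify_sys_module`, `is_identity_map` and `slurp` are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_SYS_MODULE_BIT 16 /* value of CAP_SYS_MODULE in <linux/capability.h> */

enum cap_verdict { CAP_ABSENT, CAP_NAMESPACED_ONLY, CAP_INIT_NS };

/* Heuristic (assumption): the initial user namespace shows exactly one
 * extent, "0 0 4294967295"; any other mapping means a child namespace. */
static int is_identity_map(const char *uid_map)
{
    unsigned long long in, out, len;
    const char *nl = strchr(uid_map, '\n');
    if (nl && nl[1] != '\0') return 0;  /* more than one extent */
    if (sscanf(uid_map, "%llu %llu %llu", &in, &out, &len) != 3) return 0;
    return in == 0 && out == 0 && len == 4294967295ULL;
}

/* status: text of /proc/<pid>/status; uid_map: text of /proc/<pid>/uid_map. */
enum cap_verdict classify_sys_module(const char *status, const char *uid_map)
{
    const char *p = strstr(status, "CapEff:");
    char *end;
    unsigned long long eff;
    if (!p) return CAP_ABSENT;
    p += strlen("CapEff:");
    eff = strtoull(p, &end, 16);        /* skips the tab, parses the hex mask */
    if (end == p || !((eff >> CAP_SYS_MODULE_BIT) & 1))
        return CAP_ABSENT;
    /* The bit is set; decide whether it means anything outside the namespace. */
    return is_identity_map(uid_map) ? CAP_INIT_NS : CAP_NAMESPACED_ONLY;
}

static void slurp(const char *path, char *buf, size_t cap)
{
    FILE *f = fopen(path, "r");
    size_t n = f ? fread(buf, 1, cap - 1, f) : 0;
    if (f) fclose(f);
    buf[n] = '\0';
}

int main(void)
{
    static const char *names[] = { "absent", "namespaced only", "initial namespace" };
    char status[8192], map[256];
    slurp("/proc/self/status", status, sizeof status);
    slurp("/proc/self/uid_map", map, sizeof map);
    printf("CAP_SYS_MODULE: %s\n", names[classify_sys_module(status, map)]);
    return 0;
}
```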

