[systemd-devel] systemd-nspawn create container under unprivileged user

Lennart Poettering lennart at poettering.net
Wed Feb 11 08:06:56 PST 2015


On Wed, 11.02.15 13:53, Djalal Harouni (tixxdz at opendz.org) wrote:

> On Tue, Feb 10, 2015 at 12:52:34PM +0100, Lennart Poettering wrote:
> > On Thu, 05.02.15 02:03, Vasiliy Tolstov (v.tolstov at selfip.ru) wrote:
> > 
> > > Hello!
> > > Does it possible to create container as regular user? Oh what capabilities
> > > i need to add to create container not using root?
> > 
> > Invoking containers without privileges is not supported by nspawn, and
> > this is unlikely to change, as I fail to see any strong usecase for
> > this... 
> >
> > If somebody can englighten me about the usecase for allowing
> > containers to be run by unprivileged users, I'd be willing to change
> > my mind though...
> A quick argument against it, IOW just wait and see!
> 
> As unprivileged we don't have CAP_SYS_MODULE set, but inside
> unprivileged containers we are root, and a call to cap_get_flag() on
> CAP_SYS_MODULE will return CAP_SET! but hey in reality this is not true,
> we don't have CAP_SYS_MODULE... this will confuse programs running
> inside containers, we'll have to add more code paths for this special
> case... and not only CAP_SYS_MODULE, perhaps there are other cases...

Well, but we could drop CAP_SYS_MODULE both before and after setting
up the userns, so that the cap is missing fro the PID both inside and
outside of it...

Lennart

-- 
Lennart Poettering, Red Hat


More information about the systemd-devel mailing list