Is is possible to enable sys_boot lxc cap? #2391
Comments
|
Basically and obiously, sys_cap_boot is called there and on a container, do not touch to the host.... |
|
And implementation of the restart is there : https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/kernel/pid_namespace.c#n281 |
|
Good news; according to @jpoimboe:
Green light on this, then! |
|
It is better, nevertheless to have this kind of safeguard at a kernel level, did you suceeded in getting back in touch with rhel ppl ? |
|
Josh Poimboeuf is one of the RH guys (specifically, working on libvirt-lxc integration :-)) |
|
Oh wait, it looks like the reboot capability check isn't present in 0.7.5 (which is the version currently recommended to run Docker, since it ships with Ubuntu 12.04 LTS); it was added only in 0.8 it seems. This is the check in latest version: It's in 0.8: But not 0.7.5: So back to square one. Maybe Docker could do the capability check somehow... That requires some extra steps. |
|
Oops, sorry @jpetazzo. Though my statement is still always true for libvirt-lxc ;-) The capability check and drop could be done in dockerinit. In fact my docker libvirt branch (which I'm currently working on rebasing to 0.7-rc4) already drops capabilities from dockerinit, so it's halfway there at least. |
|
Any reason why it should be done in dockerinit vs. at "runtime detection" (as is done for other things)? |
|
I think the reboot capability checking has to be done from within a container. Here's an lxc tools comment describing it: |
|
Right, makes sense. So |
Is is possible not to drop sys_boot lxc cap ?
This allow upstart and other /sbin/init based containers to support 'shutdown' and 'reboot' from within
See and #1960 & #2276
cc @regilero
The text was updated successfully, but these errors were encountered: