Is it possible to enable sys_boot lxc cap? #2391
Comments
Basically and obviously, sys_cap_boot is called there and, on a container, does not touch the host....
And the implementation of the restart is there: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/kernel/pid_namespace.c#n281
Good news; according to @jpoimboe:
Green light on this, then!
It is better, nevertheless, to have this kind of safeguard at the kernel level. Did you succeed in getting back in touch with the RHEL people?
Josh Poimboeuf is one of the RH guys (specifically, working on libvirt-lxc integration :-))
Oh wait, it looks like the reboot capability check isn't present in 0.7.5 (which is the version currently recommended to run Docker, since it ships with Ubuntu 12.04 LTS); it was added only in 0.8, it seems. This is the check in the latest version: It's in 0.8: But not 0.7.5: So back to square one. Maybe Docker could do the capability check somehow... That requires some extra steps.
Oops, sorry @jpetazzo. Though my statement is still always true for libvirt-lxc ;-) The capability check and drop could be done in dockerinit. In fact, my docker libvirt branch (which I'm currently working on rebasing to 0.7-rc4) already drops capabilities from dockerinit, so it's halfway there at least.
Any reason why it should be done in dockerinit vs. at "runtime detection" (as is done for other things)?
I think the reboot capability checking has to be done from within a container. Here's an lxc tools comment describing it:
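The in-container check discussed in the comments above, as an added example that is not code from Docker, LXC or anyone in this thread: it parses the Cap* lines of a /proc/<pid>/status file and reports whether CAP_SYS_BOOT (capability number 22 in linux/capability.h) is still present in a given set. sampleStatus is a constructed excerpt whose bounding set keeps the capability while the effective set has it cleared.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// CapSysBoot is the capability number of CAP_SYS_BOOT in linux/capability.h.
const CapSysBoot = 22

// capMask returns the hexadecimal mask of one Cap* field (CapInh, CapPrm,
// CapEff, CapBnd) from the text of a /proc/<pid>/status file.
func capMask(status, field string) (uint64, error) {
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		line := sc.Text()
		if strings.HasPrefix(line, field+":") {
			hex := strings.TrimSpace(strings.TrimPrefix(line, field+":"))
			return strconv.ParseUint(hex, 16, 64)
		}
	}
	return 0, fmt.Errorf("field %s not found in status", field)
}

// HasCap reports whether capability number n is set in the named Cap* field.
func HasCap(status, field string, n uint) (bool, error) {
	mask, err := capMask(status, field)
	if err != nil {
		return false, err
	}
	return mask&(1<<n) != 0, nil
}

// sampleStatus is a constructed /proc/self/status excerpt: the bounding set
// (CapBnd) still holds CAP_SYS_BOOT (bit 22, 0x400000); the effective set does not.
const sampleStatus = `CapPrm:	00000000a80425fb
CapEff:	00000000a80425fb
CapBnd:	00000000a84425fb
`

func main() {
	for _, f := range []string{"CapEff", "CapBnd"} {
		ok, err := HasCap(sampleStatus, f, CapSysBoot)
		fmt.Printf("%s contains CAP_SYS_BOOT: %v (err: %v)\n", f, ok, err)
	}
}
```

On Linux, pass the contents of /proc/self/status (or /proc/<pid>/status for a container's init) to HasCap to check a live process rather than the constructed sample.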
Right, makes sense. So
Is it possible not to drop the sys_boot lxc cap?
This allows upstart and other /sbin/init based containers to support 'shutdown' and 'reboot' from within.
See #1960 & #2276
cc @regilero