CAP_NETADMIN in incus

Hi All,

To avoid using security.privileged, I’m trying to grant a container the CAP_NETADMIN capability solely to allow it to run ipvsadm inside the container.

However, I’m having difficulty finding a straightforward way to configure this.

Thanks for your help.
D.

Have you tried setting these params?

raw.apparmor: |
    capability net_admin,

Unprivileged containers have all capabilities enabled.
However the scope of those capabilities is limited to what the container owns and what the container deems safe for unprivileged containers to use.

It sounds like ipvsadm is performing some kind of operation that the kernel doesn’t allow for someone who has cap_net_admin within a user namespace and so requires system-wide privileges instead.

In some cases, those are kernel bugs which can be resolved; in others, those are capabilities that would allow a container to bypass its confinement and so are deemed unsafe for exposure to unprivileged containers.
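A quick way to confirm the point made in the reply above is to look at what the kernel actually reports for a process: inside an unprivileged container the effective capability set usually still contains CAP_NET_ADMIN, and the uid_map shows that the capability is held in a user namespace rather than system-wide. The script below is an added diagnostic, not code from this thread or from Incus; it parses a /proc/PID/status capability mask and a uid_map, and the sample files it reads are constructed.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): is CAP_NET_ADMIN in the effective
# set, and is it held inside a user namespace?

CAP_NET_ADMIN_BIT=12   # bit number of CAP_NET_ADMIN in the kernel capability mask

# cap_in_mask HEXMASK BIT: succeed if BIT is set in a /proc/PID/status hex mask
cap_in_mask() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# cap_eff_from_status FILE: print the CapEff value from a /proc/PID/status file
cap_eff_from_status() {
    awk '/^CapEff:/ { print $2 }' "$1"
}

# in_user_namespace FILE: succeed unless the uid_map is the initial user
# namespace's identity map "0 0 4294967295"
in_user_namespace() {
    ! awk '$1 == 0 && $2 == 0 && $3 == 4294967295 { found = 1 }
           END { exit found ? 0 : 1 }' "$1"
}

# diagnose STATUS_FILE UIDMAP_FILE: print one of
#   cap_missing            CAP_NET_ADMIN is not in the effective set at all
#   cap_in_user_namespace  present, but scoped to a user namespace (the
#                          unprivileged-container case discussed above)
#   cap_in_initial_ns      present in the initial user namespace
diagnose() {
    mask=$(cap_eff_from_status "$1")
    if ! cap_in_mask "$mask" "$CAP_NET_ADMIN_BIT"; then
        echo cap_missing
    elif in_user_namespace "$2"; then
        echo cap_in_user_namespace
    else
        echo cap_in_initial_ns
    fi
}

# Constructed sample input resembling what an unprivileged container reports:
# full capability set, but uids mapped from a host range starting at 1000000.
tmp=$(mktemp -d)
printf 'Name:\tipvsadm\nCapEff:\t000001ffffffffff\nCapBnd:\t000001ffffffffff\n' > "$tmp/status"
printf '%s\n' '         0    1000000 1000000000' > "$tmp/uid_map"
echo "sample container: $(diagnose "$tmp/status" "$tmp/uid_map")"
# On a live system, run: diagnose /proc/self/status /proc/self/uid_map
rm -rf "$tmp"
```

Run it inside the container and on the host: both will normally show the capability present, and only the container will report it as scoped to a user namespace.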

Thank you, the answer makes sense for the ipvsadm part.
I’m trying to do things in demo mode, I can live with the privileged mode.

Merci Stéphane.

If you don’t mind me asking for some clarification on this issue and others that might show up.

With incus I tried

config set test config.security.capabilities CAP_NET_ADMIN
Error: Invalid config: Unknown configuration key: config.security.capabilities

but after setting the config to point at the host's

  tun:
    path: /dev/net/tun
    type: unix-char

tun file, with proper permissions in the container I can create tun devices.

With Incus, if our configs point to the host's devices, then the container with proper permissions can freely interact with the host?

The valid security config settings are listed here. You do not give a config. prefix to them as they are all implicitly under the config section.
