CAP_NETADMIN in incus

Hi All,

To avoid using security.privileged, I’m trying to grant a container the CAP_NETADMIN capability solely to allow it to run ipvsadm inside the container.

However, I’m having difficulty finding a straightforward way to configure this.

Thanks for your help.
D.

Have you tried setting these params?

raw.apparmor: |
    capability net_admin,

Unprivileged containers have all capabilities enabled.
However the scope of those capabilities is limited to what the container owns and what the container deems safe for unprivileged containers to use.

It sounds like ipvsadm is performing some kind of operation that the kernel doesn’t allow for someone who has cap_net_admin within a user namespace and so requires system-wide privileges instead.

In some cases, those are kernel bugs which can be resolved; in others, those are capabilities that would allow a container to bypass its confinement and so are deemed unsafe for exposure to unprivileged containers.
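The distinction drawn above (holding cap_net_admin inside a user namespace versus holding it system-wide) can be checked from inside the container. This is an added shell example, not code from the thread or from Incus; it assumes the Linux /proc layout and that CAP_NET_ADMIN is capability number 12.

```shell
#!/bin/sh
# Added example: show why a process can list CAP_NET_ADMIN in CapEff and
# still be refused by the kernel when it runs in a child user namespace.
# Assumptions: Linux /proc files; CAP_NET_ADMIN is capability bit 12.

CAP_NET_ADMIN=12

# Print "yes" if bit $2 is set in the hexadecimal capability mask $1.
cap_bit_set() {
    if [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]; then echo yes; else echo no; fi
}

# Extract the effective capability mask from a /proc/<pid>/status file.
capeff_from_status() {
    awk '/^CapEff:/ { print $2 }' "$1"
}

# Print "yes" if the uid_map file is the identity map of the initial user
# namespace (0 0 4294967295); anything else means a child user namespace.
in_init_userns() {
    awk 'NR == 1 { print ($1 == 0 && $2 == 0 && $3 == 4294967295) ? "yes" : "no" }' "$1"
}

# Combine both checks into the diagnosis described in the reply above.
diagnose() {
    mask=$(capeff_from_status "$1")
    [ -n "$mask" ] || mask=0
    if [ "$(cap_bit_set "$mask" "$CAP_NET_ADMIN")" != yes ]; then
        echo "no CAP_NET_ADMIN in effective set"
    elif [ "$(in_init_userns "$2")" = yes ]; then
        echo "CAP_NET_ADMIN in initial user namespace (full power)"
    else
        echo "CAP_NET_ADMIN scoped to a child user namespace: kernel checks against init_user_ns still fail"
    fi
}

# Constructed sample input (not captured from a real container): an
# unprivileged container typically maps uid 0 to a high host uid range.
demo=$(mktemp -d)
printf 'Name:\tipvsadm\nCapEff:\t000001ffffffffff\n' > "$demo/status"
printf '         0    1000000      65536\n' > "$demo/uid_map"
diagnose "$demo/status" "$demo/uid_map"
# Inside a running container use: diagnose /proc/self/status /proc/self/uid_map
```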

Thank you, the answer makes sense for the ipvsadm part.
I’m trying to do things in demo mode; I can live with the privileged mode.

Merci Stéphane.