How to add the CAP_IPC_LOCK capability to a container?

Hi,
I need to add the CAP_IPC_LOCK capability to a container.
Is there a way to add this capability as a CLI parameter or as a daemon setting for all containers running on a specific host?

I’m working with LXD 2.17.

Thanks,
Vitaliy

LXD doesn’t drop that particular capability, so my guess is simply that the kernel doesn’t have it allowed for unprivileged users/containers to use.

If you absolutely must have it, then you’ll need to make your container privileged.

Hello Stephane,

I don’t want to run my containers privileged.

But I got the same output from the command "capsh --print" on both unprivileged and privileged containers:

Current: = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,37+ep
Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,37
Securebits: 00/0x0/1'b0
secure-noroot: no (unlocked)
secure-no-suid-fixup: no (unlocked)
secure-keep-caps: no (unlocked)
uid=0(root)
gid=0(root)
groups=

However, my application IB_WRITE_BW, which requires the CAP_IPC_LOCK capability, can run only in a container with the profile setting 'security.privileged: "true"'.

PS. On the same host my application works properly in Docker without privileged mode, with the command line:

"docker run -itd --cap-add=IPC_LOCK --device=/dev/infiniband/uverbs1 …"

Thanks,
Vitaliy

Even without --privileged, Docker containers will run in what LXD calls privileged mode, that is, root in the container will be real root, rather than an unprivileged user mapped to uid/gid 0 in the container.

As you saw above, LXD itself doesn’t drop that capability for you, it’s the kernel which ultimately decides not to allow it against your container’s user namespace.
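The distinction in the two replies above is between a capability that is present in a process's effective set and one the kernel will honour for a given operation: mlock(2) checks CAP_IPC_LOCK against the init user namespace, so a capsh listing inside an unprivileged container can show cap_ipc_lock while the call still fails. The following diagnostic is an added example and not part of the thread or of LXD; it decodes the CapEff mask from /proc/self/status, applies a heuristic on /proc/self/uid_map to tell whether the process sits in the init user namespace, and then probes mlock above RLIMIT_MEMLOCK. The capability bit numbers follow <linux/capability.h>, and the uid_map heuristic (a single identity map of the full range means init namespace) is an assumption that a deliberately identity-mapped child namespace would defeat.

```python
"""Diagnose whether CAP_IPC_LOCK held by this process is usable against the
kernel's init user namespace or only inside a container's own namespace.
Added example; constants follow <linux/capability.h>, bits 0..37."""
import ctypes
import resource

CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read",
]
CAP_IPC_LOCK = CAP_NAMES.index("cap_ipc_lock")  # bit 14


def parse_cap_eff(status_text):
    """Return the effective capability mask from /proc/<pid>/status text."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError("no CapEff line in status text")


def has_cap(mask, bit):
    return bool((mask >> bit) & 1)


def caps_in(mask):
    """Names of all capabilities set in the mask, in bit order."""
    return [name for bit, name in enumerate(CAP_NAMES) if has_cap(mask, bit)]


def in_init_userns(uid_map_text):
    """Heuristic (assumption): the init user namespace shows one identity map
    of the full uid range. An LXD container's map, e.g. '0 1000000 65536',
    does not, so its capabilities are scoped to that child namespace."""
    return uid_map_text.split() == ["0", "0", "4294967295"]


def diagnose(status_text, uid_map_text):
    """'absent' when the bit is not in CapEff, 'effective' when it is held in
    the init user namespace, 'namespaced-only' when held in a child one."""
    mask = parse_cap_eff(status_text)
    if not has_cap(mask, CAP_IPC_LOCK):
        return "absent"
    return "effective" if in_init_userns(uid_map_text) else "namespaced-only"


def mlock_probe():
    """Try to lock slightly more memory than RLIMIT_MEMLOCK allows; the
    kernel permits that only with CAP_IPC_LOCK in the init user namespace.
    Returns True/False, or None when the limit is unlimited or too large to
    allocate for a probe."""
    soft, _hard = resource.getrlimit(resource.RLIMIT_MEMLOCK)
    if soft == resource.RLIM_INFINITY or soft > 256 * 1024 * 1024:
        return None
    size = soft + 4 * resource.getpagesize()
    libc = ctypes.CDLL(None, use_errno=True)
    libc.mlock.argtypes = [ctypes.c_void_p, ctypes.c_size_t]
    libc.munlock.argtypes = [ctypes.c_void_p, ctypes.c_size_t]
    buf = ctypes.create_string_buffer(size)
    if libc.mlock(ctypes.addressof(buf), size) == 0:
        libc.munlock(ctypes.addressof(buf), size)
        return True
    return False  # errno is typically ENOMEM (over limit) or EPERM


if __name__ == "__main__":
    with open("/proc/self/status") as f:
        status = f.read()
    with open("/proc/self/uid_map") as f:
        uid_map = f.read()
    print("CAP_IPC_LOCK:", diagnose(status, uid_map))
    print("mlock beyond RLIMIT_MEMLOCK succeeded:", mlock_probe())
```

Run inside the unprivileged container and the expected reading is "namespaced-only" together with a failed probe, matching what ib_write_bw sees; in a privileged container (or a Docker container, which runs as real root) the same script reports "effective". The probe is the authoritative check, since it asks the kernel the same question the application does; the CapEff decoding only explains why capsh looked identical in both cases.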