Hello, I am trying to run an unprivileged LXC container application which needs CAP_NET_ADMIN capability. However, only one process in the container needs that capability.
When I configure lxc.cap.keep = CAP_NET_ADMIN, all the processes running inside the container application get the CAP_NET_ADMIN capability. For testing purposes, when I executed "sleep" from the container shell, that new process also got the CAP_NET_ADMIN capability.
Is there any way I can assign CAP_NET_ADMIN to only one process in the LXC container, and 0 capabilities to any other processes in the container?
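A small added helper, not part of the original post, for the check the poster did by hand with "sleep": it decodes the CapEff hex mask that the kernel reports in /proc/PID/status and lists, for every process visible inside the container, whether it holds CAP_NET_ADMIN (capability number 12). The expected end state for the setup described above is exactly one "net_admin=yes" line. Only POSIX sh, awk and /proc are assumed.

```shell
#!/bin/sh
# Added example (not from the original post): decode Linux capability masks
# as shown in /proc/<pid>/status (CapEff/CapBnd, 64-bit hex) and audit which
# processes in a container hold CAP_NET_ADMIN.

CAP_NET_ADMIN=12   # capability number from <linux/capability.h>

# cap_is_set HEXMASK CAPNUM: exit 0 if bit CAPNUM is set in HEXMASK.
cap_is_set() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# cap_count HEXMASK: print how many capabilities the mask grants.
cap_count() {
    n=0
    bit=0
    while [ "$bit" -lt 64 ]; do
        if cap_is_set "$1" "$bit"; then n=$((n + 1)); fi
        bit=$((bit + 1))
    done
    echo "$n"
}

# proc_capeff PID: print the effective capability mask of a running process.
proc_capeff() {
    awk '/^CapEff:/ { print $2 }' "/proc/$1/status"
}

# audit_container: one line per process: pid, CapEff, number of caps held,
# and whether CAP_NET_ADMIN is among them. Inside the container the goal
# from the question is a single "net_admin=yes" line.
audit_container() {
    for entry in /proc/[0-9]*; do
        pid=${entry#/proc/}
        mask=$(proc_capeff "$pid" 2>/dev/null) || continue
        [ -n "$mask" ] || continue
        if cap_is_set "$mask" "$CAP_NET_ADMIN"; then flag=yes; else flag=no; fi
        printf '%s\tCapEff=%s\tcaps=%s\tnet_admin=%s\n' \
            "$pid" "$mask" "$(cap_count "$mask")" "$flag"
    done
}

# Run the audit only when invoked with --audit, so the functions can also be
# sourced from other scripts.
if [ "${1:-}" = "--audit" ]; then
    audit_container
fi
```

Run it as `sh audit-caps.sh --audit` from the container shell. An all-zero CapEff for a process means it holds no capabilities at all, which is what the question wants for everything except the one privileged process; the usual way to get there, assuming libcap or util-linux is present in the image, is to have the container's entrypoint start every other process through a wrapper that removes the capability from the bounding set (for example `capsh --drop=cap_net_admin --` or `setpriv --bounding-set=-net_admin`), so that lxc.cap.keep only matters for the one process started without the wrapper.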