LXC drop capabilities to unprivileged containers


I’m working on Ubuntu and Rocky Linux with LXD LXCs containers in Debian 11.

I don’t want my containers to be privileged. But I need my container to use some kernel capabilities like LINUX_IMMUTABLE.

I’ve done a lot of tests (with keep and drop) I cannot get a result.
It’s only working when I set the container as privileged.

Is that possible to drop a capability to be able to exec chattr +i mydocument.txt for example in an unprivileged container ?

Configuration used :

raw.lxc: |
  lxc.cap.drop = linux_immutable

It’s working on Docker with this configuration in compose (but in this case I need LXC) :


Thank you for your help.

Best regards.

I think the problem is the same as mentionned here : How to add CAP_IPC_LOCK capabilities to container? - #4 by stgraber


Thank your for you answer. It seems to be the same subject.

Then, unprivileged Docker containers has more privileges than unprivileged LXC containers ? Is that right ? And if I want to drop capabilities I need to be in privileged mode ?

Then, why there is a lxc.drop option if we must be in privileged mode (which drops everything) ? Is there dropping capabilities that didn’t needs privileged mode ?

Is adding security.privileged=True the same level as a unprivileged Docker container or is it totally different ?

Thank you for your help.

Best regards

The main difference is related to the usage of user namepsace by default with LXD. Docker containers are privileged even without the flag --privileged, because root inside a container is the same as root on the host. With user namespace, root inside a container is equivalent to a “virtual user” without much privileges on the host.

I guess LXC containers don’t need capabilities drop (like Docker) since most of them can’t be used with user namespacing nowadays I think. The option for dropping capabilities is probably there for privileged containers, or maybe for legacy reasons, I don’t really know.

And you want more details, you have two talks here :

Thanks a lot for your answers.
It helped me to get a better understanding of the issues related capacity dropping.

Best regards.

1 Like

That is indeed correct.