Thank you for your answer. It seems to be the same subject.
Then, unprivileged Docker containers have more privileges than unprivileged LXC containers? Is that right? And if I want to drop capabilities I need to be in privileged mode?
Then, why is there a lxc.drop option if we must be in privileged mode (which drops everything)? Is there any dropping of capabilities that doesn’t need privileged mode?
Is adding security.privileged=True the same level as an unprivileged Docker container or is it totally different?
The main difference is related to the use of user namespaces by default with LXD. Docker containers are privileged even without the flag --privileged, because root inside a container is the same as root on the host. With user namespaces, root inside a container is equivalent to a “virtual user” without many privileges on the host.
I guess LXC containers don’t need capabilities drop (like Docker) since most of them can’t be used with user namespacing nowadays I think. The option for dropping capabilities is probably there for privileged containers, or maybe for legacy reasons, I don’t really know.
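The UID mapping that the answer above describes is visible in /proc/<pid>/uid_map, where each line reads "inside-start outside-start length". The following is an added example, not part of the original thread: it translates a container UID to its host UID. The two sample maps are constructed values, and it assumes a single, non-nested user namespace.

```python
"""Added example: resolve which host UID a container UID really is."""
from pathlib import Path

# Constructed samples in /proc/<pid>/uid_map format.
# No user namespace: container UID 0 is host UID 0.
NO_USERNS = "         0          0 4294967295\n"
# Shifted map (values are illustrative): container UID 0 is host UID 1000000.
SHIFTED = "         0    1000000 1000000000\n"


def parse_id_map(text):
    """Parse uid_map/gid_map text into (inside_start, outside_start, length)."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed id map line: {line!r}")
        entries.append(tuple(int(f) for f in fields))
    return entries


def host_id(entries, inside_id):
    """Return the host-side ID for inside_id, or None if it is unmapped."""
    for inside_start, outside_start, length in entries:
        if inside_start <= inside_id < inside_start + length:
            return outside_start + (inside_id - inside_start)
    return None


def root_is_host_root(text):
    """True when UID 0 in this map is also UID 0 on the host."""
    return host_id(parse_id_map(text), 0) == 0


def main():
    for label, sample in (("no userns", NO_USERNS), ("shifted", SHIFTED)):
        uid = host_id(parse_id_map(sample), 0)
        print(f"{label}: container root -> host uid {uid}, "
              f"host root: {root_is_host_root(sample)}")
    live = Path("/proc/self/uid_map")  # present on Linux only
    if live.exists():
        print("this process:", parse_id_map(live.read_text()))


if __name__ == "__main__":
    main()
```

Run inside a container, the last line shows that container's own map, which makes it a quick check of whether its root is the host's root.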