LXC drop capabilities to unprivileged containers

swl · June 15, 2023, 1:18pm

Hi,

I’m working on Ubuntu and Rocky Linux with LXD LXCs containers in Debian 11.

I don’t want my containers to be privileged. But I need my container to use some kernel capabilities like LINUX_IMMUTABLE.

I’ve done a lot of tests (with keep and drop) I cannot get a result.
It’s only working when I set the container as privileged.

Is that possible to drop a capability to be able to exec chattr +i mydocument.txt for example in an unprivileged container ?

Configuration used :

[...]
raw.lxc: |
  lxc.cap.drop = linux_immutable
[...]

It’s working on Docker with this configuration in compose (but in this case I need LXC) :

[...]
cap_add:
  - LINUX_IMMUTABLE
[...]

Thank you for your help.

Best regards.

f-bn · June 15, 2023, 4:13pm

I think the problem is the same as mentionned here : How to add CAP_IPC_LOCK capabilities to container? - #4 by stgraber

swl · June 16, 2023, 7:54am

Hi,

Thank your for you answer. It seems to be the same subject.

Then, unprivileged Docker containers has more privileges than unprivileged LXC containers ? Is that right ? And if I want to drop capabilities I need to be in privileged mode ?

Then, why there is a lxc.drop option if we must be in privileged mode (which drops everything) ? Is there dropping capabilities that didn’t needs privileged mode ?

Is adding security.privileged=True the same level as a unprivileged Docker container or is it totally different ?

Thank you for your help.

Best regards

f-bn · June 16, 2023, 8:37am

The main difference is related to the usage of user namepsace by default with LXD. Docker containers are privileged even without the flag --privileged, because root inside a container is the same as root on the host. With user namespace, root inside a container is equivalent to a “virtual user” without much privileges on the host.

I guess LXC containers don’t need capabilities drop (like Docker) since most of them can’t be used with user namespacing nowadays I think. The option for dropping capabilities is probably there for privileged containers, or maybe for legacy reasons, I don’t really know.

And you want more details, you have two talks here :
https://www.youtube.com/watch?v=SvZK8LxEXSs
https://www.youtube.com/watch?v=5KydVxAvLOA

swl · June 16, 2023, 10:12am

Thanks a lot for your answers.
It helped me to get a better understanding of the issues related capacity dropping.

Best regards.

tomp · June 20, 2023, 9:56am

That is indeed correct.