Hello to the community, thanks in advance.
I am playing around with 'basic' container security and I managed to build everything I wanted with incus, apart from one case.
I would like to build a container, either lxc or oci (I have tried both without success), with shared host PID and user namespaces and CAP_SYS_PTRACE. The goal is to create a lab for students.
With docker it is quite an easy CLI flag; however, I really want to use incus, which is why I'm here.
Also, I am not sure if it is possible with system containers without tricking the init system; I did not manage to get rid of the init error with Debian.
For OCI containers I've tried to manually modify config.json to get rid of the namespaces I do not want to clone and to add the SYS_PTRACE capability. However, it does not seem to be applied when only modifying config.json, so I tried to give lxc.raw values, but this hasn't worked either.
I am asking if there is a known limitation with incus on sharing the PID ns with the host. Also, if someone can digress about config.json and the correct way of configuring OCI containers with incus: it seems to be read at each start of the container, but I was not able to see changes after modification...
If there is a known need for peculiar modifications and support, I would be happy to contribute!
Thanks to everyone!