Namespaced file capabilities update
This proposal has been rejected.
One Line Summary
Why can't containers use file capabilities yet?
Abstract
Root in unprivileged containers is not allowed to write file capabilities for files over which it is privileged. This means that programs wanting to run in containers cannot rely on file capabilities being available as a method of starting with privilege. Instead they must be able to fall back on being setuid-root.
For some time we’ve worked toward being able to provide this functionality. This will be a brief update on the progress of that work.
Speaker
Biography
I work on the virtualization stack for Ubuntu and am one of the maintainers for lxc.