Installing the LXD snap from edge channel (for fscaps support), on the current 4.4 kernel:
root@djanet:~# lxc launch ubuntu-daily:cosmic c1
To start your first container, try: lxc launch ubuntu:18.04

Creating c1
Starting c1
root@djanet:~# lxc exec c1 -- setcap cap_net_raw+ep /usr/bin/mtr-packet
Failed to set capabilities on file `/usr/bin/mtr-packet' (Operation not permitted)
The value of the capability argument is not permitted for a file. Or the file is not a regular (non-symlink) file

As expected on that kernel, the caps were lost when the container got uid shifted, and manually setting the caps from within the container fails.

After switching to 4.4.0-132:

root@djanet:~# lxc exec c1 -- setcap cap_net_raw+ep /usr/bin/mtr-packet
root@djanet:~# lxc exec c1 -- getcap /usr/bin/mtr-packet
/usr/bin/mtr-packet = cap_net_raw+ep

** Tags removed: verification-needed-xenial
** Tags added: verification-done

--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1778286

Title:
  Backport namespaced fscaps to xenial 4.4

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  Fix Committed

Bug description:
  SRU Justification

  Impact: Support for using filesystem capabilities in unprivileged user namespaces was added upstream in Linux 4.14. This is a useful feature that allows unprivileged containers to set fscaps that are valid only in user namespaces where a specific kuid is mapped to root. This allows for e.g. support for Linux distros within lxd which make use of filesystem capabilities.

  Fix: Backport upstream commit 8db6c34f1dbc "Introduce v3 namespaced file capabilities" and any subsequent fixes to xenial 4.4.

  Test Case: Test use of fscaps within a lxd container.

  Regression Potential: This has been upstream since 4.14 (and thus is present in bionic), and the backport to xenial 4.4 was straightforward, so regression potential is low.
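As an added illustration (not part of the bug report, the kernel or LXD), the following Python decodes the on-disk security.capability xattr and shows what the v3 format introduced by commit 8db6c34f1dbc adds over v2: a rootid field naming the kuid that is root in the user namespace where the capability is valid. The sample blob, the uid 100000 and the helper names are constructed assumptions, not values from the bug.

```python
import os
import struct
from typing import Optional

VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
CAP_NET_RAW = 13  # capability bit index of cap_net_raw

def parse_fscap(blob: bytes) -> dict:
    """Decode a security.capability xattr value (v1, v2 or v3 layout).

    v1: magic(4) + 1 word of (permitted, inheritable)  = 12 bytes
    v2: magic(4) + 2 words of (permitted, inheritable) = 20 bytes
    v3: v2 layout + rootid(4)                          = 24 bytes
    """
    if len(blob) < 4:
        raise ValueError("xattr too short")
    magic = struct.unpack_from("<I", blob, 0)[0]
    rev = magic & VFS_CAP_REVISION_MASK
    words = {0x01000000: 1, 0x02000000: 2, 0x03000000: 2}.get(rev)
    if words is None:
        raise ValueError(f"unknown fscap revision 0x{rev:08x}")
    expected = 4 + 8 * words + (4 if rev == 0x03000000 else 0)
    if len(blob) != expected:
        raise ValueError(f"bad length {len(blob)} for revision 0x{rev:08x}")
    permitted = inheritable = 0
    for i in range(words):  # each word is a little-endian (permitted, inheritable) pair
        p, inh = struct.unpack_from("<II", blob, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    # v3 only: kuid that is root in the namespace the caps are valid for (0 = host root)
    rootid = struct.unpack_from("<I", blob, 4 + 8 * words)[0] if rev == 0x03000000 else 0
    return {"revision": rev >> 24, "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE),
            "permitted": permitted, "inheritable": inheritable, "rootid": rootid}

def build_fscap_v3(permitted: int, inheritable: int, effective: bool, rootid: int) -> bytes:
    """Encode a v3 value, the layout the kernel stores for a setcap done inside a userns."""
    magic = 0x03000000 | (VFS_CAP_FLAGS_EFFECTIVE if effective else 0)
    return struct.pack("<IIIIII", magic, permitted & 0xFFFFFFFF, inheritable & 0xFFFFFFFF,
                       permitted >> 32, inheritable >> 32, rootid)

def read_fscap(path: str) -> Optional[dict]:
    """Decode the xattr of a real file (Linux only); None if it has no fscaps."""
    try:
        return parse_fscap(os.getxattr(path, "security.capability"))
    except (OSError, AttributeError):
        return None

# Constructed sample: cap_net_raw+ep as set from a container whose root maps to host uid 100000.
SAMPLE_V3 = build_fscap_v3(1 << CAP_NET_RAW, 0, True, 100000)

if __name__ == "__main__":
    print(parse_fscap(SAMPLE_V3))
```

On a host with a namespaced fscap in place, read_fscap("/path/to/binary") reports revision 3 and the mapped rootid, while a plain host setcap yields revision 2 and rootid 0.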
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1778286/+subscriptions

--
Mailing list: https://launchpad.net/~kernel-packages
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

