How to pass extra lxc.security config to unprivileged containers?

[kamanwu]

lxc.security.syscalls.intercept.mknod: "true"
lxc.security.syscalls.intercept.setxattr: "true"

I tried this, and get:

vm 240 - unable to parse config: lxc.security.syscalls.intercept.mknod: "true"
vm 240 - unable to parse config: lxc.security.syscalls.intercept.setxattr: "true"

 

[cheiss]

Hi,

that's because this is not valid syntax for LXC. (and searching for that, that's for LXD probably?)

Anyway, you need to create a seccomp profile and use that, please see the LXC configuration about that for more information.

 

[kamanwu]

Hi,

that's because this is not valid syntax for LXC. (and searching for that, that's for LXD probably?)

Anyway, you need to create a seccomp profile and use that, please see the LXC configuration about that for more information.

thanks. then how to update seccomp? I find the file at: /var/lib/lxc/240/rules.seccomp. I try to remove some rules in denylist, but after rebooting, all rules come back.

UPDATE: I find the place: /usr/share/lxc/config/common.seccomp

 

[Proxygen]

looking at the same config change to run docker inside containers, as opposed to VMs.

is it possible to selective allow these extra permissions per container, not for all containers?

 

[kamanwu]

looking at the same config change to run docker inside containers, as opposed to VMs.

is it possible to selective allow these extra permissions per container, not for all containers?

To run docker inside containers, you just need go to options --> features, and setup "nesting=1"

 

[Proxygen]

To run docker inside containers, you just need go to options --> features, and setup "nesting=1"

oh ok! you got it to run in unpriviledged containers w/o setting these?

lxc.security.syscalls.intercept.mknod: "true"
lxc.security.syscalls.intercept.setxattr: "true"

Probably not. `If using unprivileged, ensure the “keyctl” option is also enabled`.