How to pass extra lxc.security config to unprivileged containers?

kamanwu

New Member
May 7, 2023
Code:
lxc.security.syscalls.intercept.mknod: "true"
lxc.security.syscalls.intercept.setxattr: "true"

I tried this, and get:
Code:
vm 240 - unable to parse config: lxc.security.syscalls.intercept.mknod: "true"
vm 240 - unable to parse config: lxc.security.syscalls.intercept.setxattr: "true"
 
Hi,

That's because this is not valid syntax for LXC (and searching for that, it's probably LXD syntax?).

Anyway, you need to create a seccomp profile and use that; please see the LXC configuration documentation for more information.


Thanks. Then how do I update seccomp? I found the file at /var/lib/lxc/240/rules.seccomp. I tried removing some rules from the denylist, but after rebooting, all the rules come back.

UPDATE: I found the place: /usr/share/lxc/config/common.seccomp
 
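The file the poster found, /usr/share/lxc/config/common.seccomp, uses LXC's version-2 seccomp policy syntax (a version line, a default-policy line, an optional `reject_force_umount`, then `[arch]` sections of `syscall action` rules), and LXC points a container at a profile through its `lxc.seccomp.profile` key. The script below is an added example written for this thread, not code from LXC, Proxmox or any poster. It parses a policy in that format, reports the action the filter applies to a given syscall, and compares two versions of one policy so you can see exactly which syscalls an edit like the one described above opens up. The sample policy is constructed to match the shape of the file, not its real contents, and the rule that an arch-specific section overrides `[all]` is my simplification of the format, not a verified LXC behaviour.

```python
"""Parse LXC version-2 seccomp policies and compare two versions of one.

Added example for this thread (not LXC's or Proxmox's code). The sample policy
is constructed: it follows the layout of /usr/share/lxc/config/common.seccomp
but is not a copy of that file.
"""
from dataclasses import dataclass, field

SAMPLE_POLICY = """\
2
denylist
reject_force_umount  # comment this to allow umount -f;  not recommended
[all]
kexec_load errno 1
open_by_handle_at errno 1
init_module errno 1
finit_module errno 1
delete_module errno 1
[x86_64]
ioperm errno 1
"""

# The same constructed sample with two denylist rules removed, mirroring the
# kind of edit described in the thread.
SAMPLE_POLICY_EDITED = (
    SAMPLE_POLICY.replace("open_by_handle_at errno 1\n", "")
    .replace("ioperm errno 1\n", "")
)

# Rule actions this parser accepts (the first word of a rule's action field).
ACTIONS = {"allow", "kill", "trap", "errno", "notify", "log"}


@dataclass
class Policy:
    mode: str                                  # "denylist" or "allowlist"
    reject_force_umount: bool = False
    rules: dict = field(default_factory=dict)  # section name -> {syscall: action}


def parse_policy(text: str) -> Policy:
    """Parse a v2 policy; raise ValueError for anything this parser does not understand."""
    lines = [ln.split("#", 1)[0].strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln]  # drop comments and blank lines
    if not lines or lines[0] != "2":
        raise ValueError("only version-2 seccomp policies are supported")
    mode_word = lines[1].split()[0] if len(lines) > 1 else ""
    if mode_word in ("denylist", "blacklist"):
        mode = "denylist"
    elif mode_word in ("allowlist", "whitelist"):
        mode = "allowlist"
    else:
        raise ValueError(f"unknown default policy: {lines[1]!r}")
    policy = Policy(mode=mode)
    section = "all"  # rules before any [section] header belong to [all]
    for ln in lines[2:]:
        if ln == "reject_force_umount":
            policy.reject_force_umount = True
        elif ln.startswith("[") and ln.endswith("]"):
            section = ln[1:-1]
            policy.rules.setdefault(section, {})
        else:
            parts = ln.split()
            syscall = parts[0]
            # A bare syscall name takes the list's default rule action:
            # kill on a denylist, allow on an allowlist.
            default = "kill" if mode == "denylist" else "allow"
            action = " ".join(parts[1:]) if len(parts) > 1 else default
            if action.split()[0] not in ACTIONS:
                raise ValueError(f"unknown action in rule: {ln!r}")
            policy.rules.setdefault(section, {})[syscall] = action
    return policy


def effective_action(policy: Policy, syscall: str, arch: str = "x86_64") -> str:
    """Action applied to `syscall` on `arch`.

    Assumption (simplification): an arch-specific rule wins over [all]; a syscall
    listed nowhere gets the policy default (allowed on a denylist, killed on an
    allowlist).
    """
    for section in (arch, "all"):
        if syscall in policy.rules.get(section, {}):
            return policy.rules[section][syscall]
    return "allow" if policy.mode == "denylist" else "kill"


def newly_allowed(before: Policy, after: Policy, arch: str = "x86_64") -> list[str]:
    """Syscalls that `before` restricted and `after` lets through: what an edit opened up."""
    listed = set()
    for section in ("all", arch):
        listed |= set(before.rules.get(section, {}))
    return sorted(
        s for s in listed
        if effective_action(before, s, arch) != "allow"
        and effective_action(after, s, arch) == "allow"
    )


if __name__ == "__main__":
    orig = parse_policy(SAMPLE_POLICY)
    edited = parse_policy(SAMPLE_POLICY_EDITED)
    print("mknod:", effective_action(orig, "mknod"))            # unlisted on a denylist
    print("kexec_load:", effective_action(orig, "kexec_load"))  # listed rule
    print("opened up by the edit:", newly_allowed(orig, edited))
```

Run it against two saved copies of a real profile (before and after an edit) by swapping the constructed strings for the file contents; the `newly_allowed` diff is the review step worth doing before a changed profile reaches a container, since a denylist silently allows everything it no longer names.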
To run Docker inside containers, you just need to go to Options --> Features and set "nesting=1".
Oh ok! You got it to run in unprivileged containers w/o setting these?

Code:
lxc.security.syscalls.intercept.mknod: "true"
lxc.security.syscalls.intercept.setxattr: "true"

Probably not. `If using unprivileged, ensure the “keyctl” option is also enabled`.
 