Drop net_admin and network configuration

maxired

Dec 11, 2012, 6:53:07 AM12/11/12
to open...@googlegroups.com
Hi everybody,

I am currently working on the process of isolating the container from the host.

During this process, I try to remove as many capabilities as possible from the containers.

One of the capabilities I am currently blocked on is CAP_NET_ADMIN: "Perform various network-related operations (e.g., setting privileged socket options, enabling multicasting, interface configuration, modifying routing tables)."

In order to be able to drop this capability, the network configuration should be done from outside the container. With lxc < 0.8, we are unable to set the default gateway in the container configuration file. This has been added since.

Do you think I can rely on the fact that users have lxc > 0.8 and use this feature?
If not, I am not sure how I can proceed.
I tried a configuration in which we make the container believe that the whole internet is reachable without a router, by enabling routing and proxy ARP on the host. I'm currently stuck on this approach. The problem is that when I set the IP to, for example, "10.0.3.10/0", I don't get the route set up (the same behaviour appears with "ip addr add 10.0.3.10/0 dev eth0").

Here is what I expect to have:
~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         255.255.255.255 UH    0      0        0 eth0

For information, I got this behaviour on Ubuntu 12.04 with a 3.2.0-29 kernel.

If I add this default route manually inside the container, it works, but it can't be done without the NET_ADMIN capability.

What do you think about this? Is lxc >= 0.8 OK? Do you know of another solution? Should we give the NET_ADMIN capability?

Max
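A container config along the lines Max describes, as an added example that is not part of the thread: LXC assigns the address and the default gateway from the host side (via the lxc.network.ipv4.gateway key, which the post says exists only from 0.8 on), so the container can start with net_admin already dropped. The hostname, bridge name and addresses are constructed for the example.

```ini
# Added example, not from the thread. Assumes an lxc >= 0.8 config syntax
# where lxc.network.ipv4.gateway is honoured; hostname, bridge and
# addresses below are constructed values.
lxc.utsname = web1

# veth pair attached to the host bridge; LXC brings the container end up
# and configures it before the container's init runs.
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.flags = up
lxc.network.name = eth0

# Address and default route are installed by LXC from the host side,
# so nothing inside the container ever needs CAP_NET_ADMIN.
lxc.network.ipv4 = 10.0.3.10/24
lxc.network.ipv4.gateway = 10.0.3.1

# With the route already in place, net_admin can be dropped. Without this
# line an "ip route add default ..." run inside the container would still
# succeed, which is exactly the privilege the thread wants to remove.
lxc.cap.drop = net_admin
```

Inside the running container, `ip route` should show the default route via 10.0.3.1 and `capsh --print` should no longer list cap_net_admin in the current set.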



Romain

Dec 11, 2012, 10:22:19 AM12/11/12
to open...@googlegroups.com
Hi Max

lxc 0.8.0~rc1 is available in Ubuntu LTS via backports. Did you try with it?

And for other OSes, we can add an issue explaining how to add the NET_ADMIN capability.

Cheers
Romain



Maxence

Dec 11, 2012, 1:08:06 PM12/11/12
to Romain, openruko
Hi Romain,

I'm currently trying with the version you mentioned.
I'll let you know about my experiments.
I haven't yet succeeded in booting the full OS without the net_admin capability.

Bests,
Maxired
