[Bug 1064] iptables-save fails silently in unprivileged lxc/lxd container

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Wed May 4 08:08:14 CEST 2016


Phil Whineray <phil at firehol.org> changed:

           What    |Removed                     |Added
                 CC|                            |phil at firehol.org

--- Comment #9 from Phil Whineray <phil at firehol.org> ---
Regarding the kernel patch, it requires the following sequence of system calls,
so that a mapping for root is available before the network namespace is

/* Setup any mappings */

I expect lxc, since it predates the patch, just unshares the network namespace
at the same time as the user namespace, which will not have the desired effect
in this case.

I don't know how lxc works; are unprivileged containers started direct from the
command line or via a daemon? If the former, could someone try running it with
"unshare -r"?
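
The call order the comment describes, as an added C example that is not part of the bug report or of lxc: unshare the user namespace, write uid_map so that root is mapped, and only then unshare the network namespace. The helper names are mine, and the only check made is that each step succeeds.

```c
#include <errno.h>
#include <fcntl.h>
#include <linux/sched.h>   /* CLONE_NEWUSER, CLONE_NEWNET without _GNU_SOURCE */
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: the one-line uid_map mapping root in the new user
 * namespace to the caller's uid outside it, e.g. "0 1000 1\n". */
int format_uid_map(unsigned outer_uid, char *buf, size_t len)
{
    return snprintf(buf, len, "0 %u 1\n", outer_uid);
}

/* The ordering the comment describes: unshare the user namespace, map root,
 * only then unshare the network namespace. Returns 0 or -errno (-EPERM is
 * typical where unprivileged user namespaces are disabled). */
int create_mapped_netns(void)
{
    char map[64];
    unsigned uid = getuid(); /* read before unshare; afterwards it reads as nobody */
    if (syscall(SYS_unshare, CLONE_NEWUSER) < 0)
        return -errno;
    format_uid_map(uid, map, sizeof map);
    int fd = open("/proc/self/uid_map", O_WRONLY);
    if (fd < 0)
        return -errno;
    int rc = write(fd, map, strlen(map)) == (ssize_t)strlen(map) ? 0 : -errno;
    close(fd);
    if (rc)
        return rc;
    /* Root is mapped now, so the netns created here is owned by a mapped uid 0. */
    return syscall(SYS_unshare, CLONE_NEWNET) < 0 ? -errno : 0;
}

/* Run the sequence in a forked child (caller's namespaces stay put); returns 0 or -errno. */
int create_mapped_netns_in_child(void)
{
    int status = 0;
    pid_t pid = fork();
    if (pid < 0)
        return -errno;
    if (pid == 0)
        _exit(-create_mapped_netns() & 0xff); /* 0 on success, else errno */
    if (waitpid(pid, &status, 0) < 0)
        return -errno;
    return WIFEXITED(status) ? -WEXITSTATUS(status) : -ECHILD;
}
```

A single unshare(CLONE_NEWUSER|CLONE_NEWNET) call, which is what the comment suspects lxc does, creates the network namespace while root is still unmapped, so only the sequential order above meets the requirement of the kernel patch the comment refers to.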
