[Bug 1064] iptables-save fails silently in unprivileged lxc/lxd container
bugzilla-daemon at netfilter.org
Wed May 4 08:08:14 CEST 2016
https://bugzilla.netfilter.org/show_bug.cgi?id=1064
Phil Whineray <phil at firehol.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |phil at firehol.org
--- Comment #9 from Phil Whineray <phil at firehol.org> ---
Regarding the kernel patch, it requires the following sequence of system calls,
so that a mapping for root is available before the network namespace is
created:
#define _GNU_SOURCE
#include <sched.h>   /* unshare(), CLONE_NEWUSER, CLONE_NEWNET */
unshare(CLONE_NEWUSER);
/* Setup any mappings (write /proc/self/uid_map and /proc/self/gid_map) */
unshare(CLONE_NEWNET);
I expect lxc, since it predates the patch, just unshares the network namespace
at the same time as the user namespace, which will not have the desired effect
in this case.
I don't know how lxc works; are unprivileged containers started directly from the
command line or via a daemon? If the former, could someone try running it with
"unshare -r"?
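The following is an added, self-contained C program (not Phil's code and not lxc's) that demonstrates the difference between the two orderings discussed above. It runs each ordering in a forked child and reports the effective uid the process had at the moment the network namespace came into existence: with the two-step sequence (unshare the user namespace, write the root mapping, then unshare the network namespace) the creator is already root in the new user namespace, while unsharing both namespaces in one call creates the network namespace before any mapping exists, so the creator is still the unmapped overflow uid. The mapping step writes /proc/self/uid_map, /proc/self/setgroups and /proc/self/gid_map the way `unshare -r` does. It assumes a Linux kernel that permits unprivileged user namespaces and a mounted /proc; where that is not the case the probe reports the errno instead of a uid.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Result reported by the child: errno of the first failing step (0 = every
 * step succeeded) and the effective uid observed right after the network
 * namespace came into existence. */
struct ns_probe {
    int err;
    uid_t euid;
};

/* Build the one-line id map "0 <id> 1\n" that makes <id> root in the new namespace. */
static const char *map_line(char *buf, size_t len, unsigned id)
{
    snprintf(buf, len, "0 %u 1\n", id);
    return buf;
}

/* Write text to a /proc/self file; returns 0 on success, -errno on failure. */
static int write_proc(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return -errno;
    ssize_t n = write(fd, text, strlen(text));
    int rc = (n < 0) ? -errno : 0;
    close(fd);
    return rc;
}

/* The "Setup any mappings" step: map our original uid/gid to 0, which is what
 * `unshare -r` does. Since Linux 3.19 an unprivileged process must deny
 * setgroups before it is allowed to write gid_map. */
static int map_root(uid_t uid, gid_t gid)
{
    char line[64];
    int rc = write_proc("/proc/self/uid_map", map_line(line, sizeof line, uid));
    if (rc < 0)
        return rc;
    rc = write_proc("/proc/self/setgroups", "deny");
    if (rc < 0 && rc != -ENOENT)   /* kernels before 3.19 have no setgroups file */
        return rc;
    return write_proc("/proc/self/gid_map", map_line(line, sizeof line, gid));
}

/* Create the namespaces in a forked child so the caller stays where it is.
 * two_step != 0: user ns, mappings, then net ns (the order the comment asks for);
 * two_step == 0: both namespaces in one call (the order the comment suspects lxc uses). */
static struct ns_probe probe_netns_order(int two_step)
{
    struct ns_probe r = { .err = -1, .euid = (uid_t)-1 };
    uid_t uid = getuid();
    gid_t gid = getgid();
    int fds[2];

    if (pipe(fds) < 0)
        return r;
    pid_t pid = fork();
    if (pid < 0)
        return r;
    if (pid == 0) {
        int rc;
        close(fds[0]);
        if (two_step) {
            rc = unshare(CLONE_NEWUSER);
            if (rc == 0 && (rc = map_root(uid, gid)) < 0)
                errno = -rc;
            if (rc == 0)
                rc = unshare(CLONE_NEWNET);
        } else {
            rc = unshare(CLONE_NEWUSER | CLONE_NEWNET);
        }
        r.err = rc < 0 ? errno : 0;
        r.euid = geteuid();   /* identity the new net ns saw as its creator */
        if (write(fds[1], &r, sizeof r) < 0)
            _exit(1);
        _exit(0);
    }
    close(fds[1]);
    if (read(fds[0], &r, sizeof r) != (ssize_t)sizeof r)
        r.err = -1;
    close(fds[0]);
    waitpid(pid, NULL, 0);
    return r;
}

int main(void)
{
    const char *label[] = { "NEWUSER|NEWNET in one unshare()", "NEWUSER, map root, then NEWNET" };
    for (int two_step = 0; two_step <= 1; two_step++) {
        struct ns_probe r = probe_netns_order(two_step);
        if (r.err)
            printf("%s: failed (%s)\n", label[two_step], strerror(r.err));
        else
            printf("%s: euid after net ns creation = %u\n", label[two_step], (unsigned)r.euid);
    }
    return 0;
}
```

Run it as an ordinary user: the one-call ordering prints the overflow uid (65534 by default) because the network namespace was created before root was mapped, and the two-step ordering prints 0. A machine whose kernel or seccomp policy forbids unprivileged user namespaces prints the EPERM or EINVAL it got instead, which is itself a useful signal when reproducing this bug.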