Hi,
I am running a home server on Arch using several nspawn containers for filesystem separation, not for extra security purposes.
I wanted to run a privileged docker container inside one nspawn container. I followed the ArchWiki and created an nspawn service override:
[Service]
Environment=SYSTEMD_NSPAWN_USE_CGNS=0
and .nspawn file with:
[Exec]
Capability=all
SystemCallFilter=add_key keyctl
[Files]
Bind=/sys/fs/cgroup
When I tried to run "docker run --privileged nameofcontainer", I got "apply caps - Operation permitted". So I figured it could be that the capset syscall is not in the SystemCallFilter list.
So I edited the .nspawn file adding capset syscall to SystemCallFilter like this:
[Exec]
Capability=all
SystemCallFilter=add_key keyctl capset
[Files]
Bind=/sys/fs/cgroup
However, I still run into the same error. Is there something really easy that I am just missing?
Running docker in unprivileged mode works.
Last edited by marhycz (2018-12-09 21:00:25)
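A diagnostic to run from inside the nspawn container, added here as an example and not taken from the thread or from systemd/docker: it parses a /proc/self/status-style file to count capabilities missing from the bounding set (CapBnd) and reports the seccomp mode, because runc's "apply caps" step typically gets EPERM when --privileged requests capabilities the surrounding bounding set does not hold, and a limited CapBnd after Capability=all points at the nspawn side rather than the syscall filter. Assumes a Linux /proc layout; the highest capability number is passed in (on a live system from /proc/sys/kernel/cap_last_cap), and the --self flag is a constructed convenience for running it on the current process.

```shell
#!/bin/sh
# Reports two facts that decide whether runc's "apply caps" can succeed here:
#   - how many capabilities 0..LASTCAP are absent from the bounding set (CapBnd)
#   - the seccomp mode (Seccomp: 0 = off, 1 = strict, 2 = filter)
# Assumption: a Linux /proc layout; LASTCAP comes from /proc/sys/kernel/cap_last_cap.

# field FILE KEY -> value of the "KEY:<tab>value" line, whitespace stripped
field() {
    while IFS= read -r line; do
        case "$line" in
            "$2:"*) printf '%s' "${line#*:}" | tr -d '[:space:]'; return 0 ;;
        esac
    done < "$1"
    return 1
}

# cap_missing FILE LASTCAP -> number of capability bits 0..LASTCAP clear in CapBnd
cap_missing() {
    bnd=$(field "$1" CapBnd)
    missing=0
    i=0
    while [ "$i" -le "$2" ]; do
        # Shift the hex mask right by i and test the low bit.
        if [ $(( (0x$bnd >> i) & 1 )) -eq 0 ]; then
            missing=$((missing + 1))
        fi
        i=$((i + 1))
    done
    echo "$missing"
}

# seccomp_mode FILE -> the Seccomp: value (2 is normal inside nspawn, which
# always installs a filter; a limited CapBnd is the more telling signal)
seccomp_mode() {
    field "$1" Seccomp
}

# diagnose FILE LASTCAP -> one summary line
diagnose() {
    printf 'bounding-set-missing:%s seccomp-mode:%s\n' \
        "$(cap_missing "$1" "$2")" "$(seccomp_mode "$1")"
}

# Constructed entry point: "sh diag.sh --self" inside the container checks
# the current shell, which inherits the container's bounding set and filter.
if [ "${1:-}" = "--self" ] && [ -r /proc/sys/kernel/cap_last_cap ]; then
    diagnose /proc/self/status "$(cat /proc/sys/kernel/cap_last_cap)"
fi
```

With Capability=all working, bounding-set-missing should be 0; a non-zero count means the container's bounding set, not the syscall filter, is what --privileged trips over.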
This is the exact output from running
docker run --privileged
docker: Error response from daemon: OCI runtime create failed: container_linux.go:337: starting container process caused "apply caps: operation not permitted": unknown.
ERRO[0000] error waiting for container: context canceled