--- docs/drvlxc.html.in | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/docs/drvlxc.html.in b/docs/drvlxc.html.in index fc4bc20..4a634c5 100644 --- a/docs/drvlxc.html.in +++ b/docs/drvlxc.html.in @@ -540,6 +540,33 @@ debootstrap, whatever) under /opt/vm-1-root: </domain> </pre> +<h2><a name="capabilities">Altering the available capabilities</a></h2> + +<p> +By default the libvirt LXC driver drops some capabilities among which CAP_MKNOD. +However <span class="since">since 1.2.6</span> libvirt can be told to keep or +drop some capabilities using a domain configuration like the following: +</p> +<pre> +... +<features> + <capabilities> + <mknod state='on'/> + <sys_chroot state='off'/> + </capabilities> +</features> +... +</pre> +<p> +The capabilities children elements are named after the capabilities as defined in +<code>man 7 capabilities</code>. An <code>off</code> state tells libvirt to drop the +capability, while an <code>on</code> state will force to keep the capability even though +this one is dropped by default. +</p> +<p> +Note that allowing capabilities that are normally dropped by default can seriously +affect the security of the container and the host. +</p> <h2><a name="usage">Container usage / management</a></h2> -- 1.8.4.5 -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list