Privileged actions in unprivileged containers

Session information has not yet been published for this event.


One Line Summary

How to selectively allow privileged actions from otherwise unprivileged containers?


Unprivileged containers, that is, containers which use a user namespace to map their UIDs and GIDs to an unprivileged range, have very limited kernel privileges.

Those privileges are no higher than what a normal unprivileged user would have on the system and are restricted to the container’s namespaces.
Anything which isn’t owned by the container and isn’t part of a namespace will typically be rejected by the kernel.

Some common examples include:
– Creating device nodes
– Mounting filesystems
– Setting up loop devices
– Raising a process nice level
– Raising the OOM score of a process

In this presentation, we’ll go over the most common sources of frustration and look at a few approaches that could be used for the container runtime to decide whether those privileged actions should be allowed or not.

Presentation Materials



  • Mugshot

    Stéphane Graber

    Canonical Ltd.


    Stéphane Graber works as the technical lead for LXD at Canonical Ltd. He is the upstream project leader for LXC and LXD and a frequent speaker and track leader at the various containers and other Linux related events.

    Stéphane is also a long time contributor to the Ubuntu Linux distribution as an Ubuntu Core Developer and he currently sits on the Ubuntu Technical Board.

    On his spare time, Stéphane helps organize a yearly security conference and contest in Montréal, Northsec, where his knowledge of Linux and network infrastructure is used to simulate the most complex of environments for the contestants.