Privileged actions in unprivileged containers


One Line Summary

How to selectively allow privileged actions from otherwise unprivileged containers?


Unprivileged containers, that is, containers which use a user namespace to map their UIDs and GIDs to an unprivileged range, have very limited kernel privileges.

Those privileges are no higher than what a normal unprivileged user would have on the system and are restricted to the container’s namespaces.
Anything which isn’t owned by the container and isn’t part of a namespace will typically be rejected by the kernel.

Some common examples include:
– Creating device nodes
– Mounting filesystems
– Setting up loop devices
– Raising a process nice level
– Raising the OOM score of a process

In this presentation, we’ll go over the most common sources of frustration and look at a few approaches that could be used for the container runtime to decide whether those privileged actions should be allowed or not.

Presentation Materials



  • Mugshot

    Stéphane Graber

    Canonical Ltd.


    Stéphane Graber works as the technical lead for LXD at Canonical Ltd. He is the upstream project leader for LXC and LXD and a frequent speaker and track leader at the various containers and other Linux related events.

    Stéphane is also a long time contributor to the Ubuntu Linux distribution as an Ubuntu Core Developer and he currently sits on the Ubuntu Technical Board.

    On his spare time, Stéphane helps organize a yearly security conference and contest in Montréal, Northsec, where his knowledge of Linux and network infrastructure is used to simulate the most complex of environments for the contestants.