libvirt users - Jan 2014 - dropping capabilities in lxc containers

Hi there

I’m not quite proficient with libvirt yet, and have been using it so far
primarily to manage lxc containers
I was hoping to find a means to configure the set of capabilities that guests
should drop, but came across a few web pages suggesting these were set in stone
in the code
is this correct, or is there a means to tweak this set from the host via the xml
config or a virsh command ?

any hint / pointer to documentation in this respect would be most appreciated

— Thierry

On Wed, Jan 29, 2014 at 09:43:25AM +0100, Thierry Parmentelat
wrote:
> Hi there
> 
> I’m not quite proficient with libvirt yet, and have been using it
> so far primarily to manage lxc containers
> I was hoping to find a means to configure the set of capabilities
> that guests should drop, but came across a few web pages suggesting
> these were set in stone in the code
> is this correct, or is there a means to tweak this set from the host
> via the xml config or a virsh command ?
> 
> any hint / pointer to documentation in this respect would be most
> appreciated
That's correct, there's no means to configure this from the libvirt
XML config. The containers will be started with the maximal set of
capabilities we can reasonably allow. The app inside the container
can drop bits they don't require

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

Thanks for the feedback
I take it from your answer that there is no current plan in the direction of
adding this as a feature, right ?
In this case, how would you welcome pull requests if we managed to add this on
our side ?

Many thanks — Thierry

On 29 Jan 2014, at 14:27, Daniel P. Berrange <berrange@redhat.com> wrote:
> On Wed, Jan 29, 2014 at 09:43:25AM +0100, Thierry Parmentelat wrote:
>> Hi there
>> 
>> I’m not quite proficient with libvirt yet, and have been using it
>> so far primarily to manage lxc containers
>> I was hoping to find a means to configure the set of capabilities
>> that guests should drop, but came across a few web pages suggesting
>> these were set in stone in the code
>> is this correct, or is there a means to tweak this set from the host
>> via the xml config or a virsh command ?
>> 
>> any hint / pointer to documentation in this respect would be most
>> appreciated
> 
> That's correct, there's no means to configure this from the libvirt
> XML config. The containers will be started with the maximal set of
> capabilities we can reasonably allow. The app inside the container
> can drop bits they don't require
> 
> Regards,
> Daniel
> -- 
> |: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/
:|
> |: http://libvirt.org              -o-             http://virt-manager.org
:|
> |: http://autobuild.org       -o-         http://search.cpan.org/~danberr/
:|
> |: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc
:|