Docker Community Forums


--cap-add not working with lxc mode


(Chimere) #1

Hi,

I am using Docker in lxc mode (i.e. starting the daemon with the "-e lxc" option) to be able to assign fixed IP addresses to containers.
I thought I would replace the dreaded "--privileged" option with "--cap-add" instead to increase the security level. However, it does not seem to work.
I get the following:

docker run --cap-add=NET_ADMIN -t -i -P fedora bash
2014/09/12 13:07:34 drop capabilities operation not permitted
lxc-start: The container failed to start.
lxc-start: Additional information can be obtained by setting the --logfile and --log-priority options.

Using "--cap-add=ALL" gives the same error message.
Using "--cap-add=MKNOD" or "--cap-add=CHOWN" instead, the container starts without errors.

Is it a bug or is the cap-add feature not completely compatible with the lxc mode for network capabilities?
I am working on a Fedora 20 system.

Thanks for any inputs.


(Sven Dowideit) #2

Testing using native on a freshly installed Fedora 20 had generalised permission issues, which were fixed up by updating to docker-io 1.2.0 and the latest selinux-policy.

Next up, lxc.

And... confirmed. Could you please raise an issue on GitHub? I /think/ the goal is for the different execution engines to be identical; at minimum we want to confirm this is expected, and document it.


(Chimere) #3

Thanks for your answer.
Will bring this issue to github.