Rework old article

_posts/2021-07-14-lxc-drop-capsysadmin.md

@@ -1,10 +1,9 @@
 ---
 layout: post
-slug: hardening-lxc-containers-running-systemd
+slug: lxc-drop-capsysadmin
 status: published
 sitemap: true
-title: Some LXC hardening
-description: An epic trying to drop CAP\_SYS\_ADMIN
+title: Dropping CAP_SYS_ADMIN in LXC
 category: developpement
 tags:
 - security
@@ -147,14 +146,16 @@ lxc.hook.mount = /usr/local/bin/mount-cgroup
 And now, your container is working !
 
 But instead of creating a capabilities blacklist, can we create a capabilities whitelist ?
+Yes, we can:
 
 ```ini
 lxc.cap.keep =
 lxc.cap.keep = chown ipc_lock ipc_owner kill net_admin net_bind_service
 ```
 
-You can find the whole capability list in the dedicated man page [capabilities(7)](http://man7.org/linux/man-pages/man7/capabilities.7.html) and how to use them with LXC in the LXC man page [lxc.container.conf(5)](https://linuxcontainers.org/fr/lxc/manpages//man5/lxc.container.conf.5.html#lbAV).
+If you want to dig the question further, you can find the whole capability list in the dedicated man page [capabilities(7)](http://man7.org/linux/man-pages/man7/capabilities.7.html) and how to use them with LXC in the LXC man page [lxc.container.conf(5)](https://linuxcontainers.org/fr/lxc/manpages//man5/lxc.container.conf.5.html#lbAV). Have fun!
 
+<!--
 ## cgroups: group your processes
 
 [Wikipedia](https://en.wikipedia.org/wiki/Cgroups) proposes the following definition:
@@ -174,4 +175,4 @@ Michael Kerrisk wrote an interesting [serie of articles about namespaces](https:
 
 > The purpose of each namespace is to wrap a particular global system resource in an abstraction that makes it appear to the processes within the namespace that they have their own isolated instance of the global resource.
 
-
+-->