The solution is to simply: for CAP in net_admin net_raw sys_admin; do vzctl set 114 --capability ${CAP}:on --save ; done It was http://forum.openvz.org/index.php?t=msg&goto=4214& which got me on the right track. /Benny