Re: [Lxc-users] lxc-setcap doesn't work in ubuntu 12.04

2012-06-29 Thread Serge Hallyn
Quoting Sam Wang (zhefw...@gmail.com): When I use lxc in ubuntu 12.04, lxc-setcap doesn't work. Can someone tell me why? It cannot work. It sets file capabilities on shell scripts, which cannot work, just as setuid shell scripts cannot work. -serge

Re: [Lxc-users] Problem with pthread_create SCHED_RR - Operation not permitted

2012-06-29 Thread Serge Hallyn
Quoting Hans Feldt (hans.fe...@ericsson.com): Hi, As the subject says, pthread_create for SCHED_RR fails with EPERM(1) in my container. Program run as root. Same program run directly on host works. I tried disabling the apparmor stuff but no luck. host: ubuntu 12.04 container:

Re: [Lxc-users] lxc-setcap doesn't work in ubuntu 12.04

2012-06-29 Thread Serge Hallyn
Quoting Sam Wang (zhefw...@gmail.com): I know it cannot work with shell scripts and it cannot work with binary executable files. It can work with binary executables, but of course the capabilities won't persist across execve, which may be what you meant. such as lxc-execute. I used lxc in

Re: [Lxc-users] lxc-setcap doesn't work in ubuntu 12.04

2012-06-29 Thread Sam Wang
Firstly, I execute lxc-setcap as root, then I execute lxc-execute as a normal user, but it turns out to be an error which says it doesn't run with proper privilege. What's more, it still doesn't work even after I execute lxc-setuid as root. However, when I use lxc in centos and redhat, after I execute

Re: [Lxc-users] lxc-setcap doesn't work in ubuntu 12.04

2012-06-29 Thread Serge Hallyn
Ah, I see the problem. src/lxc/caps.c:lxc_caps_up() isn't detecting supported capabilities correctly. When it gets -EINVAL for cap_get_flags(), it should take that as a hint that the capability is not supported by the kernel. Instead it exits with failure. The reason you're not seeing this on

[Lxc-users] [PATCH 1/1] Fix lxc's handling of CAP_LAST_CAP

2012-06-29 Thread Serge Hallyn
The following patch allows me to run lxc-execute -n p1 -- /bin/ls as unprivileged user. I've pushed it to git://github.com/hallyn/lxc.git. Thanks, Sam, for pointing this out. CAP_LAST_CAP in linux/capability.h doesn't always match what the kernel actually supports. If the kernel supports fewer

Re: [Lxc-users] [lxc-devel] [PATCH 1/1] Fix lxc's handling of CAP_LAST_CAP

2012-06-29 Thread Stéphane Graber
On 06/29/2012 11:41 AM, Serge Hallyn wrote: The following patch allows me to run lxc-execute -n p1 -- /bin/ls as unprivileged user. I've pushed it to git://github.com/hallyn/lxc.git. Thanks, Sam, for pointing this out. CAP_LAST_CAP in linux/capability.h doesn't always match what the kernel

Re: [Lxc-users] [lxc-devel] [PATCH 1/1] Fix lxc's handling of CAP_LAST_CAP

2012-06-29 Thread Serge Hallyn
Quoting Stéphane Graber (stgra...@ubuntu.com): On 06/29/2012 11:41 AM, Serge Hallyn wrote: The following patch allows me to run lxc-execute -n p1 -- /bin/ls as unprivileged user. I've pushed it to git://github.com/hallyn/lxc.git. Thanks, Sam, for pointing this out. CAP_LAST_CAP in

[Lxc-users] [PATCH 1/1] Fix lxc's handling of CAP_LAST_CAP (v2)

2012-06-29 Thread Serge Hallyn
CAP_LAST_CAP in linux/capability.h doesn't always match what the kernel actually supports. If the kernel supports fewer capabilities, then a cap_get_flag for an unsupported capability returns -EINVAL. Recognize that, and don't fail when initializing capabilities when this happens, rather accept

Re: [Lxc-users] [PATCH 1/1] Fix lxc's handling of CAP_LAST_CAP (v2)

2012-06-29 Thread Stéphane Graber
On 06/29/2012 12:14 PM, Serge Hallyn wrote: CAP_LAST_CAP in linux/capability.h doesn't always match what the kernel actually supports. If the kernel supports fewer capabilities, then a cap_get_flag for an unsupported capability returns -EINVAL. Recognize that, and don't fail when