Quoting Sam Wang (zhefw...@gmail.com):
When I use lxc in Ubuntu 12.04, lxc-setcap doesn't work.
Can someone tell me why?
It cannot work. It sets file capabilities on shell scripts, which cannot
work just as setuid shell scripts cannot work.
-serge
Quoting Hans Feldt (hans.fe...@ericsson.com):
Hi,
As the subject says, pthread_create for SCHED_RR fails with EPERM(1) in my
container. Program run as root.
Same program run directly on host works. I tried disabling the apparmor stuff
but no luck.
host: ubuntu 12.04
container:
Quoting Sam Wang (zhefw...@gmail.com):
I know it can not work with shell scripts and it can not work with binary
executable file.
It can work with binary executables, but of course the capabilities won't
persist across execve, which may be what you meant.
such as lxc-execute. I used lxc in
Firstly, I execute lxc-setcap as root, then I execute lxc-execute as normal
user, but it turns out to be error which says it doesn't run with proper
privilege. What's more, it still doesn't work even after I execute lxc-setuid
as root.
However, when I use lxc in CentOS and Red Hat, after I execute
Ah, I see the problem. src/lxc/caps.c:lxc_caps_up() isn't detecting
supported capabilities correctly. When it gets -EINVAL for
cap_get_flags(), it should take that as a hint that the capability
is not supported by the kernel. Instead it exits with failure.
The reason you're not seeing this on
The following patch allows me to run lxc-execute -n p1 -- /bin/ls
as unprivileged user. I've pushed it to git://github.com/hallyn/lxc.git.
Thanks, Sam, for pointing this out.
CAP_LAST_CAP in linux/capability.h doesn't always match what the kernel
actually supports. If the kernel supports fewer
On 06/29/2012 11:41 AM, Serge Hallyn wrote:
The following patch allows me to run lxc-execute -n p1 -- /bin/ls
as unprivileged user. I've pushed it to git://github.com/hallyn/lxc.git.
Thanks, Sam, for pointing this out.
CAP_LAST_CAP in linux/capability.h doesn't always match what the kernel
Quoting Stéphane Graber (stgra...@ubuntu.com):
On 06/29/2012 11:41 AM, Serge Hallyn wrote:
The following patch allows me to run lxc-execute -n p1 -- /bin/ls
as unprivileged user. I've pushed it to git://github.com/hallyn/lxc.git.
Thanks, Sam, for pointing this out.
CAP_LAST_CAP in
CAP_LAST_CAP in linux/capability.h doesn't always match what the kernel
actually supports. If the kernel supports fewer capabilities, then a
cap_get_flag for an unsupported capability returns -EINVAL.
Recognize that, and don't fail when initializing capabilities when this
happens, rather accept
On 06/29/2012 12:14 PM, Serge Hallyn wrote:
CAP_LAST_CAP in linux/capability.h doesn't always match what the kernel
actually supports. If the kernel supports fewer capabilities, then a
cap_get_flag for an unsupported capability returns -EINVAL.
Recognize that, and don't fail when