Hey Serge,

On Thu, 2014-07-10 at 14:13 +0000, Serge Hallyn wrote:
> Hi Michael,
>
> https://bugs.launchpad.net/bugs/1339781 claims that
>
> """creating a centos 7 container mostly worked using the template, but when
> it was launched, it was really slow to run through most of the sysinit
> tasks, and neither systemd-journald nor systemd-logind could start. The
> error was something like "Error at step CAPABILITIES"."""
>
> and that allowing setpcap fixes it. Two questions:
>
> 1. Why is setpcap being dropped? It only allows moving caps from bounding
> set to pI and dropping more caps from bounding set. It actually seems less
> safe to disable it than to keep it enabled, as privileged tasks will be
> unable to set things up right and run under a bad config - a la sendmail
> capabilities bug.
>
> 2. Would disabling the systemd journal service also fix this?

Right now, the biggest problem with the CentOS template is that it has not been adapted for systemd yet. There is some preliminary stuff in there but I just got done downloading the CentOS 7 images and haven't had time to even look at it yet and won't really have a chance over the next couple of weeks. I'm not surprised at all that there have been gotchas. I'll have to merge some of Dwight's work with the Oracle template and my stuff with the Fedora template into the CentOS template for CentOS 7.

> -serge

Regards,
Mike
--
Michael H. Warfield (AI4NB) | (770) 978-7061 | m...@wittsend.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
_______________________________________________
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel