Quoting Christian Brauner (christianvanbrau...@gmail.com):
> Here is the original problem which I'm still
> experiencing with lxc 1.1:
> 
> > w/ userns:
> > [root at fedora2 ~]# setcap 'cap_net_admin,cap_net_raw+ep' /usr/bin/ping
> > Failed to set capabilities on file `/usr/bin/ping' (Operation not permitted)
> > [root at fedora2 ~]# id
> > uid=0(root) gid=0(root) groups=0(root)
> > 
> > w/o userns:
> > [root at fedora2 ~]# setcap 'cap_net_admin,cap_net_raw+ep' /usr/bin/ping
> > [root at fedora2 ~]# getcap /usr/bin/ping
> > /usr/bin/ping = cap_net_admin,cap_net_raw+ep
> > [root at fedora2 ~]# id
> > uid=0(root) gid=0(root) groups=0(root)
> > 
> > every yum install <pkg> where the pkg has file capabilities fails with
> > 
> > Error unpacking rpm package <PKG>
> > error: unpacking of archive failed on file <FILE>: cpio: cap_set_file
> > 
> > is there a way to get this working?
> 
> (posted by Stephan Sachse)
> 
> The relevant threads are:
> https://lists.linuxcontainers.org/pipermail/lxc-devel/2014-February/008220.html
> 
> and:
> https://www.redhat.com/archives/libvir-list/2014-February/msg01545.html
> 
> Has there been a solution to this problem / an acceptable patch? Running Fedora
> Rawhide unprivileged trying to install iputils still shows this behaviour.

The only way I can see this being done safely would be to have capability
sets be annotated with a kuid_t representing the root in the namespace
of the tasks who wrote the capabilities.  No one is working on this.  If
you want it, you'll need to write the patch and advocate for it.

-serge
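As an added example (not code from this thread or from lxc), here is a C decoder for the raw `security.capability` xattr value that `setcap`/`getcap` read and write. It handles the revision 2 layout and the revision 3 layout that later kernels (4.14 and newer) added, whose trailing `rootid` field records the kuid of the root that wrote the caps, i.e. the annotation Serge describes. The `caps_apply_for_root` check is a simplified version of that rule, and the two sample blobs are constructed here.

```c
#include <stdint.h>
#include <string.h>

/* Constants from uapi/linux/capability.h (revision 3 exists in kernel 4.14+) */
#define VFS_CAP_REVISION_MASK   0xFF000000u
#define VFS_CAP_REVISION_2      0x02000000u
#define VFS_CAP_REVISION_3      0x03000000u
#define VFS_CAP_FLAGS_EFFECTIVE 0x000001u

/* Decoded view of one security.capability xattr. */
struct filecap {
    uint32_t revision;
    int effective;
    uint64_t permitted, inheritable;
    uint32_t rootid;   /* v3 only: kuid of "root" in the namespace that wrote the caps; 0 for v2 */
};

static uint32_t le32(const unsigned char *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Parse the raw xattr value. Returns 0 on success, -1 on bad length or unknown revision. */
int decode_filecap(const unsigned char *buf, size_t len, struct filecap *out) {
    if (len < 4) return -1;
    uint32_t magic = le32(buf);
    uint32_t rev = magic & VFS_CAP_REVISION_MASK;
    size_t need = rev == VFS_CAP_REVISION_2 ? 20 : rev == VFS_CAP_REVISION_3 ? 24 : 0;
    if (need == 0 || len != need) return -1;
    memset(out, 0, sizeof *out);
    out->revision = rev;
    out->effective = (magic & VFS_CAP_FLAGS_EFFECTIVE) != 0;
    /* data[0] holds bits 0-31 of each set, data[1] holds bits 32-63 */
    out->permitted   = (uint64_t)le32(buf + 4) | (uint64_t)le32(buf + 12) << 32;
    out->inheritable = (uint64_t)le32(buf + 8) | (uint64_t)le32(buf + 16) << 32;
    if (rev == VFS_CAP_REVISION_3) out->rootid = le32(buf + 20);
    return 0;
}

/* Simplified form of the rule Serge sketches (assumption, not the kernel's exact logic):
   honour the caps only if the stored root identity matches the kuid that is uid 0 in the
   executing task's user namespace. v2 caps carry no rootid, so they count as written by
   the initial namespace's root (kuid 0). */
int caps_apply_for_root(const struct filecap *c, uint32_t ns_root_kuid) {
    return c->rootid == ns_root_kuid;
}

/* Constructed sample xattr values (little-endian): cap_net_admin,cap_net_raw+ep, as set on ping */
const unsigned char SAMPLE_V2[20] = {0x01,0,0,0x02, 0x00,0x30,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0};
/* Same caps, revision 3, rootid 100000 (0x000186A0): written by the root of a userns whose uid 0 maps to kuid 100000 */
const unsigned char SAMPLE_V3[24] = {0x01,0,0,0x03, 0x00,0x30,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0xA0,0x86,0x01,0x00};
```

With the v2 blob the caps are honoured only for the initial namespace's root, while the v3 blob is honoured inside the namespace whose root is kuid 100000 and refused elsewhere.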
_______________________________________________
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel