Ah, I see the problem.  src/lxc/caps.c:lxc_caps_up() isn't detecting
supported capabilities correctly.  When it gets -EINVAL for
cap_get_flags(), it should take that as a hint that the capability
is not supported by the kernel.  Instead it exits with failure.

The reason you're not seeing this on redhat/centos is, presumably,
that its package was built where /usr/include/linux/capability.h
was older (matching its older kernel).  On precise, capability.h
includes up to cap 35 which must not be supported in the kernel.

This is the unfortunate effect of the fact that /sys/security/capability/
was never merged.  (Now that I'm listed as maintainer, maybe I should
re-try to merge that)  But lxc can work around this better.

I'll send out a patch for this.  (When I can - may not be until
end of next week, so if someone else wants to, please feel free)

-serge
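The detection logic described above, as an added example that is not lxc's own code: probe capability numbers upward and treat the first EINVAL as the kernel's "not supported" hint rather than a failure, so a capability.h that lists more capabilities than the running kernel knows (the precise case above, where the header goes up to cap 35) is handled gracefully. Assumptions: it uses prctl(PR_CAPBSET_READ), which the kernel rejects with EINVAL for an unknown capability number, and /proc/sys/kernel/cap_last_cap as a fast path where that file exists; the simulated probes, the limit of 34 they answer with, and the header value 35 are constructed for illustration.

```c
/* Added example (not lxc's code): find the highest capability the running
 * kernel supports, so capabilities the headers know but the kernel does not
 * are skipped instead of aborting. Linux-specific parts are guarded. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

/* A capability number no kernel can have; bounds the probe loop. */
#define CAP_PROBE_LIMIT 63

/* A probe returns 0 if the kernel knows `cap`, or -1 with errno set:
 * EINVAL means "unknown capability", anything else is a real error. */
typedef int (*cap_probe_fn)(int cap);

#ifdef __linux__
/* Real probe: PR_CAPBSET_READ answers 0/1 for a known capability and
 * fails with EINVAL for a number the kernel has never heard of. */
static int probe_via_prctl(int cap)
{
    int r = prctl(PR_CAPBSET_READ, (unsigned long)cap, 0UL, 0UL, 0UL);
    return r < 0 ? -1 : 0;
}
#endif

/* Constructed stand-in for a kernel that knows caps 0..34 only, i.e. the
 * situation described above where the header's cap 35 is unsupported. */
#define SIMULATED_KERNEL_LAST_CAP 34
int probe_simulated_kernel(int cap)
{
    if (cap <= SIMULATED_KERNEL_LAST_CAP)
        return 0;
    errno = EINVAL;
    return -1;
}

/* Constructed stand-in for a probe that fails for an unrelated reason. */
int probe_simulated_eperm(int cap)
{
    (void)cap;
    errno = EPERM;
    return -1;
}

/* Walk capability numbers upward until the kernel says EINVAL. Returns the
 * highest supported capability, or -1 on any other error. */
int find_last_cap(cap_probe_fn probe)
{
    int last = -1;
    for (int cap = 0; cap <= CAP_PROBE_LIMIT; cap++) {
        errno = 0;
        if (probe(cap) == 0) {
            last = cap;
            continue;
        }
        if (errno == EINVAL)
            break;      /* first unknown cap: this is the hint, not a failure */
        return -1;      /* EPERM or similar: a genuine error */
    }
    return last;
}

/* Decide whether a capability named in the headers should be raised (1)
 * or silently skipped because the kernel does not support it (0). */
int should_raise_cap(int cap, int kernel_last_cap)
{
    return cap <= kernel_last_cap;
}

/* Fast path: kernels that publish cap_last_cap give the answer directly.
 * Returns -1 when the file is absent so callers fall back to probing. */
int read_cap_last_cap_file(const char *path)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    int v = -1;
    if (fscanf(f, "%d", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

int main(void)
{
#ifdef __linux__
    int last = read_cap_last_cap_file("/proc/sys/kernel/cap_last_cap");
    if (last < 0)
        last = find_last_cap(probe_via_prctl);
    if (last < 0) {
        perror("probing capabilities");
        return 1;
    }
    printf("kernel supports capabilities 0..%d\n", last);
    /* 35: the header's highest capability in the report above (assumed). */
    for (int cap = 0; cap <= 35; cap++)
        if (!should_raise_cap(cap, last))
            printf("cap %d: not supported by this kernel, skipping\n", cap);
    return 0;
#else
    puts("capability probing is Linux-only");
    return 0;
#endif
}
```

The point of passing the probe as a function pointer is that the decision logic (stop at the first EINVAL, fail on anything else) can be exercised against the simulated kernel without root and without depending on the host's kernel version; the real prctl probe only differs in where the answer comes from.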

Quoting Sam Wang (zhefw...@gmail.com):
> Firstly, I execute lxc-setcap as root, then I execute lxc-execute as a normal
> user, but it turns out to be an error which says it doesn't run with proper
> privilege. What's more, it still doesn't work even after I execute lxc-setuid
> as root.
> However, when I use lxc in centos and redhat, after I execute lxc-setcap, I
> can execute lxc-execute without privilege.
> 
> 2012/6/29 Serge Hallyn <serge.hal...@canonical.com>
> 
> > Quoting Sam Wang (zhefw...@gmail.com):
> > > I know it can not work with shell scripts and it can not work with binary
> > > executable file.
> >
> > It can work with binary executables, but of course the capabilities won't
> > persist across execve, which may be what you meant.
> >
> > > such as lxc-execute. I used lxc in centos 6.2 and red hat
> > > 6.1, it did work.
> >
> > Then please define 'did not work' in ubuntu.
> >
> > > btw: the version of lxc is 0.7.5 installed by apt-get install
> >
> > In any case, you'll "soon" be able to use user namespaces to start
> > containers without needing privilege (a start to the lxc patch is at
> > https://code.launchpad.net/~serge-hallyn/ubuntu/quantal/lxc/lxc-user-ns,
> > but the kernel patchset, at
> > http://kernel.ubuntu.com/git/serge/quantal-userns.git,
> > needs some more features).
> >
> > -serge
> >
> 
> 
> 
> -- 
> 
> Zhefeng Wang
> University of Science and Technology of China
> Email:zhefw...@gmail.com
> 
> In God we trust, all others bring data

_______________________________________________
Lxc-devel mailing list
Lxc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-devel