Quoting Christian Brauner (christianvanbrau...@gmail.com):
Here is the original problem which I'm still experiencing with lxc 1.1:
w/ userns:
[root@fedora2 ~]# setcap 'cap_net_admin,cap_net_raw+ep' /usr/bin/ping
Failed to set capabilities on file `/usr/bin/ping' (Operation not permitted)
[root@fedora2 ~]# id
uid=0(root) gid=0(root) groups=0(root)
w/o userns:
[root@fedora2 ~]# setcap 'cap_net_admin,cap_net_raw+ep' /usr/bin/ping
[root@fedora2 ~]# getcap /usr/bin/ping
/usr/bin/ping = cap_net_admin,cap_net_raw+ep
[root@fedora2 ~]# id
uid=0(root) gid=0(root) groups=0(root)
every yum install pkg where the pkg has file capabilities fails with
Error unpacking rpm package PKG
error: unpacking of archive failed on file FILE: cpio: cap_set_file
is there a way to get this working?
(posted by Stephan Sachse)
The relevant threads are:
https://lists.linuxcontainers.org/pipermail/lxc-devel/2014-February/008220.html
and:
https://www.redhat.com/archives/libvir-list/2014-February/msg01545.html
Has there been a solution to this problem / an acceptable patch? Running
Fedora Rawhide unprivileged trying to install iputils still shows this behaviour.
The only way I can see this being done safely would be to have capability
sets be annotated with a kuid_t representing the root in the namespace
of the tasks who wrote the capabilities. No one is working on this. If
you want it, you'll need to write the patch and advocate for it.
-serge
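An added example, not from this thread: the on-disk layout of the security.capability xattr that setcap writes, encoded and decoded in Python so the plain value and the root-annotated one can be compared side by side. Constants and field order follow the kernel's uapi/linux/capability.h; the v3 revision's trailing rootid field is the per-namespace root kuid annotation Serge describes, and the container-root kuid 100000 used below is a constructed sample, not a value from the thread.

```python
import struct

# Layout of the security.capability xattr from uapi/linux/capability.h
# (struct vfs_cap_data / vfs_ns_cap_data; every field is a little-endian u32).
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x00000001
VFS_CAP_REVISION_2 = 0x02000000  # 20 bytes: magic + 2 x {permitted, inheritable}
VFS_CAP_REVISION_3 = 0x03000000  # 24 bytes: v2 layout + trailing rootid
CAP_NET_ADMIN, CAP_NET_RAW = 12, 13

def _mask_words(caps):
    """Split capability numbers into data[0] (caps 0-31) and data[1] (32-63)."""
    mask = sum(1 << c for c in caps)
    return mask & 0xFFFFFFFF, mask >> 32

def encode_caps(permitted, inheritable=(), effective=True, rootid=None):
    """Build a security.capability value: rootid=None gives a v2 value, an int
    gives a v3 value whose rootid is the kuid treated as root for these caps."""
    magic = VFS_CAP_REVISION_3 if rootid is not None else VFS_CAP_REVISION_2
    if effective:
        magic |= VFS_CAP_FLAGS_EFFECTIVE
    p_lo, p_hi = _mask_words(permitted)
    i_lo, i_hi = _mask_words(inheritable)
    blob = struct.pack("<IIIII", magic, p_lo, i_lo, p_hi, i_hi)
    return blob + (struct.pack("<I", rootid) if rootid is not None else b"")

def decode_caps(blob):
    """Decode a security.capability value, rejecting a size/revision mismatch."""
    magic, p_lo, i_lo, p_hi, i_hi = struct.unpack_from("<IIIII", blob)
    revision = magic & VFS_CAP_REVISION_MASK
    if revision == VFS_CAP_REVISION_2 and len(blob) == 20:
        rootid = None
    elif revision == VFS_CAP_REVISION_3 and len(blob) == 24:
        rootid = struct.unpack_from("<I", blob, 20)[0]
    else:
        raise ValueError("bad revision 0x%08x for %d-byte value" % (revision, len(blob)))
    permitted, inheritable = p_lo | (p_hi << 32), i_lo | (i_hi << 32)
    return {
        "revision": revision >> 24,
        "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE),
        "permitted": {c for c in range(64) if permitted >> c & 1},
        "inheritable": {c for c in range(64) if inheritable >> c & 1},
        "rootid": rootid,
    }

# Constructed sample: the caps setcap gave ping in the thread, annotated with a
# constructed container-root kuid of 100000 (v3); rootid=None yields plain v2.
USERNS_PING = encode_caps({CAP_NET_ADMIN, CAP_NET_RAW}, rootid=100000)
```

Reading the xattr back with decode_caps shows at a glance whether a file capability on a container rootfs is tied to a namespace root (v3 with rootid) or is an unannotated host-level v2 value.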
___
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel