host: centos-6.5
kernel: 3.13.2-4.el6.x86_64
guest: fedora20
Since libvirt-1.2.2 I cannot shut down this domain. It works fine with
libvirt-1.2.1.
# virsh shutdown fedora2
error: Failed to shutdown domain fedora2
error: Mount namespaces are not available on this platform: Function
not implemented
trusted.* xattrs are only for CAP_SYS_ADMIN
[host] # setfattr -n trusted.me.md5 -v
d41d8cd98f00b204e9800998ecf8427e xattr-test
[host] # getfattr -m - -d xattr-test
# file: xattr-test
trusted.me.md5=d41d8cd98f00b204e9800998ecf8427e
[lxc] # getfattr -n trusted.me.md5 xattr-test
xattr-test:
The capable() function only succeeds in the primary host namespace.
The kernel uses ns_capable() in cases where container namespaces
are allowed to use capabilities.
So this indicates that the kernel guys didn't believe it to be
safe to allow use of the 'trusted' xattr namespace in
is not allowed to set
file capabilities
Signed-off-by: Stephan Sachse sac...@nugmbh.de
---
security/commoncap.c | 8
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/security/commoncap.c b/security/commoncap.c
index b9d613e..9efdbef 100644
--- a/security/commoncap.c
+++ b/security
w/ userns:
[root@fedora2 ~]# setcap 'cap_net_admin,cap_net_raw+ep' /usr/bin/ping
Failed to set capabilities on file `/usr/bin/ping' (Operation not permitted)
[root@fedora2 ~]# id
uid=0(root) gid=0(root) groups=0(root)
w/o userns:
[root@fedora2 ~]# setcap 'cap_net_admin,cap_net_raw+ep'
Can you check /proc/self/status to see the capabilities mask
you have.
[root@fedora2 ~]# cat /proc/self/status | grep ^Cap
CapInh:
CapPrm: 001db5fe
CapEff: 001db5fe
CapBnd: 001db5fe
[root@fedora2 ~]# capsh --print
Current: =ep
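Decoding the CapEff mask quoted above, as an added example that is not code from the thread: a parser for the Cap* lines of /proc/<pid>/status that reports which of the two capabilities the thread turns on are absent. The sample status text is constructed from the values shown above (CapInh was blank there, and the parser treats a blank field as an empty set); capability bit numbers are those of <linux/capability.h>. In 0x001db5fe neither bit 21 (cap_sys_admin, needed for trusted.* xattrs) nor bit 31 (cap_setfcap, needed to set file capabilities) is set.

```python
import re

# Capability bit numbers from <linux/capability.h>, CAP_CHOWN = 0 .. CAP_BLOCK_SUSPEND = 36
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend",
]

# Capabilities the thread turns on: trusted.* xattrs need CAP_SYS_ADMIN in the
# initial user namespace, and setting file capabilities needs CAP_SETFCAP.
NEEDED = {"sys_admin": "trusted.* xattrs", "setfcap": "file capabilities (setcap)"}

# Constructed sample; mask values copied from the thread, CapInh was blank there.
SAMPLE_STATUS = """Name:\tbash
CapInh:
CapPrm:\t001db5fe
CapEff:\t001db5fe
CapBnd:\t001db5fe
"""

CAP_LINE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]*)\s*$")


def decode_mask(hexmask):
    """Names of the capabilities whose bit is set in a Cap* hex mask."""
    value = int(hexmask, 16) if hexmask else 0  # blank field decodes as empty set
    return {name for bit, name in enumerate(CAP_NAMES) if (value >> bit) & 1}


def parse_status(text):
    """Map each Cap* field of a /proc/<pid>/status dump to its capability names."""
    caps = {}
    for line in text.splitlines():
        m = CAP_LINE.match(line)
        if m:
            caps[m.group(1)] = decode_mask(m.group(2))
    return caps


def missing_needed(caps):
    """Capabilities from NEEDED that are absent from CapEff, mapped to why they matter."""
    effective = caps.get("CapEff", set())
    return {cap: why for cap, why in NEEDED.items() if cap not in effective}


if __name__ == "__main__":
    for cap, why in missing_needed(parse_status(SAMPLE_STATUS)).items():
        print(f"missing cap_{cap}: cannot use {why}")
```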
what about this patch: [PATCH] lxc: Add virCgroupSetOwner()
http://thread.gmane.org/gmane.comp.emulators.libvirt/92811
Without this patch lxc + user namespace does not work with systemd.
/stephan
--
Software is like sex, it's better when it's free!
--
libvir-list mailing list
thanks, works for me.
/stephan
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
This patch works for me. The container is starting fine, but a login
(ssh/console) is not possible.
host: centos6
kernel: 3.13.2
libvirt: 1.2.1 (+ lxc: Add virCgroupSetOwner())
The container log says:
agetty[38]: /dev/tty1: cannot get controlling tty: Operation not permitted
agetty[38]: /dev/tty1:
agetty[38]: /dev/tty1: cannot get controlling tty: Operation not permitted
agetty[38]: /dev/tty1: cannot get controlling tty: Operation not permitted
agetty[38]: /dev/tty1: cannot set process group: Inappropriate ioctl for device
Is this really the reason why the login fails? Does getty not
systemctl mask console-getty.service fixes the console login problem.
sshd is still not working. DNS works fine in the container. UseDNS=no
fixes the sshd login problem. Crazy!
yet I cannot reach any clients on the LAN using their
lan hostname.domainname
ping host.name works for me
Next problem: on centos6 there is no systemd. The init of the
cgroups is handled by cgconfig. By default cgroups are mounted below
/cgroup. I changed /etc/cgconfig.conf to mount all cgroups below
/sys/fs/cgroup, but that's not enough for the systemd in the container.
I must add name=systemd =