On Sat, 3 Feb 2007 13:57:53 +0100 "Jean-Michel Caricand" <[EMAIL PROTECTED]> wrote:
> I use this path and this kernel : vs2.0.2.1, 2.6.17.13
>
> On my guest (lifc-svnlmd) :
> -------------------------
>
> lifc-svnlmd:/# mount
> /dev/hdv1 on / type ufs (defaults)
> none on /proc type proc (0)
> none on /tmp type tmpfs (size=16m,mode=1777)
> none on /dev/pts type devpts (gid=5,mode=620)
> lifc-svnlmd:/#
>
> lifc-svnlmd:/# cat /proc/mounts
> rootfs / rootfs rw 0 0
> /dev/root / ext3 rw,data=ordered 0 0
> none /proc proc rw,nodiratime 0 0
> none /tmp tmpfs rw,nodev 0 0
> none /dev/pts devpts rw 0 0
> lifc-svnlmd:/#
>
> lifc-svnlmd:/# export LC_ALL=C LANG=C
> lifc-svnlmd:/# touch /tmp/toto; setfacl -m u:root:rxw /tmp/toto
> setfacl: /tmp/toto: Operation not supported
> lifc-svnlmd:/#
>
> Apparently, I can't use ACLs in my guest. I am surprised
> because I can use ACLs on the host (the root filesystem for the
> guest is mounted with ACL support on the host).
>
> On my host (lifcsys3) :
> ---------------------
>
> lifcsys3:~# mount
> /dev/hda3 on / type ext3 (rw,errors=remount-ro)
> proc on /proc type proc (rw)
> sysfs on /sys type sysfs (rw)
> devpts on /dev/pts type devpts (rw,gid=5,mode=620)
> tmpfs on /dev/shm type tmpfs (rw)
> /dev/hda2 on /boot type ext3 (rw)
> /dev/mapper/host-usr on /usr type ext3 (rw)
> /dev/mapper/host-var on /var type ext3 (rw)
> /dev/mapper/host-lifc--webmail on /var/lib/vservers/lifc-webmail type ext3 (rw)
> /dev/mapper/host-lifc--glpi on /var/lib/vservers/lifc-glpi type ext3 (rw)
> /dev/mapper/host-lifc--darkvador on /var/lib/vservers/lifc-darkvador type ext3 (rw)
> usbfs on /proc/bus/usb type usbfs (rw)
> /dev/mapper/host-lifc--svnlmd on /var/lib/vservers/lifc-svnlmd type ext3 (rw,acl)
> lifcsys3:~#
>
> lifcsys3:~# cat /proc/mounts
> rootfs / rootfs rw 0 0
> /dev2/root2 / ext3 rw,data=ordered 0 0
> proc /proc proc rw,nodiratime 0 0
> sysfs /sys sysfs rw 0 0
> devpts /dev/pts devpts rw 0 0
> tmpfs /dev/shm tmpfs rw 0 0
> /dev/hda2 /boot ext3 rw,data=ordered 0 0
> /dev/mapper/host-usr /usr ext3 rw,data=ordered 0 0
> /dev/mapper/host-var /var ext3 rw,data=ordered 0 0
> /dev/host/lifc-webmail /var/lib/vservers/lifc-webmail ext3 rw,data=ordered 0 0
> /dev/host/lifc-glpi /var/lib/vservers/lifc-glpi ext3 rw,data=ordered 0 0
> /dev/host/lifc-darkvador /var/lib/vservers/lifc-darkvador ext3 rw,data=ordered 0 0
> usbfs /proc/bus/usb usbfs rw 0 0
> /dev/host/lifc-svnlmd /var/lib/vservers/lifc-svnlmd ext3 rw,data=ordered 0 0
> lifcsys3:~#
>
> lifcsys3:~# setfacl -m u:testuser:rwx /var/lib/vservers/lifc-svnlmd/tmp/toto
> lifcsys3:~# getfacl /var/lib/vservers/lifc-svnlmd/tmp/toto
> getfacl: Removing leading '/' from absolute path names
> # file: var/lib/vservers/lifc-svnlmd/tmp/toto
> # owner: root
> # group: root
> user::rw-
> user:testuser:rwx
> group::r--
> mask::rwx
> other::r--
>
> lifcsys3:~#
>
> If it's possible to use ACLs in a guest, where is my error ?

The difference is due to namespaces. When you write to /var/lib/vservers/lifc-svnlmd/tmp/ from context 0, you are writing to the device /dev/host/lifc-svnlmd. When you write to /tmp from the context of the guest, you are writing to the tmpfs. The tmpfs was mounted from the context of the guest, so context 0 (the "host" or any other context) cannot see the mounted filesystem. Instead, the host is writing to the original filesystem, not the mounted filesystem, as it cannot see it. But of course, since the tmpfs filesystem is mounted within the context of the guest, the guest can see and write to it. But the tmpfs was not mounted with ACL support (if tmpfs even supports ACLs), so the guest cannot use ACLs on the tmpfs, i.e. /tmp. Try using ACLs somewhere else within the guest and it should work.

To better illustrate the point, do this:

host# vserver guest start
host# vserver guest enter
guest# mkdir /tmp/foo
guest# touch /tmp/foo/bar
guest# vserver guest exit
host# ls -al /var/lib/vservers/guest/tmp/
host# touch /var/lib/vservers/guest/tmp/foo/bar

The last command should generate an error for obvious reasons (after you analyze the output of "ls -al" for the tmp directory and realize the "foo" directory you created within the guest is not there, or at least not visible/accessible from the host).

This is no different than, on a non-vserver host, creating files within a directory that serves as a mountpoint, then mounting a filesystem at that mountpoint. The files you created within the directory are still there (under the newly mounted filesystem), but you cannot see them. As soon as you unmount the filesystem, you will again see the files within the mountpoint directory. The only difference is that with vserver both the mountpoint directory and the newly mounted filesystem are accessible at the same time, just within different namespaces/contexts (host and guest). It's all about different namespaces.

(And it really gets ugly when you have to create an LVM snapshot within the context of the host, but mount it within the context of several running guests, because you have to separately mount it within every guest's namespace; see the "vnamespace" command.)

Hope that helps clear things up.

btw, I hate that useless default 16 MB tmpfs mount within the guests, and removing it from /etc/vservers/guest/fstab is one of the first things I do upon creating a new guest. Is there some way to override the default (i.e. is there a default fstab somewhere; yeah, I know, I'm lazy ;-)?

corey
-- 
[EMAIL PROTECTED]

_______________________________________________
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver