> On Sat, 3 Feb 2007 13:57:53 +0100
> "Jean-Michel Caricand" <[EMAIL PROTECTED]> wrote:
>
> > I use this patch and this kernel : vs2.0.2.1, 2.6.17.13
> >
> > On my guest (lifc-svnlmd) :
> > -------------------------
> >
> > lifc-svnlmd:/# mount
> > /dev/hdv1 on / type ufs (defaults)
> > none on /proc type proc (0)
> > none on /tmp type tmpfs (size=16m,mode=1777)
> > none on /dev/pts type devpts (gid=5,mode=620)
> > lifc-svnlmd:/#
> >
> > lifc-svnlmd:/# cat /proc/mounts
> > rootfs / rootfs rw 0 0
> > /dev/root / ext3 rw,data=ordered 0 0
> > none /proc proc rw,nodiratime 0 0
> > none /tmp tmpfs rw,nodev 0 0
> > none /dev/pts devpts rw 0 0
> > lifc-svnlmd:/#
> >
> > lifc-svnlmd:/# export LC_ALL=C LANG=C
> > lifc-svnlmd:/# touch /tmp/toto; setfacl -m u:root:rxw /tmp/toto
> > setfacl: /tmp/toto: Operation not supported
> > lifc-svnlmd:/#
> >
> > Apparently, I can't use ACLs in my guest. I am surprised
> > because I can use ACLs on the host (the root filesystem for the
> > guest is mounted with ACL support on the host).
> >
> > On my host (lifcsys3) :
> > ---------------------
> >
> > lifcsys3:~# mount
> > /dev/hda3 on / type ext3 (rw,errors=remount-ro)
> > proc on /proc type proc (rw)
> > sysfs on /sys type sysfs (rw)
> > devpts on /dev/pts type devpts (rw,gid=5,mode=620)
> > tmpfs on /dev/shm type tmpfs (rw)
> > /dev/hda2 on /boot type ext3 (rw)
> > /dev/mapper/host-usr on /usr type ext3 (rw)
> > /dev/mapper/host-var on /var type ext3 (rw)
> > /dev/mapper/host-lifc--webmail on /var/lib/vservers/lifc-webmail type ext3 (rw)
> > /dev/mapper/host-lifc--glpi on /var/lib/vservers/lifc-glpi type ext3 (rw)
> > /dev/mapper/host-lifc--darkvador on /var/lib/vservers/lifc-darkvador type ext3 (rw)
> > usbfs on /proc/bus/usb type usbfs (rw)
> > /dev/mapper/host-lifc--svnlmd on /var/lib/vservers/lifc-svnlmd type ext3 (rw,acl)
> > lifcsys3:~#
> >
> > lifcsys3:~# cat /proc/mounts
> > rootfs / rootfs rw 0 0
> > /dev2/root2 / ext3 rw,data=ordered 0 0
> > proc /proc proc rw,nodiratime 0 0
> > sysfs /sys sysfs rw 0 0
> > devpts /dev/pts devpts rw 0 0
> > tmpfs /dev/shm tmpfs rw 0 0
> > /dev/hda2 /boot ext3 rw,data=ordered 0 0
> > /dev/mapper/host-usr /usr ext3 rw,data=ordered 0 0
> > /dev/mapper/host-var /var ext3 rw,data=ordered 0 0
> > /dev/host/lifc-webmail /var/lib/vservers/lifc-webmail ext3 rw,data=ordered 0 0
> > /dev/host/lifc-glpi /var/lib/vservers/lifc-glpi ext3 rw,data=ordered 0 0
> > /dev/host/lifc-darkvador /var/lib/vservers/lifc-darkvador ext3 rw,data=ordered 0 0
> > usbfs /proc/bus/usb usbfs rw 0 0
> > /dev/host/lifc-svnlmd /var/lib/vservers/lifc-svnlmd ext3 rw,data=ordered 0 0
> > lifcsys3:~#
> >
> > lifcsys3:~# setfacl -m u:testuser:rwx /var/lib/vservers/lifc-svnlmd/tmp/toto
> > lifcsys3:~# getfacl /var/lib/vservers/lifc-svnlmd/tmp/toto
> > getfacl: Removing leading '/' from absolute path names
> > # file: var/lib/vservers/lifc-svnlmd/tmp/toto
> > # owner: root
> > # group: root
> > user::rw-
> > user:testuser:rwx
> > group::r--
> > mask::rwx
> > other::r--
> >
> > lifcsys3:~#
> >
> > If it's possible to use ACLs in a guest, where is my error ?
>
> the difference is due to namespaces.
>
> when you write to /var/lib/vservers/lifc-svnlmd/tmp/ from context 0, you
> are writing to the device /dev/host/lifc-svnlmd.
>
> when you write to /tmp from the context of the guest, you are writing to
> the tmpfs.
>
> the tmpfs was mounted from the context of the guest, so context 0 (the
> "host" or any other context) cannot see the mounted filesystem. instead,
> the host is writing to the original filesystem, not the mounted filesystem,
> as it cannot see it.
>
> but of course since the tmpfs filesystem is mounted within the context of
> the guest, the guest can see and write to it. but the tmpfs was not
> mounted with ACL support (if tmpfs even supports ACLs), so the guest cannot
> use ACLs on the tmpfs, ie /tmp. try using ACLs somewhere else within
> the guest and it should work.
>
> to better illustrate the point, do this:
>
> host# vserver guest start
> host# vserver guest enter
> guest# mkdir /tmp/foo
> guest# touch /tmp/foo/bar
> guest# vserver guest exit
> host# ls -al /var/lib/vservers/guest/tmp/
> host# touch /var/lib/vservers/guest/tmp/foo/bar
>
> the last command should generate an error for obvious reasons (after you
> analyze the output of "ls -al" for the tmp directory and realize the "foo"
> directory you created within the guest is not there, or at least not
> visible/accessible from the host).
>
> this is no different than on a non-vserver host creating files within a
> directory that serves as a mountpoint, then mounting a filesystem at that
> mountpoint. the files you created within the directory are still there
> (under the newly mounted filesystem), but you cannot see them. as soon as
> you unmount the filesystem, you will again see the files within the
> mountpoint directory. the only difference is that with vserver both the
> mountpoint directory and the newly mounted filesystem are accessible at the
> same time, just within different namespaces/contexts (host and guest).
>
> it's all about different namespaces. (and it really gets ugly when you
> have to create an LVM snapshot within the context of the host, but mount it
> within the context of several running guests, because you have to
> separately mount it within every guest's namespace; see the "vnamespace"
> command.)
>
> hope that helps clear things up.
>
> btw, i hate that useless default 16 MB tmpfs mount within the guests, and
> removing it from /etc/vservers/guest/fstab is one of the first things i do
> upon creating a new guest. is there some way to override the default (ie
> is there a default fstab somewhere; yeah, i know, i'm lazy ;-).
>
> corey
> --
> [EMAIL PROTECTED]
> _______________________________________________
> Vserver mailing list
> [email protected]
> http://list.linux-vserver.org/mailman/listinfo/vserver
Hi corey,

Your explanations are very clear. I made a mistake when I chose the /tmp
directory to test setfacl! As you say, setfacl works fine on another
directory (I tested on /opt in my guest).

Thanks again for the long explanation.

Jean-Michel Caricand
mail : [EMAIL PROTECTED]
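The namespace point corey makes above (the same guest file resolves to the guest's tmpfs from inside the guest and to the ext3 volume /dev/host/lifc-svnlmd from the host) can be checked mechanically against the two /proc/mounts listings in the thread. The example below is added here and is not code from the thread or from the Linux-VServer project: it parses a /proc/mounts listing and resolves which mount a path lands on the way the kernel does (deepest mountpoint wins, later mounts on the same point shadow earlier ones). The guest listing is copied from Jean-Michel's post; the host listing is abridged to the relevant entries; the function and constant names are my own.

```python
"""Resolve which mount a path lands on, per mount namespace.

Added example, not from the mailing-list thread. The /proc/mounts text is
copied from the thread (host listing abridged); helper names are mine.
"""
import posixpath
from typing import FrozenSet, List, NamedTuple, Optional

# /proc/mounts as seen inside the guest lifc-svnlmd (from the thread).
GUEST_PROC_MOUNTS = """\
rootfs / rootfs rw 0 0
/dev/root / ext3 rw,data=ordered 0 0
none /proc proc rw,nodiratime 0 0
none /tmp tmpfs rw,nodev 0 0
none /dev/pts devpts rw 0 0
"""

# /proc/mounts as seen on the host lifcsys3 (from the thread, abridged
# to the entries that matter for the guest's tree).
HOST_PROC_MOUNTS = """\
rootfs / rootfs rw 0 0
/dev2/root2 / ext3 rw,data=ordered 0 0
/dev/mapper/host-var /var ext3 rw,data=ordered 0 0
/dev/host/lifc-svnlmd /var/lib/vservers/lifc-svnlmd ext3 rw,data=ordered 0 0
"""

# Where the guest's root directory sits in the host's namespace (from the thread).
GUEST_ROOT_ON_HOST = "/var/lib/vservers/lifc-svnlmd"


class Mount(NamedTuple):
    device: str
    mountpoint: str
    fstype: str
    options: FrozenSet[str]


def parse_proc_mounts(text: str) -> List[Mount]:
    """Parse the first four columns of each /proc/mounts line, keeping order."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        device, mountpoint, fstype, opts = fields[:4]
        # /proc/mounts writes a space inside a path as the octal escape \040.
        mountpoint = mountpoint.replace("\\040", " ")
        mounts.append(Mount(device, mountpoint, fstype, frozenset(opts.split(","))))
    return mounts


def resolve_mount(mounts: List[Mount], path: str) -> Optional[Mount]:
    """Return the mount that `path` lives on in the namespace `mounts` describes.

    The longest mountpoint that is a prefix of the (normalised) path wins,
    because the kernel follows mounts down to the deepest one. Among equally
    long matches the later /proc/mounts entry wins: a filesystem mounted later
    on the same point shadows the earlier one, exactly the case corey describes.
    """
    path = posixpath.normpath(path)
    best = None
    for m in mounts:
        mp = m.mountpoint
        if mp == "/" or path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) >= len(best.mountpoint):
                best = m
    return best


def guest_path_from_both_sides(guest_path: str) -> dict:
    """Resolve one guest path inside the guest's namespace and from the host's."""
    inside = resolve_mount(parse_proc_mounts(GUEST_PROC_MOUNTS), guest_path)
    host_path = posixpath.join(GUEST_ROOT_ON_HOST, guest_path.lstrip("/"))
    outside = resolve_mount(parse_proc_mounts(HOST_PROC_MOUNTS), host_path)
    return {"guest_path": guest_path, "inside": inside,
            "host_path": host_path, "outside": outside}


if __name__ == "__main__":
    for p in ("/tmp/toto", "/opt/toto"):
        v = guest_path_from_both_sides(p)
        print(f"{v['guest_path']:<10} guest sees {v['inside'].fstype} on "
              f"{v['inside'].device}; host sees {v['outside'].fstype} on "
              f"{v['outside'].device} at {v['host_path']}")
```

For /tmp/toto the two views disagree (tmpfs inside the guest, the ext3 volume from the host), which is why setfacl on the host succeeded on a different file than the one the guest's setfacl touched; for /opt/toto both views land on ext3, matching the working test on /opt. The practical check is therefore to read /proc/mounts from inside the guest's own namespace before deciding whether ACLs (or any other mount-dependent property) apply to a path, since the host's view cannot see mounts made in the guest's context.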
