On Sat, Feb 03, 2007 at 09:17:21PM +0100, Jean-Michel Caricand wrote:
> > On Sat, 3 Feb 2007 13:57:53 +0100
> > "Jean-Michel Caricand" <[EMAIL PROTECTED]> wrote:
> >
> > > I use this patch and this kernel: vs2.0.2.1, 2.6.17.13
> > >
> > > On my guest (lifc-svnlmd):
> > > -------------------------
> > >
> > > lifc-svnlmd:/# mount
> > > /dev/hdv1 on / type ufs (defaults)
> > > none on /proc type proc (0)
> > > none on /tmp type tmpfs (size=16m,mode=1777)
> > > none on /dev/pts type devpts (gid=5,mode=620)
> > > lifc-svnlmd:/#
> > >
> > > lifc-svnlmd:/# cat /proc/mounts
> > > rootfs / rootfs rw 0 0
> > > /dev/root / ext3 rw,data=ordered 0 0
> > > none /proc proc rw,nodiratime 0 0
> > > none /tmp tmpfs rw,nodev 0 0
> > > none /dev/pts devpts rw 0 0
> > > lifc-svnlmd:/#
> > >
> > > lifc-svnlmd:/# export LC_ALL=C LANG=C
> > > lifc-svnlmd:/# touch /tmp/toto; setfacl -m u:root:rxw /tmp/toto
> > > setfacl: /tmp/toto: Operation not supported
> > > lifc-svnlmd:/#
> > >
> > > Apparently, I can't use ACLs in my guest. I am surprised
> > > because I can use ACLs on the host (the root filesystem for the
> > > guest is mounted with ACL support on the host).
> > >
> > > On my host (lifcsys3):
> > > ---------------------
> > >
> > > lifcsys3:~# mount
> > > /dev/hda3 on / type ext3 (rw,errors=remount-ro)
> > > proc on /proc type proc (rw)
> > > sysfs on /sys type sysfs (rw)
> > > devpts on /dev/pts type devpts (rw,gid=5,mode=620)
> > > tmpfs on /dev/shm type tmpfs (rw)
> > > /dev/hda2 on /boot type ext3 (rw)
> > > /dev/mapper/host-usr on /usr type ext3 (rw)
> > > /dev/mapper/host-var on /var type ext3 (rw)
> > > /dev/mapper/host-lifc--webmail on /var/lib/vservers/lifc-webmail type ext3 (rw)
> > > /dev/mapper/host-lifc--glpi on /var/lib/vservers/lifc-glpi type ext3 (rw)
> > > /dev/mapper/host-lifc--darkvador on /var/lib/vservers/lifc-darkvador type ext3 (rw)
> > > usbfs on /proc/bus/usb type usbfs (rw)
> > > /dev/mapper/host-lifc--svnlmd on /var/lib/vservers/lifc-svnlmd type ext3 (rw,acl)
> > > lifcsys3:~#
> > >
> > > lifcsys3:~# cat /proc/mounts
> > > rootfs / rootfs rw 0 0
> > > /dev2/root2 / ext3 rw,data=ordered 0 0
> > > proc /proc proc rw,nodiratime 0 0
> > > sysfs /sys sysfs rw 0 0
> > > devpts /dev/pts devpts rw 0 0
> > > tmpfs /dev/shm tmpfs rw 0 0
> > > /dev/hda2 /boot ext3 rw,data=ordered 0 0
> > > /dev/mapper/host-usr /usr ext3 rw,data=ordered 0 0
> > > /dev/mapper/host-var /var ext3 rw,data=ordered 0 0
> > > /dev/host/lifc-webmail /var/lib/vservers/lifc-webmail ext3 rw,data=ordered 0 0
> > > /dev/host/lifc-glpi /var/lib/vservers/lifc-glpi ext3 rw,data=ordered 0 0
> > > /dev/host/lifc-darkvador /var/lib/vservers/lifc-darkvador ext3 rw,data=ordered 0 0
> > > usbfs /proc/bus/usb usbfs rw 0 0
> > > /dev/host/lifc-svnlmd /var/lib/vservers/lifc-svnlmd ext3 rw,data=ordered 0 0
> > > lifcsys3:~#
> > >
> > > lifcsys3:~# setfacl -m u:testuser:rwx /var/lib/vservers/lifc-svnlmd/tmp/toto
> > > lifcsys3:~# getfacl /var/lib/vservers/lifc-svnlmd/tmp/toto
> > > getfacl: Removing leading '/' from absolute path names
> > > # file: var/lib/vservers/lifc-svnlmd/tmp/toto
> > > # owner: root
> > > # group: root
> > > user::rw-
> > > user:testuser:rwx
> > > group::r--
> > > mask::rwx
> > > other::r--
> > >
> > > lifcsys3:~#
> > >
> > > If it's possible to use ACLs in a guest, where is my error?
> >
> > the difference is due to namespaces.
> >
> > when you write to /var/lib/vservers/lifc-svnlmd/tmp/ from context 0, you
> > are writing to the device /dev/host/lifc-svnlmd.
> >
> > when you write to /tmp from the context of the guest, you are writing to
> > the tmpfs.
> >
> > the tmpfs was mounted from the context of the guest, so context 0 (the
> > "host" or any other context) cannot see the mounted filesystem. instead,
> > the host is writing to the original filesystem, not the mounted filesystem,
> > as it cannot see it.
> >
> > but of course since the tmpfs filesystem is mounted within the context of
> > the guest, the guest can see and write to it. but the tmpfs was not
> > mounted with ACL support (if tmpfs even supports ACLs), so the guest cannot
> > use ACLs on the tmpfs, ie /tmp. try using ACLs somewhere else within
> > the guest and it should work.
> >
> > to better illustrate the point, do this:
> >
> > host# vserver guest start
> > host# vserver guest enter
> > guest# mkdir /tmp/foo
> > guest# touch /tmp/foo/bar
> > guest# vserver guest exit
> > host# ls -al /var/lib/vservers/guest/tmp/
> > host# touch /var/lib/vservers/guest/tmp/foo/bar
> >
> > the last command should generate an error for obvious reasons (after you
> > analyze the output of "ls -al" for the tmp directory and realize the "foo"
> > directory you created within the guest is not there, or at least not
> > visible/accessible from the host).
> >
> > this is no different than on a non-vserver host creating files within a
> > directory that serves as a mountpoint, then mounting a filesystem at that
> > mountpoint. the files you created within the directory are still there
> > (under the newly mounted filesystem), but you cannot see them.
> > as soon as you unmount the filesystem, you will again see the files within
> > the mountpoint directory. the only difference is that with vserver both the
> > mountpoint directory and the newly mounted filesystem are accessible at the
> > same time, just within different namespaces/contexts (host and guest).
> >
> > it's all about different namespaces. (and it really gets ugly when you
> > have to create an lvm snapshot within the context of the host, but mount it
> > within the context of several running guests, because you have to
> > separately mount it within every guest's namespace; see the "vnamespace"
> > command.)
> >
> > hope that helps clear things up.
> >
> > btw, i hate that useless default 16 MB tmpfs mount within the guests, and
> > removing it from /etc/vservers/guest/fstab is one of the first things i do
> > upon creating a new guest. is there some way to override the default (ie
> > is there a default fstab somewhere; yeah, i know, i'm lazy ;-).
> >
> > corey
> > --
> > [EMAIL PROTECTED]
> > _______________________________________________
> > Vserver mailing list
> > [email protected]
> > http://list.linux-vserver.org/mailman/listinfo/vserver
>
>
> Hi corey,
>
> Your explanation is very clear. I made a mistake when I chose the
> /tmp directory to test setfacl!
>
> As you said, setfacl works fine on another directory (I tested
> on /opt in my guest).
enabling ACLs (kernel config) for TMPFS will also allow those on /tmp,
given that your kernel is recent enough to _have_ that option :)

> Thanks again for the long explanation.
>
> Jean-Michel Caricand
> mail : [EMAIL PROTECTED]

please try to fix your mailer and posting style when you're at it,
with regard to ...

 - bottom/top posting
 - referenced mail IDs on replies

TIA,
Herbert
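As an added illustration of Corey's point (my own code, not from the thread or the util-vserver project): resolving a path to the mount that backs it is a longest-prefix match over /proc/mounts, done separately in each namespace, which is why the same file on disk is tmpfs inside the guest and ext3 from the host. The two listings are trimmed copies of the ones quoted above, and the guest root path is taken from them.

```python
from typing import List, NamedTuple, Optional

class Mount(NamedTuple):
    device: str
    mountpoint: str
    fstype: str
    options: frozenset

def parse_proc_mounts(text: str) -> List[Mount]:
    """Parse /proc/mounts lines: device mountpoint fstype options dump pass."""
    mounts = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4:
            continue  # blank or truncated line
        # /proc/mounts escapes a space in a mountpoint as \040
        mounts.append(Mount(f[0], f[1].replace("\\040", " "), f[2],
                            frozenset(f[3].split(","))))
    return mounts

def mount_for(path: str, mounts: List[Mount]) -> Optional[Mount]:
    """Longest mountpoint prefix of path on a component boundary; a later
    entry wins a tie because a mount stacked on top shadows the one below."""
    best = None
    for m in mounts:
        mp = m.mountpoint
        if mp == "/" or path == mp or path.startswith(mp + "/"):
            if best is None or len(mp) >= len(best.mountpoint):
                best = m
    return best

def backing(path: str, proc_mounts: str) -> tuple:
    """(device, fstype) the path lands on in the namespace described."""
    m = mount_for(path, parse_proc_mounts(proc_mounts))
    return (m.device, m.fstype) if m else ("?", "?")

# Constructed from the guest and host listings quoted in the thread.
GUEST_PROC_MOUNTS = """\
rootfs / rootfs rw 0 0
/dev/root / ext3 rw,data=ordered 0 0
none /tmp tmpfs rw,nodev 0 0
"""
HOST_PROC_MOUNTS = """\
rootfs / rootfs rw 0 0
/dev2/root2 / ext3 rw,data=ordered 0 0
/dev/host/lifc-svnlmd /var/lib/vservers/lifc-svnlmd ext3 rw,data=ordered 0 0
"""
GUEST_ROOT = "/var/lib/vservers/lifc-svnlmd"  # guest root as seen by the host
```

`backing("/tmp/toto", GUEST_PROC_MOUNTS)` gives the guest's tmpfs, while `backing(GUEST_ROOT + "/tmp/toto", HOST_PROC_MOUNTS)` gives the host's ext3 volume, which is the pair of views behind the setfacl difference; /opt in the guest resolves to /dev/root, where setfacl worked.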
