[lxc-devel] [Lxc-users] lxc-setcap doesn't work in ubuntu 12.04

Serge Hallyn serge.hallyn at canonical.com
Fri Jun 29 15:07:31 UTC 2012


Ah, I see the problem.  src/lxc/caps.c:lxc_caps_up() isn't detecting
supported capabilities correctly.  When it gets -EINVAL for
cap_get_flags(), it should take that as a hint that the capability
is not supported by the kernel.  Instead it exits with failure.

The reason you're not seeing this on redhat/centos is, presumably,
that its package was built where /usr/include/linux/capability.h
was older (matching its older kernel).  On precise, capability.h
includes up to cap 35 which must not be supported in the kernel.

This is the unfortunate effect of the fact that /sys/security/capability/
was never merged.  (Now that I'm listed as maintainer, maybe I should
re-try to merge that)  But lxc can work around this better.

I'll send out a patch for this.  (When I can - may not be until
end of next week, so if someone else wants to, please feel free)

-serge

Quoting Sam Wang (zhefwang at gmail.com):
> Firstly, I execute lxc-setcap as root, then I execute lxc-execute as normal
> user, but it turns out to be an error which says it doesn't run with proper
> privilege. What's more, it still doesn't work even after I execute lxc-setuid
> as root.
> However, when I use lxc in centos and redhat, after I execute lxc-setcap, I
> can execute lxc-execute without privilege.
> 
> 2012/6/29 Serge Hallyn <serge.hallyn at canonical.com>
> 
> > Quoting Sam Wang (zhefwang at gmail.com):
> > > I know it can not work with shell scripts and it can not work with binary
> > > executable file.
> >
> > It can work with binary executables, but of course the capabilities won't
> > persist across execve, which may be what you meant.
> >
> > > such as lxc-execute.I used lxc in centos 6.2 and red hat
> > > 6.1,it did work.
> >
> > Then please define 'did not work' in ubuntu.
> >
> > > btw: the version of lxc is 0.7.5 installed by apt-get install
> >
> > In any case, you'll "soon" be able to use user namespaces to start
> > containers without needing privilege (a start to the lxc patch is at
> > https://code.launchpad.net/~serge-hallyn/ubuntu/quantal/lxc/lxc-user-ns,
> > but the kernel patchset, at
> > http://kernel.ubuntu.com/git/serge/quantal-userns.git ,
> > needs some more features).
> >
> > -serge
> >
> 
> 
> 
> -- 
> 
> Zhefeng Wang
> University of Science and Technology of China
> Email:zhefwang at gmail.com
> 
> In God we trust, all others bring data
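The detection problem Serge describes (a capability.h newer than the running kernel, and EINVAL from the probe call meaning "unsupported" rather than "fatal") can be illustrated without libcap. The following is an added example, not lxc's own caps.c code; it assumes prctl(PR_CAPBSET_READ) as the probe, which the kernel rejects with EINVAL for a capability number it does not know.

```c
/* Added example (not lxc's code): find the highest capability number the
 * running kernel supports, instead of trusting CAP_LAST_CAP from the build
 * host's linux/capability.h. The probe is prctl(PR_CAPBSET_READ, cap): a
 * capability the kernel does not know about fails with EINVAL, which is
 * treated as "stop here", not as an error. */
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <linux/capability.h>

/* 1 if the kernel knows this capability number, 0 if it does not (EINVAL),
 * -1 on any other failure (e.g. a kernel too old for PR_CAPBSET_READ). */
static int cap_known_to_kernel(int cap)
{
    int ret = prctl(PR_CAPBSET_READ, (unsigned long)cap, 0, 0, 0);
    if (ret >= 0)
        return 1;      /* valid cap; ret only says if it is in the bounding set */
    if (errno == EINVAL)
        return 0;      /* the kernel has no such capability: unsupported */
    return -1;
}

/* Highest capability the kernel supports, or -1 if probing is impossible.
 * Probes past the header's CAP_LAST_CAP as well, so a header that is older
 * than the kernel (the redhat/centos case) is also handled correctly. */
static int last_supported_cap(void)
{
    int last = -1;
    for (int cap = 0; cap < CAP_LAST_CAP + 64; cap++) {
        int known = cap_known_to_kernel(cap);
        if (known == 1) {
            last = cap;
            continue;
        }
        if (known == 0)
            break;     /* first EINVAL: every higher number is unsupported too */
        return -1;     /* unexpected errno: report, do not guess */
    }
    return last;
}

int main(void)
{
    int last = last_supported_cap();
    printf("header CAP_LAST_CAP=%d, kernel supports caps 0..%d\n",
           CAP_LAST_CAP, last);
    return last < 0;
}
```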