[lxc-devel] setpcap

Michael H. Warfield mhw at WittsEnd.com
Thu Jul 10 16:18:04 UTC 2014


Hey Serge,

On Thu, 2014-07-10 at 14:13 +0000, Serge Hallyn wrote:
> Hi Michael,

> https://bugs.launchpad.net/bugs/1339781 claims that

> """creating a centos 7 container mostly worked using the template, but when
> it was launched, it was really slow to run through most of the sysinit
> tasks, and neither systemd-journald nor systemd-logind could start. The
> error was something like "Error at step CAPABILITIES"."""

> and that allowing setpcap fixes it.  Two questions:

> 1. Why is setpcap being dropped?  It only allows moving caps from bounding
> set to pI and dropping more caps from bounding set.  It actually seems less
> safe to disable it than to keep it enabled, as privileged tasks will be
> unable to set things up right and run under a bad config - a la sendmail
> capabilities bug.

> 2. Would disabling the systemd journal service also fix this?

Right now, the biggest problem with the CentOS template is that it has
not been adapted for systemd yet.  There is some preliminary stuff in
there but I just got done downloading the CentOS 7 images and haven't
had time to even look at it yet and won't really have a chance over the
next couple of weeks.  I'm not surprised at all that there have been
gotchas.  I'll have to merge some of Dwight's work with the Oracle
template and my stuff with the Fedora template into the CentOS template
for CentOS 7.

> -serge

Regards,
Mike
-- 
Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
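Added example, not part of this thread or of LXC's own code: a small C program that shows the two things Serge's first question turns on. It decodes the CapBnd line of a /proc/<pid>/status file (a constructed sample is embedded, representing a task whose bounding set lacks CAP_SETPCAP), asks the kernel directly via prctl(PR_CAPBSET_READ) whether CAP_SETPCAP is in the current task's bounding set, and attempts prctl(PR_CAPBSET_DROP), which is exactly the "drop more caps from the bounding set" operation that needs CAP_SETPCAP. The function and sample names are this example's own.

```c
/* Added example (not from the lxc-devel thread or LXC's sources).
 * Checks whether CAP_SETPCAP is present in a bounding set and shows that
 * tightening the bounding set with prctl(PR_CAPBSET_DROP) requires it. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <linux/capability.h>

/* Parse the "CapBnd:\t<hex>" line out of /proc/<pid>/status text.
 * Returns 1 and stores the mask on success, 0 if the line is absent. */
int parse_capbnd(const char *status_text, uint64_t *mask)
{
    const char *p = strstr(status_text, "CapBnd:");
    if (!p)
        return 0;
    p += strlen("CapBnd:");
    *mask = strtoull(p, NULL, 16);   /* strtoull skips the leading tab */
    return 1;
}

/* 1 if capability number `cap` is set in `mask`, else 0. */
int mask_has_cap(uint64_t mask, int cap)
{
    return (int)((mask >> cap) & 1ULL);
}

/* Ask the kernel: 1 = in this task's bounding set, 0 = dropped,
 * -1 (errno EINVAL) = not a valid capability number. */
int cap_in_bounding_set(int cap)
{
    return prctl(PR_CAPBSET_READ, (unsigned long)cap, 0UL, 0UL, 0UL);
}

/* Try to drop `cap` from this task's bounding set. Returns 0 on success
 * or the errno value. EPERM means the caller lacks CAP_SETPCAP, which is
 * the state a container started without setpcap leaves its init in:
 * it cannot tighten its own bounding set before starting services. */
int try_drop_from_bounding_set(int cap)
{
    if (prctl(PR_CAPBSET_DROP, (unsigned long)cap, 0UL, 0UL, 0UL) == 0)
        return 0;
    return errno;
}

/* Constructed sample of a status file: the full 37-capability set
 * (0x3fffffffff) with CAP_SETPCAP (bit 8) cleared. */
static const char sample_status[] =
    "Name:\tsystemd\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000003ffffffeff\n"
    "CapEff:\t0000003ffffffeff\n"
    "CapBnd:\t0000003ffffffeff\n";

/* Convenience wrapper over the sample: 1/0, or -1 if CapBnd is missing. */
int sample_has_setpcap(void)
{
    uint64_t mask = 0;
    if (!parse_capbnd(sample_status, &mask))
        return -1;
    return mask_has_cap(mask, CAP_SETPCAP);
}

int main(void)
{
    printf("sample CapBnd contains CAP_SETPCAP: %s\n",
           sample_has_setpcap() == 1 ? "yes" : "no");
    printf("this task, CAP_SETPCAP in bounding set: %d\n",
           cap_in_bounding_set(CAP_SETPCAP));
    int rc = try_drop_from_bounding_set(CAP_SYS_MODULE);
    printf("drop CAP_SYS_MODULE from bounding set: %s\n",
           rc == 0 ? "ok" : strerror(rc));
    return 0;
}
```

Run it as the container's root to see the two outcomes side by side: with setpcap available the drop succeeds and the bounding set gets smaller; without it the drop fails with EPERM, which is the same wall systemd hits when it tries to set up per-service capabilities. In LXC 1.0 the bounding set a container starts with is shaped by the template's `lxc.cap.drop` line, so whether `setpcap` appears there is what decides which case you are in.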
