[lxc-devel] setpcap
Serge Hallyn
serge.hallyn at ubuntu.com
Thu Jul 10 17:26:06 UTC 2014
Quoting Michael H. Warfield (mhw at WittsEnd.com):
> Hey Serge,
>
> On Thu, 2014-07-10 at 14:13 +0000, Serge Hallyn wrote:
> > Hi Michael,
>
> > https://bugs.launchpad.net/bugs/1339781 claims that
>
> > """creating a centos 7 container mostly worked using the template, but when
> > it was launched, it was really slow to run through most of the sysinit
> > tasks, and neither systemd-journald nor systemd-logind could start. The
> > error was something like "Error at step CAPABILITIES"."""
>
> > and that allowing setpcap fixes it. Two questions:
>
> > 1. Why is setpcap being dropped? It only allows moving caps from bounding
> > set to pI and dropping more caps from bounding set. It actually seems less
> > safe to disable it than to keep it enabled, as privileged tasks will be
> > unable to set things up right and run under a bad config - a la sendmail
> > capabilities bug.
>
> > 2. Would disabling the systemd journal service also fix this?
>
> Right now, the biggest problem with the CentOS template is that it has
> not been adapted for systemd yet. There is some preliminary stuff in

Oh, heh, so that'll be his problem then :)

So more generally, do you see any reason why any general distro template
should be disabling setpcap? It seems unhelpful and unsafe to boot...

> there but I just got done downloading the CentOS 7 images and haven't
> had time to even look at it yet and won't really have a chance over the
> next couple of weeks. I'm not surprised at all that there have been
> gotchas. I'll have to merge some of Dwight's work with the Oracle
> template and my stuff with the Fedora template into the CentOS template
> for CentOS 7.
>
> > -serge
>
> Regards,
> Mike
> --
> Michael H. Warfield (AI4NB) | (770) 978-7061 | mhw at WittsEnd.com
> /\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
> NIC whois: MHW9 | An optimist believes we live in the best of all
> PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
>
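The bounding-set semantics Serge's first question rests on (a task needs CAP_SETPCAP in its effective set before the kernel lets it drop anything from its bounding set) can be checked directly. The following is an added example, not code from the thread or from LXC; it assumes a Linux kernel, uses the raw capget(2) syscall instead of libcap, and picks CAP_NET_RAW as an arbitrary capability to drop. The function names are the example's own.

```c
/* Added example (not from the lxc-devel thread): shows that removing a
 * capability from the bounding set with prctl(PR_CAPBSET_DROP) is gated on
 * CAP_SETPCAP being in the caller's effective set. Linux only. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

/* Read the calling thread's effective capability set via capget(2).
 * Returns 1 if cap is effective, 0 if it is not, -1 if the syscall failed. */
int has_effective_cap(int cap)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];

    memset(data, 0, sizeof(data));
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    return (data[CAP_TO_INDEX(cap)].effective & CAP_TO_MASK(cap)) ? 1 : 0;
}

/* 1 if cap is still in the bounding set, 0 if it has been dropped,
 * -1 (errno set) if cap is not a valid capability number. */
int in_bounding_set(int cap)
{
    return prctl(PR_CAPBSET_READ, cap, 0, 0, 0);
}

/* Try to remove cap from the bounding set. Returns 0 on success or -errno;
 * without CAP_SETPCAP the kernel refuses with EPERM, which is the whole
 * reason a template that drops setpcap leaves a privileged init unable to
 * tighten its own capability set. */
int drop_from_bounding_set(int cap)
{
    if (prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) != 0)
        return -errno;
    return 0;
}

int main(void)
{
    int setpcap = has_effective_cap(CAP_SETPCAP);
    int r;

    printf("CAP_SETPCAP effective: %d\n", setpcap);
    printf("CAP_NET_RAW in bounding set before: %d\n",
           in_bounding_set(CAP_NET_RAW));
    r = drop_from_bounding_set(CAP_NET_RAW);
    printf("PR_CAPBSET_DROP(CAP_NET_RAW): %s\n",
           r == 0 ? "ok" : strerror(-r));
    printf("CAP_NET_RAW in bounding set after: %d\n",
           in_bounding_set(CAP_NET_RAW));
    return 0;
}
```

Run it once as an unprivileged user and once as root (or under a container config that keeps setpcap): the first run reports EPERM and an unchanged bounding set, the second succeeds and the capability disappears from the bounding set for this process and everything it later execs.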