[lxc-users] sshd-keygen fails during container boot

Serge Hallyn serge.hallyn at ubuntu.com
Thu Dec 10 02:43:15 UTC 2015


Quoting Peter Steele (pwsteele at gmail.com):
> On 12/09/2015 01:56 PM, Peter Steele wrote:
> >On 12/09/2015 11:46 AM, Peter Steele wrote:
> >>On 12/09/2015 10:18 AM, Serge Hallyn wrote:
> >>>
> >>>I suppose just looking at the 'capsh --print' output difference for the
> >>>bounding set between the custom containers spawned by lxc and
> >>>libvirt-lxc could
> >>>be enlightening.
> >>Here's the diff:
> >>
> >># sdiff lxc libvirt
> >My apologies here. The output I had pasted in was nicely column
> >aligned, with spaces. Something got lost along the way...
> >
> >Peter
> >
> Actually, some tabs got mixed in. Hopefully this will look better:
> 
> cap_chown cap_chown
> cap_dac_override cap_dac_override
> cap_dac_read_search cap_dac_read_search
> cap_fowner cap_fowner
> cap_fsetid cap_fsetid
> cap_kill cap_kill
> cap_setgid cap_setgid
> cap_setuid cap_setuid
> cap_setpcap cap_setpcap
> cap_linux_immutable cap_linux_immutable
> cap_net_bind_service cap_net_bind_service
> cap_net_broadcast cap_net_broadcast
> cap_net_admin cap_net_admin
> cap_net_raw cap_net_raw
> cap_ipc_lock cap_ipc_lock
> cap_ipc_owner cap_ipc_owner
> > cap_sys_rawio

Looking through the systemd source, the only obvious thing is that
systemd won't mount configfs or debugfs without rawio.  That
doesn't sound relevant here though.

> cap_sys_chroot cap_sys_chroot
> cap_sys_ptrace cap_sys_ptrace
> > cap_sys_pacct
> cap_sys_admin cap_sys_admin
> cap_sys_boot cap_sys_boot
> > cap_sys_nice
> cap_sys_resource cap_sys_resource
> cap_sys_tty_config cap_sys_tty_config
> cap_mknod <

Ok, systemd does behave differently if it shouldn't be able
to create devices.  If you add
	lxc.cap.drop = mknod sys_rawio
to your configs does that help?

> cap_lease cap_lease
> cap_audit_write cap_audit_write
> cap_audit_control | cap_setfcap
> cap_setfcap,cap_syslog | cap_mac_override
> > cap_syslog
> 
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users
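An added example, not code from this thread, from LXC or from libvirt: a small Python script that performs the comparison Serge suggested at the top of the thread. It reads the `Bounding set =` line from two `capsh --print` captures, lists the capabilities that only one side holds, and prints the `lxc.cap.drop` line that would strip the surplus from the lxc container (lxc.cap.drop takes names without the `cap_` prefix). The two captures below are constructed samples shaped like real capsh output, not the columns Peter posted.

```python
"""Diff the capability bounding sets of two containers from `capsh --print` output.

Added example. The two captures are constructed samples that follow the line
format capsh prints ("Bounding set =cap_a,cap_b,..."); they are not the real
outputs from the thread. Only the "Bounding set" line is used.
"""
import re
from typing import FrozenSet, List, Tuple

# Constructed capsh output for a container started by lxc.
CAPSH_LXC = """\
Current: = cap_chown,cap_dac_override,cap_mknod,cap_audit_control,cap_sys_admin+ep
Bounding set =cap_chown,cap_dac_override,cap_mknod,cap_audit_control,cap_sys_admin,cap_setfcap
Securebits: 00/0x0/1'b0
"""

# Constructed capsh output for a container started by libvirt-lxc.
CAPSH_LIBVIRT = """\
Current: = cap_chown,cap_dac_override,cap_sys_rawio,cap_mac_override,cap_sys_admin+ep
Bounding set =cap_chown,cap_dac_override,cap_sys_rawio,cap_mac_override,cap_sys_admin,cap_setfcap
Securebits: 00/0x0/1'b0
"""

BOUNDING_RE = re.compile(r"^Bounding set\s*=\s*(.*)$", re.MULTILINE)


def bounding_set(capsh_output: str) -> FrozenSet[str]:
    """Extract the bounding set from capsh --print output as a set of cap_* names."""
    match = BOUNDING_RE.search(capsh_output)
    if match is None:
        raise ValueError("no 'Bounding set =' line found in capsh output")
    return frozenset(c.strip() for c in match.group(1).split(",") if c.strip())


def diff_bounding(left: FrozenSet[str], right: FrozenSet[str]) -> Tuple[List[str], List[str]]:
    """Return (only_in_left, only_in_right), sorted, like the two sides of sdiff."""
    return sorted(left - right), sorted(right - left)


def lxc_cap_drop_line(lxc_caps: FrozenSet[str], reference_caps: FrozenSet[str]) -> str:
    """Build the lxc.cap.drop line that removes every cap the lxc container has
    beyond the reference container. Returns "" when nothing needs dropping."""
    surplus = sorted(lxc_caps - reference_caps)
    if not surplus:
        return ""
    # lxc.cap.drop expects bare names: "mknod", not "cap_mknod".
    names = [c[len("cap_"):] if c.startswith("cap_") else c for c in surplus]
    return "lxc.cap.drop = " + " ".join(names)


def report(lxc_output: str, libvirt_output: str) -> str:
    """Human-readable summary of the differences plus the suggested config line."""
    lxc_caps = bounding_set(lxc_output)
    libvirt_caps = bounding_set(libvirt_output)
    only_lxc, only_libvirt = diff_bounding(lxc_caps, libvirt_caps)
    lines = [
        "only in lxc:     " + (", ".join(only_lxc) or "(none)"),
        "only in libvirt: " + (", ".join(only_libvirt) or "(none)"),
    ]
    drop = lxc_cap_drop_line(lxc_caps, libvirt_caps)
    if drop:
        lines.append("suggested: " + drop)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(CAPSH_LXC, CAPSH_LIBVIRT))
```

To use it on real containers, run `capsh --print` inside each one, save the outputs, and pass the two files' contents to `report()` in place of the constructed strings. Note that the script only proposes dropping what the lxc side has in surplus; capabilities present only on the libvirt side (here `cap_sys_rawio` and `cap_mac_override`) are reported but not added, since widening a bounding set is a decision to make deliberately rather than by script.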


More information about the lxc-users mailing list