[lxc-users] setcap capabilities
Mark Constable
markc at renta.net
Thu Feb 18 23:05:53 UTC 2016
On 19/02/16 02:32, Serge Hallyn wrote:
>> # for containers to allow suid exec
>> echo 0 > /proc/sys/fs/protected_hardlinks
>>
>> on the host but that is going to be awkward for folks who do not happen
>> to know this "trick" meaning generally trying to install the courier-mta
>> package on unpriv containers is going to fail in an ugly way that messes
>> up package install/upgrades.
>>
>> Any comment on how to make this easier to deal with?
>
> I'm afraid not. It's the exact case which the authors of the
> protected_hardlinks mechanism wanted to protect against...
Thanks for the response Serge but this "problem" all but makes unpriv
containers (xenial at least) unusable. Todays example...
Unpacking systemd (229-1ubuntu2) over (228-5ubuntu3) ...
dpkg: error processing archive /var/cache/apt/archives/systemd_229-1ubuntu2_amd64.deb (--unpack):
unable to make backup link of './bin/systemctl' before installing new version: Operation not permitted
dpkg-deb: error: subprocess paste was killed by signal (Broken pipe)
addgroup: The group `systemd-journal' already exists as a system group. Exiting.
Failed to set capabilities on file `/usr/bin/systemd-detect-virt' (Invalid argument)
The value of the capability argument is not permitted for a file. Or the file is not a regular (non-symlink) file
Processing triggers for ureadahead (0.100.0-19) ...
Processing triggers for dbus (1.10.6-1ubuntu1) ...
Errors were encountered while processing:
/var/cache/apt/archives/systemd_229-1ubuntu2_amd64.deb
E: Sub-process /usr/bin/dpkg returned an error code (1)
More information about the lxc-users
mailing list