[lxc-users] setcap capabilities

Serge Hallyn serge.hallyn at ubuntu.com
Fri Feb 19 01:39:38 UTC 2016


Quoting Mark Constable (markc at renta.net):
> On 19/02/16 02:32, Serge Hallyn wrote:
> >># for containers to allow suid exec
> >>echo 0 > /proc/sys/fs/protected_hardlinks
> >>
> >>on the host but that is going to be awkward for folks who do not happen
> >>to know this "trick" meaning generally trying to install the courier-mta
> >>package on unpriv containers is going to fail in an ugly way that messes
> >>up package install/upgrades.
> >>
> >>Any comment on how to make this easier to deal with?
> >
> >I'm afraid not.  It's the exact case which the authors of the
> >protected_hardlinks mechanism wanted to protect against...
> 
> Thanks for the response Serge but this "problem" all but makes unpriv
> containers (xenial at least) unusable. Today's example...
> 
> Unpacking systemd (229-1ubuntu2) over (228-5ubuntu3) ...
> dpkg: error processing archive /var/cache/apt/archives/systemd_229-1ubuntu2_amd64.deb (--unpack):
>  unable to make backup link of './bin/systemctl' before installing new version: Operation not permitted

Are you using overlayfs clones?  Or using a readonly mount of
the host's / ?  Otherwise this shouldn't be happening.  I can hardlink 
/bin/systemctl just fine as root in an unprivileged container.

> dpkg-deb: error: subprocess paste was killed by signal (Broken pipe)
> addgroup: The group `systemd-journal' already exists as a system group. Exiting.
> Failed to set capabilities on file `/usr/bin/systemd-detect-virt' (Invalid argument)
> The value of the capability argument is not permitted for a file. Or the file is not a regular (non-symlink) file
> Processing triggers for ureadahead (0.100.0-19) ...
> Processing triggers for dbus (1.10.6-1ubuntu1) ...
> Errors were encountered while processing:
>  /var/cache/apt/archives/systemd_229-1ubuntu2_amd64.deb
> E: Sub-process /usr/bin/dpkg returned an error code (1)

-serge
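To make the "owner or safe source" rule Serge is relying on concrete, here is a userspace model of the kernel's may_linkat() check behind fs.protected_hardlinks, together with a real link(2) attempt so the prediction can be compared with what the kernel does. This is an added example, not code from this thread or from LXC. It assumes the Linux 3.6+ semantics of the sysctl (owner, or a regular non-setuid, non-setgid-executable file the caller can read and write, or CAP_FOWNER in the initial user namespace); the heuristic for detecting CAP_FOWNER (CapEff bit plus an identity uid_map) and the sample file names are assumptions of the example.

```python
"""Userspace model of the fs.protected_hardlinks check (kernel may_linkat()).

Added example for illustration; not code from the lxc-users thread or LXC.
"""
import os
import stat
import tempfile

CAP_FOWNER = 3  # bit index from linux/capability.h


def protected_hardlinks_enabled():
    """Read the live sysctl; absent (old kernel, non-Linux) means unrestricted."""
    try:
        with open("/proc/sys/fs/protected_hardlinks") as f:
            return f.read().strip() == "1"
    except OSError:
        return False


def owner_uid(path):
    return os.stat(path).st_uid


def safe_hardlink_source(path):
    """Mirror of the kernel's safe_hardlink_source(): (ok, reason)."""
    mode = os.stat(path).st_mode
    if not stat.S_ISREG(mode):
        return False, "not a regular file"
    if mode & stat.S_ISUID:
        return False, "setuid"
    if (mode & (stat.S_ISGID | stat.S_IXGRP)) == (stat.S_ISGID | stat.S_IXGRP):
        return False, "setgid executable"
    # inode_permission(MAY_READ|MAY_WRITE); root with DAC override passes too
    if not os.access(path, os.R_OK | os.W_OK):
        return False, "not readable and writable by caller"
    return True, "safe"


def have_cap_fowner_in_init_ns():
    """capable(CAP_FOWNER) is checked against the initial user namespace, so
    root inside an unprivileged container does not pass it.  Heuristic
    (assumption): CapEff bit set AND an identity uid_map."""
    try:
        cap_eff = 0
        with open("/proc/self/status") as f:
            for line in f:
                if line.startswith("CapEff:"):
                    cap_eff = int(line.split()[1], 16)
        with open("/proc/self/uid_map") as f:
            uid_map = f.read().split()
    except OSError:
        return False
    return bool((cap_eff >> CAP_FOWNER) & 1) and uid_map == ["0", "0", "4294967295"]


def may_linkat(path, protected=None, fsuid=None, cap_fowner=None):
    """(allowed, reason).  Arguments default to the live process; pass them
    explicitly to model another caller, e.g. container root linking a
    setuid file owned by an unmapped host uid."""
    if protected is None:
        protected = protected_hardlinks_enabled()
    if fsuid is None:
        fsuid = os.geteuid()
    if cap_fowner is None:
        cap_fowner = have_cap_fowner_in_init_ns()
    if not protected:
        return True, "fs.protected_hardlinks=0"
    if fsuid == owner_uid(path):
        return True, "caller owns the source inode"
    ok, why = safe_hardlink_source(path)
    if ok:
        return True, "safe source"
    if cap_fowner:
        return True, "CAP_FOWNER in the initial user namespace"
    return False, "EPERM: " + why


def try_link(src, dst):
    """Predict with the model, then really call link(2): (predicted, actual, reason)."""
    predicted, reason = may_linkat(src)
    try:
        os.link(src, dst)
        actual = True
    except PermissionError:
        actual = False
    return predicted, actual, reason


def make_sample_tree():
    """Constructed sample: a plain 0755 binary and a 4755 (setuid) one.
    Returns (dir, plain_path, suid_path)."""
    d = tempfile.mkdtemp(prefix="hardlink-demo-")
    plain = os.path.join(d, "systemctl")      # hypothetical name
    suid = os.path.join(d, "courier-suid")    # hypothetical name
    for p, mode in ((plain, 0o755), (suid, 0o4755)):
        open(p, "w").close()
        os.chmod(p, mode)
    return d, plain, suid


if __name__ == "__main__":
    d, plain, suid = make_sample_tree()
    for p in (plain, suid):
        print(p, "live:", try_link(p, p + ".dpkg-tmp"),
              "unmapped-uid model:", may_linkat(p, protected=True,
                                                fsuid=owner_uid(p) + 1,
                                                cap_fowner=False))
```

The "unmapped-uid model" column is the container case from the thread: dpkg's backup link of a setuid file fails with EPERM when the file's owner is not the container's fsuid (read-only host mount, overlay lower layer owned by host root), while the same call succeeds when container root owns the inode, which is what Serge observes for /bin/systemctl.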

