[lxc-users] setcap capabilities

Serge Hallyn serge.hallyn at ubuntu.com
Fri Feb 19 02:21:26 UTC 2016


Quoting Mark Constable (markc at renta.net):
> On 19/02/16 11:39, Serge Hallyn wrote:
> >>>>echo 0 > /proc/sys/fs/protected_hardlinks
> >>
> >>Thanks for the response Serge but this "problem" all but makes unpriv
> >>containers (xenial at least) unusable. Todays example...
> >>
> >>Unpacking systemd (229-1ubuntu2) over (228-5ubuntu3) ...
> >>dpkg: error processing archive /var/cache/apt/archives/systemd_229-1ubuntu2_amd64.deb (--unpack):
> >>  unable to make backup link of './bin/systemctl' before installing new version: Operation not permitted
> >
> >Are you using overlayfs clones?  Or using a readonly mount of the
> >host's / ?
> 
> No, nothing other than a stock standard launch on a btrfs host.
> 
> >Otherwise this shouldn't be happening.  I can hardlink
> >/bin/systemctl just fine as root in an unprivileged container.
> 
> Thanks for the clarification.
> 
> I'm using an old container that I have been upgrading for almost a year

What does ls -l /bin/systemctl show?

You can see the conditions under which the sysctl takes effect
in fs/namei.c:safe_hardlink_source()

> now so goodness knows what state it really is in. I'll launch another
> one from scratch and see if that fixes this issue without turning off
> /proc/sys/fs/protected_hardlinks.


More information about the lxc-users mailing list