[lxc-users] setcap capabilities
Serge Hallyn
serge.hallyn at ubuntu.com
Fri Feb 19 02:21:26 UTC 2016
Quoting Mark Constable (markc at renta.net):
> On 19/02/16 11:39, Serge Hallyn wrote:
> >>>>echo 0 > /proc/sys/fs/protected_hardlinks
> >>
> >>Thanks for the response Serge but this "problem" all but makes unpriv
> >>containers (xenial at least) unusable. Todays example...
> >>
> >>Unpacking systemd (229-1ubuntu2) over (228-5ubuntu3) ...
> >>dpkg: error processing archive /var/cache/apt/archives/systemd_229-1ubuntu2_amd64.deb (--unpack):
> >> unable to make backup link of './bin/systemctl' before installing new version: Operation not permitted
> >
> >Are you using overlayfs clones? Or using a readonly mount of the
> >host's / ?
>
> No, nothing other than a stock standard launch on a btrfs host.
>
> >Otherwise this shouldn't be happening. I can hardlink
> >/bin/systemctl just fine as root in an unprivileged container.
>
> Thanks for the clarification.
>
> I'm using an old container that I have been upgrading for almost a year
What does ls -l /bin/systemctl show?
You can see the conditions under which the sysctl takes effect
in fs/namei.c:safe_hardlink_source()
> now so goodness knows what state it really is in. I'll launch another
> one from scratch and see if that fixes this issue without turning off
> /proc/sys/fs/protected_hardlinks.
More information about the lxc-users
mailing list