[lxc-users] capabilities requirement change with new filesystem?
Ede Wolf
listac at nebelschwaden.de
Mon Jun 8 19:46:07 UTC 2020
That was it!
# getfattr -d -m '.*' /usr/bin/newuidmap
getfattr: Removing leading '/' from absolute path names
# file: usr/bin/newuidmap
security.capability=0sAQAAAoAAAAAAAAAAAAAAAAAAAAA=
I have not fully comprehended, what -m '.*' does, but the security
capability was missing on the new drive, while being existent on the old
one.
Reinstalled shadow and that brought back the capabilites, as rsync with
-X would not have wanted to recopy the files, and the container boot
again without the need to adding capabilities in the unit file
Thanky very much!
Time to figure out, what other files I might have missed.
Am 08.06.20 um 18:13 schrieb Serge E. Hallyn:
> Note sure what you mean - I think you're asking which files?
> /usr/bin/newuidmap and /usr/bin/newgidmap may have been installed
> with file caps (although on mine it is just setuid-root)
>
> On Mon, Jun 08, 2020 at 05:14:52PM +0200, Ede Wolf wrote:
>> Thanks! That may be quite a hint! I've used -avlW, but not -X. As I've never
>> intentionally messed with xattrs, I've completely missed those.
>>
>> Where would those attributes have been stored? Running a dryrun with added X
>> does not obviously seem to reveal anything.
>>
>>
>>
>>
>> Am 08.06.20 um 16:36 schrieb Serge E. Hallyn:
>>> On Mon, Jun 08, 2020 at 04:20:07PM +0200, Ede Wolf wrote:
>>>> Hi,
>>>>
>>>> So I've migrated my whole system via rsync from f2fs to btrfs on a new
>>>> drive, and, after rebooting, all my unpriviledged lxc containers refused to
>>>> start.
>>>>
>>>> Example:
>>>>
>>>>
>>>> lxc-start ... ERROR conf - conf.c:lxc_map_ids:2779 - newuidmap failed to
>>>> write mapping "newuidmap: Could not set caps": newuidmap 2413 0 4000000 1 1
>>>> 4000001 65534
>>>> lxc-start ... ERROR start - start.c:lxc_spawn:1690 - Failed to set up id
>>>> mapping.
>>>>
>>>>
>>>> Granting more rights after some searching in their unit files:
>>>>
>>>>
>>>> AmbientCapabilities=CAP_SETGID
>>>> AmbientCapabilities=CAP_SETUID
>>>>
>>>>
>>>> made them work again. Being curios, I then booted from the old f2fs drive
>>>> again and the containers are coming up without above capability additions.
>>>>
>>>> Back to btrfs and those are needed.
>>>>
>>>> Any idea, what may be going on here?
>>>
>>> How did you migrate the fs? rsync for instance would need -X
>>> to preserve xattrs, which is how posix file capabilities are
>>> stored.
>>> _______________________________________________
>>> lxc-users mailing list
>>> lxc-users at lists.linuxcontainers.org
>>> http://lists.linuxcontainers.org/listinfo/lxc-users
>>>
>>
>> _______________________________________________
>> lxc-users mailing list
>> lxc-users at lists.linuxcontainers.org
>> http://lists.linuxcontainers.org/listinfo/lxc-users
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users
>
More information about the lxc-users
mailing list