[lxc-users] capabilities requirement change with new filesystem?

Serge E. Hallyn serge at hallyn.com
Sat Jun 20 18:19:00 UTC 2020


Just for the record - the default is to only return user.*
xattrs, -m gives a different pattern to use, since you
wanted to see a security.*

-serge

On Mon, Jun 08, 2020 at 09:46:07PM +0200, Ede Wolf wrote:
> That was it!
> 
> 
> # getfattr -d -m '.*' /usr/bin/newuidmap
> getfattr: Removing leading '/' from absolute path names
> # file: usr/bin/newuidmap
> security.capability=0sAQAAAoAAAAAAAAAAAAAAAAAAAAA=
> 
> I have not fully comprehended what -m '.*' does, but the security
> capability was missing on the new drive, while present on the old
> one.
> 
> Reinstalled shadow and that brought back the capabilities, as rsync with -X
> would not have wanted to recopy the files, and the containers boot again
> without needing to add capabilities to the unit file.
> 
> Thank you very much!
> 
> Time to figure out what other files I might have missed.
> 
> 
> On 08.06.20 at 18:13, Serge E. Hallyn wrote:
> > Not sure what you mean - I think you're asking which files?
> > /usr/bin/newuidmap and /usr/bin/newgidmap may have been installed
> > with file caps (although on mine it is just setuid-root)
> > 
> > On Mon, Jun 08, 2020 at 05:14:52PM +0200, Ede Wolf wrote:
> > > Thanks! That may be quite a hint! I've used -avlW, but not -X. As I've never
> > > intentionally messed with xattrs, I've completely missed those.
> > > 
> > > Where would those attributes have been stored? Running a dry run with -X added
> > > does not obviously seem to reveal anything.
> > > 
> > > 
> > > 
> > > 
> > > On 08.06.20 at 16:36, Serge E. Hallyn wrote:
> > > > On Mon, Jun 08, 2020 at 04:20:07PM +0200, Ede Wolf wrote:
> > > > > Hi,
> > > > > 
> > > > > So I've migrated my whole system via rsync from f2fs to btrfs on a new
> > > > > drive, and, after rebooting, all my unprivileged lxc containers refused to
> > > > > start.
> > > > > 
> > > > > Example:
> > > > > 
> > > > > 
> > > > > lxc-start ... ERROR    conf - conf.c:lxc_map_ids:2779 - newuidmap failed to
> > > > > write mapping "newuidmap: Could not set caps": newuidmap 2413 0 4000000 1 1
> > > > > 4000001 65534
> > > > > lxc-start ... ERROR    start - start.c:lxc_spawn:1690 - Failed to set up id
> > > > > mapping.
> > > > > 
> > > > > 
> > > > > Granting more rights after some searching in their unit files:
> > > > > 
> > > > > 
> > > > > AmbientCapabilities=CAP_SETGID
> > > > > AmbientCapabilities=CAP_SETUID
> > > > > 
> > > > > 
> > > > > made them work again. Being curious, I then booted from the old f2fs drive
> > > > > again and the containers are coming up without the above capability additions.
> > > > > 
> > > > > Back to btrfs and those are needed.
> > > > > 
> > > > > Any idea what may be going on here?
> > > > 
> > > > How did you migrate the fs?  rsync for instance would need -X
> > > > to preserve xattrs, which is how posix file capabilities are
> > > > stored.
> > > > _______________________________________________
> > > > lxc-users mailing list
> > > > lxc-users at lists.linuxcontainers.org
> > > > http://lists.linuxcontainers.org/listinfo/lxc-users
> > > > 
> > > 
> > 
> 
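As an added example (not from the thread or the lxc project), the script below decodes the raw security.capability value Ede posted into capability names and checks a getfattr dump for binaries whose file caps did not survive a copy. The newgidmap value in the sample dump and the expected-caps map are constructed for illustration; only the newuidmap value is the one from the thread.

```python
import base64, struct

# Capability bit numbers 0..37 from include/uapi/linux/capability.h
CAP_NAMES = ("chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap "
             "linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock "
             "ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin "
             "sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write "
             "audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend "
             "audit_read").split()
VFS_CAP_FLAGS_EFFECTIVE = 0x000001  # low bits of magic_etc; the top byte is the revision

def cap_names(mask):  # expand a 64-bit capability mask into names
    return [CAP_NAMES[b] if b < len(CAP_NAMES) else f"cap_{b}" for b in range(64) if mask >> b & 1]

def decode_security_capability(value):
    """Decode getfattr's '0s<base64>' rendering of struct vfs_cap_data (v2 or v3)."""
    raw = base64.b64decode(value.removeprefix("0s"))
    if len(raw) not in (20, 24):  # v2 is 20 bytes; v3 appends a 4-byte rootid
        raise ValueError(f"unexpected vfs_cap_data length {len(raw)}")
    magic, p_lo, i_lo, p_hi, i_hi = struct.unpack_from("<5I", raw)
    return {"version": magic >> 24, "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE),
            "permitted": cap_names(p_hi << 32 | p_lo),
            "inheritable": cap_names(i_hi << 32 | i_lo),
            "rootid": struct.unpack_from("<I", raw, 20)[0] if len(raw) == 24 else None}

def parse_getfattr_dump(text):
    """Map paths to decoded caps from `getfattr -d -m security.capability -R <dir>` output."""
    caps, path = {}, None
    for line in text.splitlines():
        if line.startswith("# file: "):
            path = "/" + line[len("# file: "):]  # getfattr strips the leading '/'
        elif line.startswith("security.capability=") and path:
            caps[path] = decode_security_capability(line.split("=", 1)[1])
    return caps

def missing_caps(dump_text, expected):
    """Paths whose effective permitted set lacks what `expected` (path -> caps) requires."""
    found = parse_getfattr_dump(dump_text)
    return sorted(p for p, want in expected.items() if p not in found
                  or not found[p]["effective"] or not set(want) <= set(found[p]["permitted"]))

# Constructed dump: newuidmap's value is the one posted in the thread; newgidmap's is a
# constructed cap_setgid+ep encoding (bit 6) for illustration.
SAMPLE_DUMP = """\
# file: usr/bin/newuidmap
security.capability=0sAQAAAoAAAAAAAAAAAAAAAAAAAAA=
# file: usr/bin/newgidmap
security.capability=0sAQAAAkAAAAAAAAAAAAAAAAAAAAA=
"""
```

On a real system, feed it the output of `getfattr -d -m security.capability -R /usr/bin` taken on the source and destination drives; the `-m` pattern is required because getfattr lists only `user.*` attributes by default.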

