Re: [libvirt] [PATCH] Fix a compilation problem with LXC drop capabilities

On Fri, May 29, 2009 at 9:20 PM, Daniel Veillard <veillard@xxxxxxxxxx> wrote:
>  The lxcContainerDropCapabilities() function requires PR_CAPBSET_DROP
> to be defined in order to compile, but it may not be defined in older
> kernels. So I made the compilation of the core of the function
> conditional, raise an error but still return 0 to not make the
> container initialization fail. But I'm unsure, should we just fail and
> return -1 if we can't drop capabilities instead ?

I think it depends on applications. AFAIK, libvirt intends to support
two types of applications; application workload isolation and
virtual private servers. In the latter case, we MUST drop the capability
and if it fails we have to fail booting a container as well. OTOH, in
the former case, we might not need to fail booting.

Nonetheless, I agree with the patch because old kernels that don't
support PR_CAPBSET_DROP (they would be 2.6.24 or earlier) don't
have enough facilities to support VPSs (e.g., they lack sysfs, devpts, etc.).
Therefore, with the old kernels we don't need to care much about the
dropping-failed-but-booting-success case.

  ozaki-r

>
> Daniel
>
> --
> Daniel Veillard      | libxml Gnome XML XSLT toolkit  http://xmlsoft.org/
> daniel@xxxxxxxxxxxx  | Rpmfind RPM search engine http://rpmfind.net/
> http://veillard.com/ | virtualization library  http://libvirt.org/
>
> --
> Libvir-list mailing list
> Libvir-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/libvir-list
>
>
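
The trade-off discussed in this thread, as an added C example that is not libvirt's code: the drop is compiled conditionally on PR_CAPBSET_DROP, and a policy argument decides whether a failed drop aborts container start (VPS case) or is only logged (workload-isolation case). The names `drop_policy`, `drop_capabilities`, the two stub functions and the choice of CAP_SYS_BOOT are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <linux/capability.h>

/* Hypothetical policy names: a VPS-style container must not start if a drop fails. */
enum drop_policy { DROP_BEST_EFFORT, DROP_REQUIRED };
typedef int (*cap_drop_fn)(int cap);

/* Real primitive; reports ENOSYS when the headers lack PR_CAPBSET_DROP. */
static int bset_drop(int cap)
{
#ifdef PR_CAPBSET_DROP
    return prctl(PR_CAPBSET_DROP, (unsigned long)cap, 0, 0, 0);
#else
    (void)cap; errno = ENOSYS;
    return -1;
#endif
}

/* Constructed stand-ins: a build without PR_CAPBSET_DROP, and a successful drop. */
static int bset_drop_unsupported(int cap) { (void)cap; errno = ENOSYS; return -1; }
static int bset_drop_ok(int cap) { (void)cap; return 0; }

/* Returns 0 if container start may continue, -1 if it must be aborted. */
static int drop_capabilities(const int *caps, size_t n,
                             enum drop_policy policy, cap_drop_fn drop)
{
    int failed = 0;
    for (size_t i = 0; i < n; i++) {
        if (drop(caps[i]) < 0) {
            fprintf(stderr, "cannot drop capability %d (errno %d)\n", caps[i], errno);
            failed = 1;   /* keep going so every failure is logged */
        }
    }
    return (failed && policy == DROP_REQUIRED) ? -1 : 0;
}

int main(void)
{
    const int caps[] = { CAP_SYS_BOOT };   /* assumed capability, for illustration */
    return drop_capabilities(caps, 1, DROP_REQUIRED, bset_drop) ? 1 : 0;
}
```
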

