Re: Enabling capabilities in a container

There's no one out there who can comment on this? Surely there must be a way to solve this problem for libvirt lxc based containers.

Peter

On 08/04/2015 03:44 PM, Peter Steele wrote:
I'm using libvirt_lxc to create and manage various containers. I need to enable certain capabilities in a container to support ctdb, and as a quick solution I decided to just enable them all. I *thought* this would do the trick, adding the following XML to my container config:

<features>
  <capabilities policy='allow'>
  </capabilities>
</features>

After adding this to my container, I restarted it and tried to start the ctdb service again:

# systemctl start ctdb.service
Job for ctdb.service failed. See 'systemctl status ctdb.service' and 'journalctl -xn' for details.

# systemctl status ctdb.service
ctdb.service - CTDB
   Loaded: loaded (/usr/lib/systemd/system/ctdb.service; disabled)
   Active: failed (Result: exit-code) since Tue 2015-08-04 14:10:39 PDT; 8s ago
  Process: 4612 ExecStart=/usr/sbin/ctdbd_wrapper /run/ctdb/ctdbd.pid start (code=exited, status=1/FAILURE)

Aug 04 14:10:37 pws-01 systemd[1]: Starting CTDB...
Aug 04 14:10:37 pws-01 ctdbd[4629]: CTDB starting on node
Aug 04 14:10:37 pws-01 ctdbd[4631]: Starting CTDBD (Version 2.5.4) as PID: 4631
Aug 04 14:10:37 pws-01 ctdbd[4631]: Created PID file /run/ctdb/ctdbd.pid
Aug 04 14:10:37 pws-01 ctdbd[4631]: Unable to set scheduler to SCHED_FIFO (Operation not permitted)
Aug 04 14:10:37 pws-01 ctdbd[4631]: CTDB daemon shutting down
Aug 04 14:10:39 pws-01 ctdbd_wrapper[4612]: CTDB exited during initialisation - check logs.
Aug 04 14:10:39 pws-01 systemd[1]: ctdb.service: control process exited, code=exited status=1
Aug 04 14:10:39 pws-01 systemd[1]: Failed to start CTDB.
Aug 04 14:10:39 pws-01 systemd[1]: Unit ctdb.service entered failed state.

This implies that the container still doesn't have access to the capabilities it needs to use. I believe this error in fact is caused by the container not having the sys_nice capability. So I tried to allow this specific capability using:

<features>
  <capabilities policy='default'>
    <sys_nice state='on'/>
  </capabilities>
</features>

This did not work either. So, what *is* the correct way to add capabilities to a container?


_______________________________________________
libvirt-users mailing list
libvirt-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvirt-users