Quoting T.C 吳天健 (tcwu2...@gmail.com):
> I found some services in the container's OS failed to start. The error message
> is "execve permission denied".
> Finally I chmod 755 to all directories from '/' to rootfs and the problem was
> solved. For example, my container's rootfs is at /data/maru/con1, then
> chmod 755 /data/maru; chmod 755 /data/maru/con1; chmod 755
> /data/maru/con1/rootfs.
> But why? Since I am using a root container, I expect that lxc and
> /data/maru/con1/init have root privilege to do things but apparently not...
Hi,

it's been a while since I've given this any thought. I assume that your root-owned container is unprivileged, and that lxc is trying to open the rootfs dir after unsharing the user namespace. /data/maru/con1/rootfs itself will have to be owned by the container root user, but we should be able to open an fd to that dir in the parent user namespace, and always opendir() from there.

Hm, that won't suffice for pivot_root. So root would instead have to create a temporary mount namespace and mount the new root to /lxcroot. Then the container root could work from /lxcroot.

I'm cc:ing lxc-devel in case someone feels inspired to do this, or at least open a github issue for it. I think it might be worth doing, at least optionally, as it lets us keep a tighter lid on fs permissions.

_______________________________________________
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel
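The permission failure in the question comes from path resolution, not from the final file: once lxc has unshared the user namespace, the container's root is, from the host filesystem's point of view, an unmapped uid that is neither owner nor group member of /data/maru, so every directory on the way to the rootfs must carry the search (execute) bit for "other" or the kernel returns EACCES. The following script is an added diagnostic, not code from the thread or from the lxc project; it walks from a rootfs up to / and reports each component that an unrelated uid cannot traverse. It assumes Linux with GNU coreutils (`stat -c %a`), and the tree it is run against here is constructed inline for illustration.

```shell
#!/bin/sh
# Added example (not from the lxc-devel thread): report every ancestor of a
# container rootfs that lacks the other-execute ("search") bit. Without that
# bit, a uid that is neither owner nor group member of the directory (which
# is what an unprivileged container's root looks like to the host after
# unshare(CLONE_NEWUSER)) cannot resolve paths through it, and execve() on
# anything below fails with EACCES ("execve permission denied").
# Assumes GNU coreutils `stat -c %a` (Linux).

# check_path_search DIR
#   Prints each directory from / down to DIR (inclusive) that is missing o+x.
#   Returns 0 if the whole chain is traversable by an unrelated uid, 1 if at
#   least one component is not, 2 if DIR cannot be resolved.
check_path_search() {
    target=$1
    rc=0
    # Resolve symlinks and trailing slashes once via cd -P, then walk upward
    # with dirname so every real component of the chain is inspected.
    dir=$(cd -P -- "$target" 2>/dev/null && pwd) || {
        printf 'cannot resolve %s\n' "$target" >&2
        return 2
    }
    while :; do
        mode=$(stat -c %a -- "$dir") || return 2
        # Last octal digit is the "other" class; x is the low bit (1).
        other=$(printf '%s' "$mode" | tail -c 1)
        case $other in
            1|3|5|7) ;;                           # o+x set: traversable
            *) printf 'missing o+x: %s (mode %s)\n' "$dir" "$mode"; rc=1 ;;
        esac
        [ "$dir" = / ] && break
        dir=$(dirname -- "$dir")
    done
    return $rc
}

# Constructed demonstration tree mirroring the layout in the question; the
# only thing wrong with it is that one intermediate directory is mode 700.
demo=$(mktemp -d)
mkdir -p "$demo/data/maru/con1/rootfs"
chmod 755 "$demo" "$demo/data" "$demo/data/maru/con1" "$demo/data/maru/con1/rootfs"
chmod 700 "$demo/data/maru"
check_path_search "$demo/data/maru/con1/rootfs" || echo "chain not traversable (rc=$?)"
chmod 755 "$demo/data/maru"        # the fix from the question, applied to the one bad component
check_path_search "$demo/data/maru/con1/rootfs" && echo "chain traversable"
rm -rf "$demo"
```

Note that 755 on the ancestors is only what the question needed; 711 (o+x without o+r) is enough for path resolution and is the tighter choice when the directory's listing should not be readable by everyone. The script deliberately reads the mode bits rather than testing with `[ -x ]`, because the latter is evaluated for the user running the script and is always true for root.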