That was it!
# getfattr -d -m '.*' /usr/bin/newuidmap
getfattr: Removing leading '/' from absolute path names
# file: usr/bin/newuidmap
security.capability=0sAQAAAoAAAAAAAAAAAAAAAAAAAAA=
I have not fully comprehended what -m '.*' does, but the security
capability was missing on the new drive while being existent on the old
one.
Reinstalled shadow and that brought back the capabilities, as rsync with
-X would not have wanted to recopy the files, and the container boots
again without the need to add capabilities in the unit file.
Thank you very much!
Time to figure out what other files I might have missed.
On 08.06.20 at 18:13, Serge E. Hallyn wrote:
Not sure what you mean - I think you're asking which files?
/usr/bin/newuidmap and /usr/bin/newgidmap may have been installed
with file caps (although on mine it is just setuid-root)
On Mon, Jun 08, 2020 at 05:14:52PM +0200, Ede Wolf wrote:
Thanks! That may be quite a hint! I've used -avlW, but not -X. As I've never
intentionally messed with xattrs, I've completely missed those.
Where would those attributes have been stored? Running a dryrun with added X
does not obviously seem to reveal anything.
On 08.06.20 at 16:36, Serge E. Hallyn wrote:
On Mon, Jun 08, 2020 at 04:20:07PM +0200, Ede Wolf wrote:
Hi,
So I've migrated my whole system via rsync from f2fs to btrfs on a new
drive, and, after rebooting, all my unprivileged lxc containers refused to
start.
Example:
lxc-start ... ERROR conf - conf.c:lxc_map_ids:2779 - newuidmap failed to
write mapping "newuidmap: Could not set caps": newuidmap 2413 0 4000000 1 1
4000001 65534
lxc-start ... ERROR start - start.c:lxc_spawn:1690 - Failed to set up id
mapping.
Granting more rights after some searching in their unit files:
AmbientCapabilities=CAP_SETGID
AmbientCapabilities=CAP_SETUID
made them work again. Being curious, I then booted from the old f2fs drive
again and the containers are coming up without above capability additions.
Back to btrfs and those are needed.
Any idea what may be going on here?
How did you migrate the fs? rsync for instance would need -X
to preserve xattrs, which is how posix file capabilities are
stored.
_______________________________________________
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users
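Added example, not from the thread or the lxc project: a small decoder for the security.capability xattr exactly as getfattr -d prints it (the 0s<base64> form above), plus a comparison of two such dumps so you can list which binaries lost their file caps between the old and the new drive. The newuidmap value is the one from the thread; the newgidmap value (cap_setgid=ep) and the second dump are constructed sample input. The layout decoded is struct vfs_cap_data from <linux/capability.h>: a little-endian magic_etc word (revision in the top byte, effective flag in the low bit) followed by (permitted, inheritable) u32 pairs, and a rootid word for revision 3.

```python
"""Decode security.capability xattrs from `getfattr -d -m '.*'` output and diff two dumps."""
import base64
import struct

# Capability numbers from <linux/capability.h>; list index == capability number.
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]
VFS_CAP_FLAGS_EFFECTIVE = 0x000001


def decode_getfattr_value(value):
    """getfattr -d prints binary values as 0s<base64>, hex as 0x<hex>, otherwise quoted text."""
    if value.startswith("0s"):
        return base64.b64decode(value[2:])
    if value.startswith("0x"):
        return bytes.fromhex(value[2:])
    return value.strip('"').encode()


def cap_bits_to_names(mask):
    """Turn a capability bitmask into sorted names; unknown bits become their number."""
    return sorted(CAP_NAMES[b] if b < len(CAP_NAMES) else str(b)
                  for b in range(mask.bit_length()) if (mask >> b) & 1)


def decode_vfs_cap(raw):
    """Parse struct vfs_cap_data: magic_etc, then (permitted, inheritable) u32 pairs, all LE."""
    if len(raw) < 4:
        raise ValueError("security.capability value too short")
    magic_etc = struct.unpack_from("<I", raw, 0)[0]
    revision = magic_etc >> 24
    words = 1 if revision == 1 else 2                        # v1: 32 caps, v2/v3: 64 caps
    expected = 4 + 8 * words + (4 if revision == 3 else 0)   # v3 appends a rootid word
    if revision not in (1, 2, 3) or len(raw) != expected:
        raise ValueError(f"unsupported capability blob: rev={revision} len={len(raw)}")
    permitted = inheritable = 0
    for i in range(words):
        p, inh = struct.unpack_from("<II", raw, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    rootid = struct.unpack_from("<I", raw, 4 + 8 * words)[0] if revision == 3 else 0
    return {
        "revision": revision,
        "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE),
        "permitted": cap_bits_to_names(permitted),
        "inheritable": cap_bits_to_names(inheritable),
        "rootid": rootid,
    }


def parse_getfattr_dump(text):
    """Map every '# file:' stanza of a getfattr dump to its decoded file caps (None if it has none)."""
    caps, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# file: "):
            current = "/" + line[len("# file: "):]       # getfattr strips the leading '/'
            caps[current] = None
        elif current and line.startswith("security.capability="):
            caps[current] = decode_vfs_cap(decode_getfattr_value(line.split("=", 1)[1]))
    return caps


def files_missing_caps(old_dump, new_dump):
    """Paths whose file caps on the old filesystem are absent or different on the new one."""
    old, new = parse_getfattr_dump(old_dump), parse_getfattr_dump(new_dump)
    return sorted(p for p, c in old.items() if c and new.get(p) != c)


# Old drive: newuidmap value copied from the thread; newgidmap value is constructed (cap_setgid=ep).
OLD_DUMP = """\
# file: usr/bin/newuidmap
security.capability=0sAQAAAoAAAAAAAAAAAAAAAAAAAAA=
# file: usr/bin/newgidmap
security.capability=0sAQAAAkAAAAAAAAAAAAAAAAAAAAA=
"""
# New drive after an rsync without -X: constructed dump where the cap line is gone.
NEW_DUMP = """\
# file: usr/bin/newuidmap
user.note="constructed sample, no security.capability here"
"""

if __name__ == "__main__":
    for path, caps in parse_getfattr_dump(OLD_DUMP).items():
        print(path, caps)
    print("lost caps:", files_missing_caps(OLD_DUMP, NEW_DUMP))
```

Feed it the two dumps from `getfattr -R -d -m '.*' /usr /bin /sbin` on the old and new root (the -R flag and `-m '.*'` are real getfattr options; -m selects which attribute names to print, and without it the security.* namespace is not shown). On Linux, `os.getxattr(path, "security.capability")` returns the same raw bytes that decode_vfs_cap() expects, so the same decoder can be run directly against a mounted filesystem instead of a text dump.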