Just for the record - the default is to only return user.* xattrs, -m gives a different pattern to use, since you wanted to see a security.*

-serge

On Mon, Jun 08, 2020 at 09:46:07PM +0200, Ede Wolf wrote:
> That was it!
>
> # getfattr -d -m '.*' /usr/bin/newuidmap
> getfattr: Removing leading '/' from absolute path names
> # file: usr/bin/newuidmap
> security.capability=0sAQAAAoAAAAAAAAAAAAAAAAAAAAA=
>
> I have not fully comprehended what -m '.*' does, but the security
> capability was missing on the new drive, while being existent on the old
> one.
>
> Reinstalled shadow and that brought back the capabilities, as rsync with -X
> would not have wanted to recopy the files, and the containers boot again
> without the need to add capabilities in the unit file.
>
> Thank you very much!
>
> Time to figure out what other files I might have missed.
>
> On 08.06.20 at 18:13, Serge E. Hallyn wrote:
> > Not sure what you mean - I think you're asking which files?
> > /usr/bin/newuidmap and /usr/bin/newgidmap may have been installed
> > with file caps (although on mine it is just setuid-root)
> >
> > On Mon, Jun 08, 2020 at 05:14:52PM +0200, Ede Wolf wrote:
> > > Thanks! That may be quite a hint! I've used -avlW, but not -X. As I've
> > > never intentionally messed with xattrs, I've completely missed those.
> > >
> > > Where would those attributes have been stored? Running a dry run with
> > > added X does not obviously seem to reveal anything.
> > >
> > > On 08.06.20 at 16:36, Serge E. Hallyn wrote:
> > > > On Mon, Jun 08, 2020 at 04:20:07PM +0200, Ede Wolf wrote:
> > > > > Hi,
> > > > >
> > > > > So I've migrated my whole system via rsync from f2fs to btrfs on a new
> > > > > drive, and, after rebooting, all my unprivileged lxc containers
> > > > > refused to start.
> > > > >
> > > > > Example:
> > > > >
> > > > > lxc-start ... ERROR conf - conf.c:lxc_map_ids:2779 - newuidmap failed to
> > > > > write mapping "newuidmap: Could not set caps": newuidmap 2413 0 4000000 1 1
> > > > > 4000001 65534
> > > > > lxc-start ... ERROR start - start.c:lxc_spawn:1690 - Failed to set up id
> > > > > mapping.
> > > > >
> > > > > Granting more rights after some searching in their unit files:
> > > > >
> > > > > AmbientCapabilities=CAP_SETGID
> > > > > AmbientCapabilities=CAP_SETUID
> > > > >
> > > > > made them work again. Being curious, I then booted from the old f2fs
> > > > > drive again and the containers are coming up without the above capability
> > > > > additions.
> > > > >
> > > > > Back to btrfs and those are needed.
> > > > >
> > > > > Any idea what may be going on here?
> > > >
> > > > How did you migrate the fs? rsync for instance would need -X
> > > > to preserve xattrs, which is how posix file capabilities are
> > > > stored.

_______________________________________________
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users
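As an added example (not code from this thread or from the shadow/LXC projects), here is a small Python decoder for the security.capability value pasted above: it unpacks the base64 "0s" payload that getfattr prints into the struct vfs_cap_data fields and renders them getcap-style, which is a quick way to confirm what a file's caps were on the old drive versus the copy. The CAP_NAMES table is a hand-typed subset of linux/capability.h; bits not in it are reported as cap_<n>.

```python
import base64
import struct

# Bit positions from linux/capability.h; unnamed bits are reported as cap_<n>.
CAP_NAMES = {0: "cap_chown", 1: "cap_dac_override", 2: "cap_dac_read_search",
             3: "cap_fowner", 4: "cap_fsetid", 5: "cap_kill", 6: "cap_setgid",
             7: "cap_setuid", 8: "cap_setpcap", 12: "cap_net_admin",
             13: "cap_net_raw", 21: "cap_sys_admin"}

VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_2 = 0x02000000    # 20-byte struct vfs_cap_data
VFS_CAP_REVISION_3 = 0x03000000    # 24 bytes: adds rootid for namespaced caps
VFS_CAP_FLAGS_EFFECTIVE = 0x00000001

def decode_cap_xattr(value):
    """Decode a security.capability value as getfattr -d prints it.
    The '0s' prefix marks a base64-encoded binary value; the payload is
    le32 magic_etc, then (permitted, inheritable) le32 pairs for capability
    bits 0-31 and 32-63, plus a le32 rootid for revision 3."""
    if not value.startswith("0s"):
        raise ValueError("expected a base64 ('0s...') value")
    raw = base64.b64decode(value[2:])
    if len(raw) < 4:
        raise ValueError("truncated value")
    (magic_etc,) = struct.unpack_from("<I", raw, 0)
    revision = magic_etc & VFS_CAP_REVISION_MASK
    size = {VFS_CAP_REVISION_2: 20, VFS_CAP_REVISION_3: 24}.get(revision)
    if size is None or len(raw) != size:
        raise ValueError("unsupported revision or truncated value")
    p_lo, i_lo, p_hi, i_hi = struct.unpack_from("<4I", raw, 4)
    rootid = struct.unpack_from("<I", raw, 20)[0] if size == 24 else 0
    return {"revision": revision >> 24,
            "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE),
            "permitted": p_lo | (p_hi << 32),
            "inheritable": i_lo | (i_hi << 32),
            "rootid": rootid}

def cap_text(caps):
    """Render decoded caps in getcap style, e.g. 'cap_setuid=ep'."""
    groups = {}
    for bit in range(64):
        permitted = caps["permitted"] >> bit & 1
        flags = ("e" if caps["effective"] and permitted else "") \
            + ("i" if caps["inheritable"] >> bit & 1 else "") \
            + ("p" if permitted else "")
        if flags:
            groups.setdefault(flags, []).append(CAP_NAMES.get(bit, "cap_%d" % bit))
    return " ".join("%s=%s" % (",".join(n), f) for f, n in sorted(groups.items()))
```

Running cap_text(decode_cap_xattr("0sAQAAAoAAAAAAAAAAAAAAAAAAAAA=")) on the value from the thread yields cap_setuid=ep, i.e. a revision-2 file cap with only CAP_SETUID permitted and the effective bit set, which is exactly what newuidmap was missing on the new drive.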