Re: [Qgis-developer] docker container: unshare namespace (sysadmin talk)

2013-11-18 Thread Tim Sutton
Hi


On Mon, Nov 18, 2013 at 9:49 PM, Matthias Kuhn  wrote:

> I hope we have some experienced sysadmins here on the list who can bring
> light into the dark.
>
> The situation is
>
> I try to build rpms for fedora/centos on our shiny new server where we
> have docker.io set up, so we can easily create multiple containers for
> the different tasks the server will run. So I have created a container
> based on centos and installed mock (the tool fedora uses for packaging).
>
> However, running mock (inside the container) fails:
>
>   ERROR: Namespace unshare failed.
>
> As far as I can tell, mock needs the "unshare" system call to create a
> new mountpoint inside the process, where it can create a virtual build
> environment. But calling namespace with CLONE_NEWNS fails with EPERM.
> The manpage states:
>
>    EPERM  flags specified CLONE_NEWNS but the calling process was not
>           privileged (did not have the CAP_SYS_ADMIN capability).
>
> Trying to change this capability of the binary does not work, although
> we are root inside the container, so I guess this kind of capabilities
> gets inherited from my non-privileged user on the host itself. I assume
> (untested) that the following command would fix this issue:
>
> sudo lxc-docker run centos/qgis-nightly setcap cap_sys_admin+ep /usr/sbin/mock
>
> I would be very happy if somebody with server administration and
> especially capabilities experience could let me know if this is a safe
> thing and the right thing to do in order to solve this problem, because to me
> this is all still black magic.
>
> Regards
> Matthias
>

I reckon since you are just bringing up your container, building your
package and then bringing it down without hosting any public service from
the container itself (correct?), it's probably fine.

Regards

Tim


-- 
Tim Sutton - QGIS Project Steering Committee Member
==
Visit http://linfiniti.com to find out about:
 * QGIS programming services
 * GeoDjango web development
 * FOSS Consulting Services
Skype: timlinux Irc: timlinux on #qgis at freenode.net
==
___
Qgis-developer mailing list
Qgis-developer@lists.osgeo.org
http://lists.osgeo.org/mailman/listinfo/qgis-developer

[Qgis-developer] docker container: unshare namespace (sysadmin talk)

2013-11-18 Thread Matthias Kuhn
I hope we have some experienced sysadmins here on the list who can bring
light into the dark.

The situation is

I try to build rpms for fedora/centos on our shiny new server where we
have docker.io set up, so we can easily create multiple containers for
the different tasks the server will run. So I have created a container
based on centos and installed mock (the tool fedora uses for packaging).

However, running mock (inside the container) fails:

  ERROR: Namespace unshare failed.

As far as I can tell, mock needs the "unshare" system call to create a
new mountpoint inside the process, where it can create a virtual build
environment. But calling namespace with CLONE_NEWNS fails with EPERM.
The manpage states:

   EPERM  flags specified CLONE_NEWNS but the calling process was not
          privileged (did not have the CAP_SYS_ADMIN capability).

Trying to change this capability of the binary does not work, although
we are root inside the container, so I guess this kind of capabilities
gets inherited from my non-privileged user on the host itself. I assume
(untested) that the following command would fix this issue:

sudo lxc-docker run centos/qgis-nightly setcap cap_sys_admin+ep /usr/sbin/mock

I would be very happy if somebody with server administration and
especially capabilities experience could let me know if this is a safe
thing and the right thing to do in order to solve this problem, because to me
this is all still black magic.

Regards
Matthias
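The failure Matthias describes comes down to two things: unshare(CLONE_NEWNS) needs CAP_SYS_ADMIN in the effective set, and a file capability applied with setcap inside the container cannot grant a capability that the container's bounding set (CapBnd) does not contain, so the capability has to be granted by the host when the container is created. The following diagnostic is an added example written for this thread, not code from the list, from mock or from docker: it parses the CapEff and CapBnd lines of /proc/self/status, attempts the same unshare(CLONE_NEWNS) call that mock makes, and explains an EPERM in terms of the bounding set. The constructed CapBnd value in the comments (a mask with bit 21 clear) is an assumption made for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* CAP_SYS_ADMIN is capability number 21 (see linux/capability.h). */
#define CAP_SYS_ADMIN_BIT 21

/* Parse one "CapXxx:\t<hex mask>" line in /proc/self/status format.
 * Returns 1 if `bit` is set in the mask, 0 if clear, -1 if the line
 * cannot be parsed. */
int cap_bit_set(const char *line, int bit)
{
    const char *colon = strchr(line, ':');
    if (!colon)
        return -1;
    char *end;
    errno = 0;
    /* strtoull skips the leading tab/space before the hex digits. */
    unsigned long long mask = strtoull(colon + 1, &end, 16);
    if (errno != 0 || end == colon + 1)
        return -1;
    return (int)((mask >> bit) & 1ULL);
}

/* Look up the named capability set (e.g. "CapBnd") in the text of a
 * status file and test `bit` in it. Returns -1 if the set is absent. */
int cap_in_set(const char *status_text, const char *set_name, int bit)
{
    size_t n = strlen(set_name);
    const char *p = status_text;
    while (p && *p) {
        if (strncmp(p, set_name, n) == 0 && p[n] == ':')
            return cap_bit_set(p, bit);
        p = strchr(p, '\n');   /* advance to the start of the next line */
        if (p)
            p++;
    }
    return -1;
}

/* Try to create a new mount namespace, exactly as mock needs to.
 * Returns 0 on success, otherwise the errno value (EPERM when the
 * caller lacks CAP_SYS_ADMIN). */
int try_unshare_mountns(void)
{
    if (unshare(CLONE_NEWNS) == 0)
        return 0;
    return errno;
}

/* Read the caller's own /proc/self/status into buf (NUL terminated). */
static int read_self_status(char *buf, size_t len)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    size_t got = fread(buf, 1, len - 1, f);
    fclose(f);
    buf[got] = '\0';
    return 0;
}

int main(void)
{
    char status[8192];
    if (read_self_status(status, sizeof status) != 0) {
        perror("/proc/self/status");
        return 1;
    }
    int eff = cap_in_set(status, "CapEff", CAP_SYS_ADMIN_BIT);
    int bnd = cap_in_set(status, "CapBnd", CAP_SYS_ADMIN_BIT);
    printf("CAP_SYS_ADMIN effective: %d, in bounding set: %d\n", eff, bnd);

    int rc = try_unshare_mountns();
    if (rc == 0) {
        printf("unshare(CLONE_NEWNS) succeeded: mock's chroot setup would work here\n");
    } else {
        printf("unshare(CLONE_NEWNS) failed: %s\n", strerror(rc));
        if (rc == EPERM && bnd == 0)
            printf("CAP_SYS_ADMIN is outside this container's bounding set; "
                   "setcap on the binary inside the container cannot add it, "
                   "it must be granted by the host at container creation.\n");
    }
    return rc == 0 ? 0 : 2;
}
```

Run it as root inside the container before installing mock: a printed "in bounding set: 0" together with EPERM is the signature of the situation in the thread, and distinguishes it from an ordinary unprivileged-user failure where CapBnd still contains the bit and becoming root would suffice.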