PLDWWW: Vserver
arekm
arekm at pld-linux.org
Wed Jun 25 12:41:31 CEST 2008
Author: arekm Date: Wed Jun 25 10:41:31 2008 GMT
Module: PLDWWW URL: http://www.pld-linux.org/Vserver?action=diff&rev2=112&rev1=111
---- Log message:
---- Page affected: Vserver
---- Diffs:
================================================================
{{{
echo "~single_ip" >> /etc/vservers/xyz/nflags
+ }}}
+
+ === SMACK enabled kernels ===
+
+ Smack enabled kernels (in PLD default kernel >= 2.6.25) use security.SMACK64 to store some data. Unfortunately vserver by default doesn't allow to change xattr. This can lead to problems like this:
+
+ {{{
+ # pwconv
+ Cannot set attribute security.SMACK64 for `/etc/passwd.tmpbPZiEN': Operation not permitted
+ Error while converting `root' to shadow account.
+ }}}
+
+ There are two solutions for this. First enables setfcap capability (NOTE: it enables in guest much more than is needed by smack so consider security implications for that):
+
+ {{{
+ echo SETFCAP >> /etc/vservers/xyz/bcapabilities
+ }}}
+
+ Second one is disabling SMACK if not needed. This can be done by using kernel boot command line option:
+
+ {{{
+ security=FIXME
}}}
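Review bot: The last block of the new SMACK section still contains the placeholder `security=FIXME`, so the second solution (disabling SMACK through the kernel boot command line) cannot be followed as written. Fill in the real option value before this goes live, or hold that paragraph back until it is known. In the first solution, the NOTE says SETFCAP enables much more in the guest than SMACK needs but does not say what. One sentence naming what the guest gains would let an admin weigh it against disabling SMACK. Wording nit in the intro paragraph: "doesn't allow to change xattr" reads better as "doesn't allow changing xattrs".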