On 29.03.2017 [03:19:16 -0000], Serge Hallyn wrote:
> Thanks, Nish. My thoughts:
>
> 1.a sounds good
Ack.
> 1.b i'd like another way to do that, but not sure what a better way would
> be.
Yeah, I spent some time looking at the CPC generater and it seems like
this is pretty hard-coded:
999-cpc-fixes.chroot:
## --------------
# for maverick and newer, use LABEL= for the '/' entry in fstab
if [ -n "${root_fs_label}" ]; then
bl="[:blank:]"
lstr="LABEL=${root_fs_label}"
sed -i "s,^[^#${bl}]*\([${bl}]*/[${bl}].*\),${lstr}\1," "${rootd}/etc/fstab"
fi
cat > /etc/fstab << EOM
LABEL=cloudimg-rootfs / ext4 defaults 0 0
EOM
> 1.c does lvm also fail in privileged containers? I can see no use to
> running it (for now) in an unprivileged container, so the same solution
> as 1.a seems reasonable.
It also fails in privileged containers in the same way (see 2.b in
comment 20). Note that it works if I manually start the socket after
boot.
> 1.d
> CAP_ADMIN_READ is not a real capability. So if 1.d is fixed by that,
> then something else is wrong.
Right, follow-on comments indicated it was a thinko on my part. I think
it make sense, based upon the context in the audit bug that perhaps we
just don't do auditing in unprivileged containers (similar to the 1.a
change)?
On 29.03.2017 [03:19:16 -0000], Serge Hallyn wrote:
> Thanks, Nish. My thoughts:
>
> 1.a sounds good
Ack.
> 1.b i'd like another way to do that, but not sure what a better way would
> be.
Yeah, I spent some time looking at the CPC generater and it seems like
this is pretty hard-coded:
999-cpc- fixes.chroot: "LABEL= ${root_ fs_label} " ${bl}]* \([${bl} ]*/[${bl} ].*\),$ {lstr}\ 1," "${rootd} /etc/fstab" rootfs / ext4 defaults 0 0
## --------------
# for maverick and newer, use LABEL= for the '/' entry in fstab
if [ -n "${root_fs_label}" ]; then
bl="[:blank:]"
lstr=
sed -i "s,^[^#
fi
cat > /etc/fstab << EOM
LABEL=cloudimg-
EOM
> 1.c does lvm also fail in privileged containers? I can see no use to
> running it (for now) in an unprivileged container, so the same solution
> as 1.a seems reasonable.
It also fails in privileged containers in the same way (see 2.b in
comment 20). Note that it works if I manually start the socket after
boot.
> 1.d
> CAP_ADMIN_READ is not a real capability. So if 1.d is fixed by that,
> then something else is wrong.
Right, follow-on comments indicated it was a thinko on my part. I think
it make sense, based upon the context in the audit bug that perhaps we
just don't do auditing in unprivileged containers (similar to the 1.a
change)?