I'm using libvirt_lxc to create and manage various containers. I need to enable certain capabilities in a container to support ctdb, and as a quick solution I decided to just enable them all. I *thought* this would do the trick, adding the following XML to my container config:

  <features>
    <capabilities policy='allow'>
    </capabilities>
  </features>

After adding this to my container, I restarted it and tried to start the ctdb service again:

  # systemctl start ctdb.service
  Job for ctdb.service failed. See 'systemctl status ctdb.service' and 'journalctl -xn' for details.

  # systemctl status ctdb.service
  ctdb.service - CTDB
     Loaded: loaded (/usr/lib/systemd/system/ctdb.service; disabled)
     Active: failed (Result: exit-code) since Tue 2015-08-04 14:10:39 PDT; 8s ago
    Process: 4612 ExecStart=/usr/sbin/ctdbd_wrapper /run/ctdb/ctdbd.pid start (code=exited, status=1/FAILURE)

  Aug 04 14:10:37 pws-01 systemd[1]: Starting CTDB...
  Aug 04 14:10:37 pws-01 ctdbd[4629]: CTDB starting on node
  Aug 04 14:10:37 pws-01 ctdbd[4631]: Starting CTDBD (Version 2.5.4) as PID: 4631
  Aug 04 14:10:37 pws-01 ctdbd[4631]: Created PID file /run/ctdb/ctdbd.pid
  Aug 04 14:10:37 pws-01 ctdbd[4631]: Unable to set scheduler to SCHED_FIFO (Operation not permitted)
  Aug 04 14:10:37 pws-01 ctdbd[4631]: CTDB daemon shutting down
  Aug 04 14:10:39 pws-01 ctdbd_wrapper[4612]: CTDB exited during initialisation - check logs.
  Aug 04 14:10:39 pws-01 systemd[1]: ctdb.service: control process exited, code=exited status=1
  Aug 04 14:10:39 pws-01 systemd[1]: Failed to start CTDB.
  Aug 04 14:10:39 pws-01 systemd[1]: Unit ctdb.service entered failed state.

This implies that the container still doesn't have access to the capabilities it needs to use. I believe this error in fact is caused by the container not having the sys_nice capability. So I tried to allow this specific capability using:

  <features>
    <capabilities policy='default'>
      <sys_nice state='on'/>
    </capabilities>
  </features>

This did not work either.
So, what *is* the correct way to add capabilities to a container?
Peter Steele
2015-Aug-08 17:12 UTC
Re: [libvirt-users] Enabling capabilities in a container
There's no one out there who can comment on this? Surely there must be a way to solve this problem for libvirt lxc based containers.

Peter

On 08/04/2015 03:44 PM, Peter Steele wrote:
> I'm using libvirt_lxc to create and manage various containers. I need
> to enable certain capabilities in a container to support ctdb, and as
> a quick solution I decided to just enable them all. I *thought* this
> would do the trick, adding the following XML to my container config:
>
> <features>
>   <capabilities policy='allow'>
>   </capabilities>
> </features>
>
> After adding this to my container, I restarted it and tried to start
> the ctdb service again:
>
> # systemctl start ctdb.service
> Job for ctdb.service failed. See 'systemctl status ctdb.service' and
> 'journalctl -xn' for details.
>
> # systemctl status ctdb.service
> ctdb.service - CTDB
>    Loaded: loaded (/usr/lib/systemd/system/ctdb.service; disabled)
>    Active: failed (Result: exit-code) since Tue 2015-08-04 14:10:39
> PDT; 8s ago
>   Process: 4612 ExecStart=/usr/sbin/ctdbd_wrapper /run/ctdb/ctdbd.pid
> start (code=exited, status=1/FAILURE)
>
> Aug 04 14:10:37 pws-01 systemd[1]: Starting CTDB...
> Aug 04 14:10:37 pws-01 ctdbd[4629]: CTDB starting on node
> Aug 04 14:10:37 pws-01 ctdbd[4631]: Starting CTDBD (Version 2.5.4) as
> PID: 4631
> Aug 04 14:10:37 pws-01 ctdbd[4631]: Created PID file /run/ctdb/ctdbd.pid
> Aug 04 14:10:37 pws-01 ctdbd[4631]: Unable to set scheduler to
> SCHED_FIFO (Operation not permitted)
> Aug 04 14:10:37 pws-01 ctdbd[4631]: CTDB daemon shutting down
> Aug 04 14:10:39 pws-01 ctdbd_wrapper[4612]: CTDB exited during
> initialisation - check logs.
> Aug 04 14:10:39 pws-01 systemd[1]: ctdb.service: control process
> exited, code=exited status=1
> Aug 04 14:10:39 pws-01 systemd[1]: Failed to start CTDB.
> Aug 04 14:10:39 pws-01 systemd[1]: Unit ctdb.service entered failed
> state.
>
> This implies that the container still doesn't have access to the
> capabilities it needs to use. I believe this error in fact is caused
> by the container not having the sys_nice capability. So I tried to
> allow this specific capability using:
>
> <features>
>   <capabilities policy='default'>
>     <sys_nice state='on'/>
>   </capabilities>
> </features>
>
> This did not work either. So, what *is* the correct way to add
> capabilities to a container?
>
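The failing call in the log above is sched_setscheduler(SCHED_FIFO), which on Linux requires CAP_SYS_NICE in the caller's effective set. Before changing the libvirt XML again, it is worth checking from inside the container which capability sets actually contain sys_nice: if it is missing from the bounding set (CapBnd), no unit file or setcap trick inside the container can bring it back and the container definition is what has to change; if it is in CapBnd but not in CapEff, the service's own user or unit settings are dropping it. The following is an added example, not code from the thread, from libvirt or from ctdb. It assumes Linux (the Cap* fields of /proc/<pid>/status and the capability numbering from <linux/capability.h>); the two status dumps embedded in it are constructed, not captured from the poster's system.

```python
"""Check whether a process holds CAP_SYS_NICE, the capability that
sched_setscheduler(SCHED_FIFO) needs, and try the same call ctdbd makes.

Added example for the libvirt-users thread; not code from libvirt or ctdb.
Assumes Linux: the Cap* fields of /proc/<pid>/status and the capability
numbering from <linux/capability.h>.
"""
import os
import re

# Capability names by bit number (index == CAP_* value in <linux/capability.h>).
# Lowercase, matching the element names libvirt uses inside <capabilities>.
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]
CAP_SYS_NICE = CAP_NAMES.index("sys_nice")  # 23

# Constructed sample dumps (not captured from the poster's system).
# A container process whose sets have bit 23 (sys_nice) cleared ...
CONTAINER_STATUS = """\
Name:\tctdbd
Pid:\t4631
CapInh:\t0000000000000000
CapPrm:\t0000003fff7fffff
CapEff:\t0000003fff7fffff
CapBnd:\t0000003fff7fffff
"""
# ... and a root process on the host with the full 38-bit set of a 4.x kernel.
HOST_STATUS = """\
Name:\tbash
Pid:\t1
CapInh:\t0000000000000000
CapPrm:\t0000003fffffffff
CapEff:\t0000003fffffffff
CapBnd:\t0000003fffffffff
"""


def parse_cap_sets(status_text):
    """Return {"CapEff": int, ...} parsed from the Cap* lines of a status dump."""
    pattern = re.compile(r"^(Cap[A-Za-z]+):\s*([0-9a-fA-F]+)\s*$", re.M)
    return {m.group(1): int(m.group(2), 16) for m in pattern.finditer(status_text)}


def decode_caps(mask):
    """Expand a capability bitmask into names, lowest bit first (like capsh --decode)."""
    names = []
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"cap_{bit}")
        bit += 1
    return names


def has_cap(mask, cap):
    """True if capability number `cap` is set in `mask`."""
    return bool((mask >> cap) & 1)


def diagnose(status_text, cap=CAP_SYS_NICE):
    """Report which sets contain `cap`.  Absent from CapBnd: the container
    definition must change.  In CapBnd but not CapEff: the service's user or
    unit settings dropped it."""
    sets = parse_cap_sets(status_text)
    return {
        "bounding": has_cap(sets.get("CapBnd", 0), cap),
        "permitted": has_cap(sets.get("CapPrm", 0), cap),
        "effective": has_cap(sets.get("CapEff", 0), cap),
    }


def try_sched_fifo():
    """Attempt the call that failed in the log; returns None on success
    (after restoring the previous policy) or the error text."""
    old_policy = os.sched_getscheduler(0)
    old_param = os.sched_getparam(0)
    try:
        os.sched_setscheduler(0, os.SCHED_FIFO, os.sched_param(1))
    except PermissionError as exc:
        return str(exc)
    os.sched_setscheduler(0, old_policy, old_param)
    return None


if __name__ == "__main__":
    # Run as root inside the container: python3 capcheck.py
    with open("/proc/self/status") as fh:
        live = fh.read()
    print("sys_nice:", diagnose(live))
    print("SCHED_FIFO:", try_sched_fifo() or "ok")
```

Run it as root inside the container (the file name capcheck.py is an assumption). A bounding-set result of False for sys_nice means the libvirt domain XML is not granting the capability, and no change to the ctdb unit inside the container will help. The same decoding can be done by hand with `capsh --decode=<hex>` on the CapBnd value from /proc/self/status.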