search for: sys_nic

I'm using libvirt_lxc and that has an XML based configuration. Based on what I've read, I think I need to add this to the ctdb container's config: <features> <capabilities policy='default'> <sys_nice state='on'/> </capabilities> </features> That didn't do the trick though. I need to figure out how to turn on all caps to see if that does the job. Peter On 08/04/2015 10:27 AM, Ralph Böhme wrote: > Hi Peter, > > On Tue, Aug 04, 2015 at 10:11:56AM -0700,...

We're transitioning from a VM based environment to one that uses LXC based containers running under CentOS 7. CTDB runs fine under our CentOS 7 VMs. The same packages running under LXC however seem to have issues: # systemctl start ctdb.service Job for ctdb.service failed. See 'systemctl status ctdb.service' and 'journalctl -xn' for details. # systemctl status ctdb.service

...4 14:10:39 pws-01 systemd[1]: Failed to start CTDB. Aug 04 14:10:39 pws-01 systemd[1]: Unit ctdb.service entered failed state. This implies that the container still doesn't have access to the capabilities it needs to use. I believe this error in fact is caused by the container not having the sys_nice capability. So I tried to allow this specific capability using: <features> <capabilities policy='default'> <sys_nice state='on'/> </capabilities> </features> This did not work either. So, what *is* the correct way to add capabilities to...

...032]: Starting CTDBD (Version 2.5.4) as PID: > > 9032 > > Aug 04 10:09:04 pws-01 ctdbd[9032]: Created PID file /run/ctdb/ctdbd.pid > > Aug 04 10:09:04 pws-01 ctdbd[9032]: Unable to set scheduler to SCHED_FIFO > > (Operation not permitted) > > your container is dopping sys_nice cap, fix the container config. Indeed, to make it more concrete, uncomment "lxc.cap.drop = sys_nice" (or so) in /var/lib/lxc/<container>/config. And more caps may occur. > On my Fedora LXC host Fedora host? -- interesting. :-) Cheers - Michael -------------- next part -----...

...d=2970 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nm-system-setti" exe="/usr/sbin/nm-system-settings" subj=system_u:system_r:system_dbusd_t:s0 key=(null (2) SELinux is preventing nm-system-setti (system_dbusd_t) "sys_nice" to <Unknown> (system_dbusd_t). SELinux denied access requested by nm-system-setti. It is not expected that this access is required by nm-system-setti and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is c...

...postqueue_exec_t; type postfix_public_t; type postfix_pipe_t; type sendmail_t; type sendmail_exec_t; type src_t; type tmp_t; type usr_t; type user_home_dir_t; type user_home_t; type var_log_t; class capability { sys_nice chown }; class file { append create execute execute_no_trans \ getattr ioctl link lock read rename setattr write unlink }; class dir { add_name getattr create read remove_name \ rename write search setattr rmdir }; class fifo_file { getattr write };...

...Aug 04 10:09:04 pws-01 ctdbd[9032]: Starting CTDBD (Version 2.5.4) as PID: > 9032 > Aug 04 10:09:04 pws-01 ctdbd[9032]: Created PID file /run/ctdb/ctdbd.pid > Aug 04 10:09:04 pws-01 ctdbd[9032]: Unable to set scheduler to SCHED_FIFO > (Operation not permitted) your container is dopping sys_nice cap, fix the container config. On my Fedora LXC host this is done in a global include that is pulled into all containers by default. I simply gave all caps to the containers intended for ctdb and then it worked just fine. -Ralph -- SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen phone: +49-551-3...