
On 26.02.2014 17:59, Stephan Sachse wrote:
> # chown -R foo:foo /var/lib/libvirt/filesystems/mycontainer
> You must "shift" the uids for the container: 0 -> 666, 1 -> 667, 2 -> 668. There is a tool for this: uidmapshift

I prepared two containers; for the first I used chown, for the second uidmapshift. Here are the results.

./uidmapshift -r /var/lib/libvirt/filesystems/mycontainer
UIDs 666 - 666
GIDs 1001 - 2000

foo      28919 28917  0 14:42 ?        00:00:00 /sbin/init
747      28950 28919  0 14:42 ?        00:00:00 /bin/dbus-daemon

./uidmapshift -r /var/lib/libvirt/filesystems/test
UIDs 888 - 1776
GIDs 1002 - 2001

foo1     29298 29296  0 14:45 ?        00:00:00 /sbin/init
969      29329 29298  0 14:45 ?        00:00:00 /bin/dbus-daemon

As you can see, root is mapped to the foo or foo1 user, and the dbus user is mapped to 747 (uid=81(dbus) + uid=666(foo)) or 969 (uid=81(dbus) + uid=888(foo1)). The mapping looks correct. Why use uidmapshift? It still performs chown. Could you explain more?

> Some tools may not work because of the missing file capabilities. chown removes all file capabilities! Try ping as a user inside the container (missing file caps cap_net_admin, cap_net_raw).

# getcap /usr/bin/ping
# ping localhost
PING localhost (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.077 ms
64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.066 ms
^C
--- localhost ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.066/0.071/0.077/0.010 ms

Yes, you are right, chown removed the capabilities, but ping still works properly.

--
Dariusz Michaluk
Samsung R&D Institute Poland
Samsung Electronics
d.michaluk@samsung.com
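The two points the thread turns on, the base+id shift that uidmapshift performs (666 + 81 = 747 for dbus) and the fact that chown(2) drops the security.capability xattr, as an added Python example that is not from the thread and not uidmapshift's own code. It plans the shift as a dry run, recording any file capability it finds, and the apply step (which needs root and CAP_SETFCAP) restores that xattr after lchown; the range-size parameter and the Planned record are assumptions for this example.

```python
import os
import stat
from dataclasses import dataclass
from typing import List, Optional

CAP_XATTR = "security.capability"   # the xattr that chown(2) drops, as getcap showed above

def shift_id(cid: int, base: int, size: int) -> int:
    """Map an in-container id to its host id: base 666 gives root->666, dbus(81)->747."""
    if not 0 <= cid < size:
        raise ValueError(f"id {cid} is outside the mapped range 0..{size - 1}")
    return base + cid

@dataclass
class Planned:
    path: str
    new_uid: int
    new_gid: int
    caps: Optional[bytes]   # raw security.capability value, None if the inode has none

def inspect(path: str, uid_base: int, gid_base: int, size: int) -> Planned:
    st = os.lstat(path)
    caps = None
    if not stat.S_ISLNK(st.st_mode):
        try:
            caps = os.getxattr(path, CAP_XATTR, follow_symlinks=False)
        except OSError:   # ENODATA / ENOTSUP: no file capability on this inode
            pass
    return Planned(path, shift_id(st.st_uid, uid_base, size),
                   shift_id(st.st_gid, gid_base, size), caps)

def plan_shift(root: str, uid_base: int, gid_base: int, size: int = 65536) -> List[Planned]:
    """Dry run over a rootfs: visits every inode once; symlinks are listed, not followed."""
    plan = [inspect(root, uid_base, gid_base, size)]
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            plan.append(inspect(os.path.join(dirpath, name), uid_base, gid_base, size))
    return plan

def apply_shift(plan: List[Planned]) -> int:
    """Needs root and CAP_SETFCAP. lchown drops the capability xattr, so put it back."""
    restored = 0
    for p in plan:
        os.lchown(p.path, p.new_uid, p.new_gid)
        if p.caps is not None:   # v2 caps restore verbatim; v3 caps also embed a rootid
            os.setxattr(p.path, CAP_XATTR, p.caps, follow_symlinks=False)
            restored += 1
    return restored
```

Running plan_shift over a rootfs first and checking which entries carry caps is the cheap way to see what a plain chown -R would silently lose.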