[libvirt-users] Enabling capabilities in a container

Peter Steele psteele at peaxy.net
Sat Aug 8 17:12:56 UTC 2015


There's no one out there who can comment on this? Surely there must be a way 
to solve this problem for libvirt lxc-based containers.

Peter

On 08/04/2015 03:44 PM, Peter Steele wrote:
> I'm using libvirt_lxc to create and manage various containers. I need 
> to enable certain capabilities in a container to support ctdb, and as 
> a quick solution I decided to just enable them all. I *thought* this 
> would do the trick, adding the following XML to my container config:
>
> <features>
>   <capabilities policy='allow'>
>   </capabilities>
> </features>
>
> After adding this to my container, I restarted it and tried to start 
> the ctdb service again:
>
> # systemctl start ctdb.service
> Job for ctdb.service failed. See 'systemctl status ctdb.service' and 
> 'journalctl -xn' for details.
>
> # systemctl status ctdb.service
> ctdb.service - CTDB
>    Loaded: loaded (/usr/lib/systemd/system/ctdb.service; disabled)
>    Active: failed (Result: exit-code) since Tue 2015-08-04 14:10:39 
> PDT; 8s ago
>   Process: 4612 ExecStart=/usr/sbin/ctdbd_wrapper /run/ctdb/ctdbd.pid 
> start (code=exited, status=1/FAILURE)
>
> Aug 04 14:10:37 pws-01 systemd[1]: Starting CTDB...
> Aug 04 14:10:37 pws-01 ctdbd[4629]: CTDB starting on node
> Aug 04 14:10:37 pws-01 ctdbd[4631]: Starting CTDBD (Version 2.5.4) as 
> PID: 4631
> Aug 04 14:10:37 pws-01 ctdbd[4631]: Created PID file /run/ctdb/ctdbd.pid
> Aug 04 14:10:37 pws-01 ctdbd[4631]: Unable to set scheduler to 
> SCHED_FIFO (Operation not permitted)
> Aug 04 14:10:37 pws-01 ctdbd[4631]: CTDB daemon shutting down
> Aug 04 14:10:39 pws-01 ctdbd_wrapper[4612]: CTDB exited during 
> initialisation - check logs.
> Aug 04 14:10:39 pws-01 systemd[1]: ctdb.service: control process 
> exited, code=exited status=1
> Aug 04 14:10:39 pws-01 systemd[1]: Failed to start CTDB.
> Aug 04 14:10:39 pws-01 systemd[1]: Unit ctdb.service entered failed 
> state.
>
> This implies that the container still doesn't have access to the 
> capabilities it needs to use. I believe this error in fact is caused 
> by the container not having the sys_nice capability. So I tried to 
> allow this specific capability using:
>
> <features>
>   <capabilities policy='default'>
>     <sys_nice state='on'/>
>   </capabilities>
> </features>
>
> This did not work either. So, what *is* the correct way to add 
> capabilities to a container?
>
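An added example, not code from this thread or from libvirt, for checking from inside the container whether CAP_SYS_NICE actually reached the process by decoding the capability masks in /proc/self/status; the "Operation not permitted" on SCHED_FIFO quoted above is what you see when it is absent. It assumes the bit numbering from linux/capability.h (CAP_SYS_NICE = 23); the two status snippets are constructed samples.

```shell
# Added example, not from the thread: check from inside a libvirt LXC container
# whether CAP_SYS_NICE actually reached the process, by decoding the hex masks
# in /proc/self/status (CapBnd = bounding set, CapEff = effective set).
# Assumption: bit numbers follow linux/capability.h, where CAP_SYS_NICE is 23.

CAP_SYS_NICE=23

# nibble_value HEXDIGIT -> prints the 4-bit value of one hex digit (portable;
# does not rely on hex literal support in the container's /bin/sh arithmetic)
nibble_value() {
    case $1 in
        [0-9]) echo "$1" ;;
        a|A) echo 10 ;; b|B) echo 11 ;; c|C) echo 12 ;;
        d|D) echo 13 ;; e|E) echo 14 ;; f|F) echo 15 ;;
        *) echo 0 ;;
    esac
}

# mask_has_cap MASKHEX BIT -> prints 1 if BIT is set in the mask, else 0
mask_has_cap() {
    mask=$1 bit=$2
    pos=$(( ${#mask} - bit / 4 ))   # 1-based index of the nibble holding BIT
    [ "$pos" -ge 1 ] || { echo 0; return; }
    digit=$(printf '%s' "$mask" | cut -c "$pos")
    echo $(( ( $(nibble_value "$digit") >> (bit % 4) ) & 1 ))
}

# status_field STATUSTEXT FIELD -> prints the hex mask of e.g. CapEff
status_field() {
    printf '%s\n' "$1" | awk -v f="$2:" '$1 == f { print $2 }'
}

# sys_nice_report STATUSTEXT -> "granted" when CAP_SYS_NICE is in both the
# bounding and effective sets, otherwise names the set that lacks it
sys_nice_report() {
    bnd=$(mask_has_cap "$(status_field "$1" CapBnd)" "$CAP_SYS_NICE")
    eff=$(mask_has_cap "$(status_field "$1" CapEff)" "$CAP_SYS_NICE")
    if [ "$bnd" = 1 ] && [ "$eff" = 1 ]; then echo granted
    elif [ "$bnd" = 0 ]; then echo "missing from bounding set"
    else echo "missing from effective set"
    fi
}

# Constructed samples (not real captures): a bounding set that stops at bit 21,
# so CAP_SYS_NICE (bit 23) is absent, and one with bits 0..37 all present.
SAMPLE_RESTRICTED='CapEff:	00000000003fffff
CapBnd:	00000000003fffff'
SAMPLE_FULL='CapEff:	0000003fffffffff
CapBnd:	0000003fffffffff'
# Inside a container: sys_nice_report "$(cat /proc/self/status)"
```

Run it against /proc/1/status inside the container to see what the container's init received, and against /proc/self/status from a shell in the container to see what a service started from there gets.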
