1414371163 M * undefined Bertl: hmmm, why do we pass vx_info to render_cap_t (from task_cap() in fs/proc/array.c), but never use it?
1414371178 M * undefined just curious
1414371286 M * Bertl it was probably used at some point
1414371298 M * undefined yeah, i figured it was a remnant
1414371302 M * undefined but thought i would ask
1414371364 M * undefined ran across it while trying to figure out how to print caps in a printk to debug this capable(CAP_CONTEXT) failing after clone() with CLONE_NEWUSER
1414371421 M * undefined thought maybe it was because ns_capable was needed (instead of capable), but that didn't change anything
1414371434 M * Bertl I remember we had per context capabilities some time back
1414371446 M * Bertl we replaced that with the capability mask at some point
1414371451 M * undefined gotcha
1414371471 M * Bertl patches to clean such stuff up are always welcome, btw
1414371536 M * undefined hint noted ;)
1414371597 M * Bertl there was a point where we considered showing the masked caps instead of the normal cap system
1414371601 Q * fisted Remote host closed the connection
1414371611 M * Bertl i.e. cap & vx_bcaps
1414371617 J * fisted ~fisted@xdsl-87-78-229-84.netcologne.de
1414371661 M * Bertl while more accurate, this turned out to be sub-optimal, as most tools check for certain capabilities via proc, and thus complain instead of simply work
1414372071 M * undefined i see
1414374912 M * undefined Bertl: well, cap_effective is 0 after clone with CLONE_NEWUSER, so that explains the failure
1414374958 M * undefined now, why are we losing all capabilities when creating a new user namespace?
1414374975 M * Bertl no idea
1414375020 M * undefined oh, that was a rhetorical question (thinking "out loud")
1414375031 M * undefined and that's using current_cred(), so that should be within the new user namespace
1414375041 M * Bertl no problem :)
1414375219 M * undefined i have to reread the lwn.net article on user namespaces and see what happens when entering one
1414375241 M * undefined Bertl: would it hurt if we didn't use user namespaces, even if they were enabled?
1414375270 M * undefined that way people could still use them separately
1414375300 M * undefined though i'm not sure what the interaction would be if someone tried to use user namespaces (eg containers) in a vserver
1414375412 M * Bertl no problem with that
1414375421 M * Bertl it should even work with existing tools
1414375436 M * Bertl (check with daniel_hozac for details)
1414375533 M * undefined we wouldn't be "embracing" user namespaces, adding user namespace features to linux-vserver (ie user & group mapping), but simply allowing co-existence
1414375593 M * undefined like using linux-vserver and docker on the same server (theoretically)
1414375605 M * Bertl yeah, fine with me
1414375626 M * Bertl the main question is, how does it work in LXC for example?
1414375647 M * Bertl they have to get the capabilities somewhere, at least some no?
1414375712 M * undefined yes, but it might require user-space setup
1414375738 M * undefined defining user and guest mappings
1414375783 M * Bertl might be doable for util-vserver as well then
1414375810 M * undefined yes, i'm not saying it's impossible, but trying to crawl before i walk ;)
1414380238 M * undefined well, it's not the clone call because i have an example program that makes the same exact clone call as vspace and it retains capabilities (though also changed to uid and gid 65535, like vspace)
1414380271 M * undefined or at least it's not the clone call alone
1414380309 M * Bertl did you test it on the same kernel or a different one?
1414380315 M * undefined same
1414380332 M * undefined same login session even
1414380382 M * undefined insert obligatory message here to upgrade to the latest util-vserver
1414380385 M * undefined ;)
1414380531 M * Bertl okay, so just to recap, you are seeing two problems which might be related
1414380565 M * Bertl first, you don't have the necessary Linux-VServer capability, so the syscall switch fails with most commands
1414380601 M * Bertl and then you have a clone with user namespace, which drops all capabilities, including the Linux-VServer one, yes?
1414380619 M * undefined nope, same problem, cause & effect
1414380645 M * undefined the syscall switch fails *after* clone with user namespace because all capabilities are dropped
1414380677 M * Bertl but it works fine on a root logon?
1414380708 M * undefined no
1414380732 M * undefined "chcontext --xid 2 true" fails
1414380769 M * Bertl so the cap has been already dropped without Linux-VServer (userspace) being involved, yes?
1414380822 M * undefined still researching, but i think there's a vc_tag_migrate() before the clone()
1414380896 M * undefined ah, that's coming from the execution of vtag
1414381007 M * undefined wow, we really chain the util-vserver application executions (vtag ... -- vspace ... -- vcontext ... -- vspace ... -- vattribute ...)
1414381661 M * undefined chcontext calls vtag which calls tag_migrate() and executes vspace which calls get_space_default() and clone() and executes vcontext which calls get_version and get_vci which fail because of no caps
1414381801 M * undefined now daniel_hozac may call me an idiot for running 0.30.216-pre3054 and not the latest (which i'm currently reading/studying the source code for on github)
1414381812 M * undefined ;)
1414383114 M * Bertl I'm off to bed now ... good luck!
1414383139 M * Bertl and thanks for your time!
1414383143 N * Bertl Bertl_zZ
1414383436 Q * redhat Quit: No Ping reply in 180 seconds.
1414383460 J * redhat ~quassel@31.25.99.5
1414385017 M * undefined okay, i modified my test application (https://lwn.net/Articles/539941/) to act like vspace by calling clone() (though technically vspace calls the clone syscall directly where i call clone(), but the underlying clone syscall is the same as verified with strace) and execvp.
1414385216 M * undefined and i can duplicate the problem: all capabilities are dropped, but it occurs not after the clone, but after the exec
1414385251 Q * hparker Remote host closed the connection
1414385300 J * hparker ~hparker@0000fb24.user.oftc.net
1414385378 M * undefined okay, it's intentional
1414385383 M * undefined https://lkml.org/lkml/2014/4/23/162
1414385402 M * undefined your effective set is cleared if your uid is not 0 in the user namespace
1414385452 M * undefined upon entering the user namespace our euid and egid are set to 65534
1414385476 M * undefined but we retain all our capabilities until we exec
1414385506 M * undefined after execing we lose all our capabilities and no vserver syscalls work (even get_version and get_vci)
1414385561 M * undefined but i think if we set up a uid and gid mapping for the user namespace, then it'll work because we can enter the user namespace as root (uid 0) and retain our permissions after the exec
1414387899 Q * zerick Read error: Connection reset by peer
1414391538 J * Ghislain ~aqueos@adsl1.aqueos.com
1414402595 M * undefined daniel_hozac: here's my CLONE_NEWUSER test application: http://paste.linux-vserver.org/269168
1414402728 M * undefined though, as the aforementioned lwn.net article says, it's better to create the uid/gid mappings from the parent outside the user namespace, than inside, due to limitations (can only set mapping for that specific user), but the alternative required more programming than i cared to do, and my app is sufficient for testing
1414405044 N * ensc Guest3221
1414405054 J * ensc ~irc-ensc@p54ADEB03.dip0.t-ipconnect.de
1414405462 Q * Guest3221 Ping timeout: 480 seconds
1414407997 N * Bertl_zZ Bertl
1414407999 M * Bertl morning folks!
1414408294 M * Ghislain hello
1414409708 Q * Aiken Remote host closed the connection
1414412403 Q * PowerKe Quit: brb
1414412518 J * PowerKe ~tom@d515270C2.access.telenet.be
1414414801 Q * fisted Remote host closed the connection
1414414818 J * fisted ~fisted@xdsl-81-173-191-94.netcologne.de
1414415827 Q * ard Ping timeout: 480 seconds
1414416009 J * BenG ~bengreen@5751ac80.skybroadband.com
1414418031 Q * BenG Read error: Operation timed out
1414418090 J * BenG ~bengreen@5751ac80.skybroadband.com
1414418415 Q * BenG Quit: I Leave
1414422453 Q * tsam Ping timeout: 480 seconds
1414422521 J * tsam ~Hubert@kim.theocrite.org
1414422559 J * ard ~ard@shell3.kwaak.net
1414428629 J * zerick ~eocrospom@190.187.21.53
1414429631 J * bonbons ~bonbons@2001:a18:22d:6e01:596f:27b6:b757:bc7a
1414431891 Q * zerick Ping timeout: 480 seconds
1414432526 M * daniel_hozac undefined: yes, util-vserver isn't prepared for user namespaces.
1414432546 M * daniel_hozac i don't think anyone has actually tested to see what all is required.
1414432786 J * zerick ~eocrospom@190.117.185.146
1414433033 M * DoberMann go mumble sc2
1414433039 M * DoberMann wrong chan :/
1414433440 M * Bertl happens
1414435180 Q * sannes Remote host closed the connection
1414436091 J * hlew ~hlew@173-164-198-18-SFBA.hfc.comcastbusiness.net
1414436131 J * sannes ~ace@cm-84.208.138.68.getinternet.no
1414436515 J * Aiken ~Aiken@d63f.h.jbmb.net
1414436548 Q * Ghislain Quit: Leaving.
1414436717 Q * sannes Remote host closed the connection
1414436730 J * sannes ~ace@cm-84.208.138.68.getinternet.no
1414436960 Q * sannes Remote host closed the connection
1414436972 J * sannes ~ace@cm-84.208.138.68.getinternet.no
1414441234 Q * zerick Remote host closed the connection
1414442761 M * Bertl off to bed now ... have a good one everyone!
1414442766 N * Bertl Bertl_zZ
1414445987 Q * bonbons Quit: Leaving
1414447258 J * zerick ~eocrospom@190.117.185.146
1414447426 M * hlew Hello, I have a question about linux-vserver rlimits. I know that rlimits is deprecated for use with kernels > 2.6. Has the rlimit functionality been removed in favor of cgroups or do both methods still work?
1414447572 M * daniel_hozac it depends on the specific limit.