Re: [Vserver] how to set capabilities in Debian

From: Wilhelm Meier <wilhelm.meier_at_fh-kl.de>
Date: Wed 27 Sep 2006 - 10:54:40 BST
Message-Id: <200609271154.40952.wilhelm.meier@fh-kl.de>

Am Dienstag, 26. September 2006 18:05 schrieb Herbert Poetzl:
> On Tue, Sep 26, 2006 at 11:50:57AM +0200, Wilhelm Meier wrote:
> > Am Dienstag, 26. September 2006 11:10 schrieb Jim Wight:
> > > On Sat, 2006-09-23 at 18:40 +0200, Herbert Poetzl wrote:
> > > > c) why would you want to add CAP_SYS_ADMIN to a guest?
> > >
> > > Taking 'you' in the sense of 'anyone', I would say for NFS.
> > >
> > > I don't want to hijack this thread, so can I refer you to one
> > > started by Wilhelm Meier on 13th Sep entitled 'How do I nfs-mount
> > > inside a vserver?', and which has gone quiet without being resolved.
> >
> > Thank you for reactivating!
>
> it was not forgot, it is on my todo list ...
>
> unfortunately I have no test systems available
> ATM to test an nfs setup, but I will try to
> recreate the setup with a QEMU network shortly
>
> > > I have never
> > > been able to get NFS to work without using CAP_SYS_ADMIN, even after
> > > upgrading to 2.6.17.11-vs2.0.2/0.30.210,
> >
> > Seems to be still impossible in dev-branch vs2.1.1 (BINARY_MOUNT
> > should do the job but doesn't)
>
> in general, the answers to the following questions
> could be very helpful:
>
> - what NFS version and tcp or udp?
> - what is the actual error you get?
> - tcpdump of the ongoing negotiation?
> - logs on both, client and filer with the
> appropriate sysctl debug options enabled
> sunrpc.nfsd_debug (filer)
> sunrpc.nfs_debug (client)
> sunrpc.rpc_debug (both)

O.k., here is the information:

On the NFS-Server (h242-meier):

H242-meier vserver.nfs # rpcinfo -p
   program vers proto port
    100000 2 tcp 111 portmapper
    100000 2 udp 111 portmapper
    100024 1 udp 33321 status
    100024 1 tcp 32804 status
    100011 1 udp 4003 rquotad
    100011 2 udp 4003 rquotad
    100011 1 tcp 4003 rquotad
    100011 2 tcp 4003 rquotad
    100003 2 udp 2049 nfs
    100003 3 udp 2049 nfs
    100003 4 udp 2049 nfs
    100003 2 tcp 2049 nfs
    100003 3 tcp 2049 nfs
    100003 4 tcp 2049 nfs
    100021 1 udp 33322 nlockmgr
    100021 3 udp 33322 nlockmgr
    100021 4 udp 33322 nlockmgr
    100021 1 tcp 32805 nlockmgr
    100021 3 tcp 32805 nlockmgr
    100021 4 tcp 32805 nlockmgr
    100005 1 udp 772 mountd
    100005 1 tcp 775 mountd
    100005 2 udp 772 mountd
    100005 2 tcp 775 mountd
    100005 3 udp 772 mountd
    100005 3 tcp 775 mountd
H242-meier vserver.nfs # sysctl -a | grep sun
error: "Operation not permitted" reading key "net.ipv4.route.flush"
sunrpc.tcp_slot_table_entries = 16
sunrpc.udp_slot_table_entries = 16
sunrpc.nlm_debug = 0
sunrpc.nfsd_debug = 1
sunrpc.nfs_debug = 0
sunrpc.rpc_debug = 1
H242-meier vserver.nfs #

Extracted from the log on the NFS server when the vs tries to mount:

Sep 27 11:46:42 H242-meier device vmnet1 entered promiscuous mode
Sep 27 11:46:58 H242-meier rpc.mountd: MNT3(/home) called
Sep 27 11:46:58 H242-meier rpc.mountd: authenticated mount request from
vs01:637 for /home (/home)
Sep 27 11:46:58 H242-meier rpc.mountd: MNT1(/home) called
Sep 27 11:46:58 H242-meier rpc.mountd: authenticated mount request from
vs01:641 for /home (/home)
Sep 27 11:47:07 H242-meier device vmnet1 left promiscuous mode

The tcpdump of the conversation is in the attached file.

The error inside the vs (vs01) is the following (note that mountd on the server logs the request as authenticated, so the refusal is raised on the guest side, by the mount() syscall itself; see the strace below):

vs01 / # mount 192.168.39.1:/home /home -o nolock,tcp
mount: permission denied
vs01 / #

The trace of this command:

vs01 / # strace mount 192.168.39.1:/home /home -o nolock,tcp
execve("/bin/mount",
["mount", "192.168.39.1:/home", "/home", "-o", "nolock,tcp"], [/* 26 vars
*/]) = 0
uname({sys="Linux", node="vs01", ...}) = 0
brk(0) = 0x8063000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or
directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=12117, ...}) = 0
mmap2(NULL, 12117, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7f76000
close(3) = 0
open("/lib/libblkid.so.1", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\0\35\0"..., 512) =
512
fstat64(3, {st_mode=S_IFREG|0755, st_size=28764, ...}) = 0
mmap2(NULL, 30740, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) =
0xb7f6e000
mmap2(0xb7f75000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|
MAP_DENYWRITE, 3, 0x6) = 0xb7f75000
close(3) = 0
open("/lib/libuuid.so.1", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\320\n\0"..., 512) =
512
fstat64(3, {st_mode=S_IFREG|0755, st_size=9600, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0xb7f6d000
mmap2(NULL, 11544, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) =
0xb7f6a000
mmap2(0xb7f6c000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|
MAP_DENYWRITE, 3, 0x1) = 0xb7f6c000
close(3) = 0
open("/lib/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\240T\1"..., 512) =
512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1220000, ...}) = 0
mmap2(NULL, 1158452, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) =
0xb7e4f000
mmap2(0xb7f64000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|
MAP_DENYWRITE, 3, 0x115) = 0xb7f64000
mmap2(0xb7f68000, 7476, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|
MAP_ANONYMOUS, -1, 0) = 0xb7f68000
close(3) = 0
mprotect(0xb7f64000, 4096, PROT_READ) = 0
mprotect(0xb7f8c000, 4096, PROT_READ) = 0
munmap(0xb7f76000, 12117) = 0
open("/dev/urandom", O_RDONLY) = 3
read(3, "\253\221&]", 4) = 4
close(3) = 0
brk(0) = 0x8063000
brk(0x8084000) = 0x8084000
open("/dev/null", O_RDWR|O_LARGEFILE) = 3
close(3) = 0
getuid32() = 0
geteuid32() = 0
getgid32() = 0
getegid32() = 0
prctl(0x3, 0x20, 0xbfa9e438, 0x5, 0xbfa9e5f4) = 1
open("/etc/blkid.tab", O_RDONLY) = -1 ENOENT (No such file or
directory)
getuid32() = 0
geteuid32() = 0
lstat64("/etc/mtab", {st_mode=S_IFREG|0644, st_size=298, ...}) = 0
stat64("192.168.39.1:/home", 0xbfa9e390) = -1 ENOENT (No such file or
directory)
stat64("/sbin/mount.nfs", 0xbfa9e280) = -1 ENOENT (No such file or
directory)
uname({sys="Linux", node="vs01", ...}) = 0
time(NULL) = 1159350230
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
getpid() = 11488
bind(3, {sa_family=AF_INET, sin_port=htons(640),
sin_addr=inet_addr("0.0.0.0")}, 16) = 0
connect(3, {sa_family=AF_INET, sin_port=htons(111),
sin_addr=inet_addr("192.168.39.1")}, 16) = 0
gettimeofday({1159350230, 520698}, NULL) = 0
write(3, "\200\0\0(0\316\275\314\0\0\0\0\0\0\0\2\0\1\206\240\0\0"..., 44) = 44
poll([{fd=3, events=POLLIN, revents=POLLIN}], 1, 60000) = 1
read(3, "\0\0\1\2140\316\275\314\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0"..., 500) =
500
poll([{fd=3, events=POLLIN, revents=POLLIN}], 1, 60000) = 1
read(3, "\0\0\0\2\0\0\0\6\0\0\3\7\0\0\0\1\0\1\206\245\0\0\0\3\0"..., 500) = 56
close(3) = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
bind(3, {sa_family=AF_INET, sin_port=htons(641),
sin_addr=inet_addr("0.0.0.0")}, 16) = 0
connect(3, {sa_family=AF_INET, sin_port=htons(775),
sin_addr=inet_addr("192.168.39.1")}, 16) = 0
uname({sys="Linux", node="vs01", ...}) = 0
geteuid32() = 0
getegid32() = 0
getgroups32(0, NULL) = 11
getgroups32(11, [0, 1, 2, 3, 4, 6, 10, 11, 20, 26, 27]) = 11
gettimeofday({1159350230, 534062}, NULL) = 0
write(3, "\200\0\0x@c\201\306\0\0\0\0\0\0\0\2\0\1\206\245\0\0\0\3"..., 124) =
124
poll([{fd=3, events=POLLIN, revents=POLLIN}], 1, 20000) = 1
read(3, "\200\0\0008@c\201\306\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 4000) =
60
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
bind(4, {sa_family=AF_INET, sin_port=htons(642),
sin_addr=inet_addr("0.0.0.0")}, 16) = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 5
bind(5, {sa_family=AF_INET, sin_port=htons(643),
sin_addr=inet_addr("0.0.0.0")}, 16) = 0
connect(5, {sa_family=AF_INET, sin_port=htons(111),
sin_addr=inet_addr("192.168.39.1")}, 16) = 0
write(5, "\200\0\0008&\357\246\230\0\0\0\0\0\0\0\2\0\1\206\240\0"..., 60) = 60
poll([{fd=5, events=POLLIN, revents=POLLIN}], 1, 60000) = 1
read(5, "\200\0\0\34&\357\246\230\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0"..., 400) = 32
close(5) = 0
uname({sys="Linux", node="vs01", ...}) = 0
close(3) = 0
close(3) = -1 EBADF (Bad file descriptor)
rt_sigprocmask(SIG_BLOCK, ~[TRAP SEGV], NULL, 8) = 0
mount("192.168.39.1:/home", "/home", "nfs", MS_MGC_VAL, "\4") = -1 EPERM
(Operation not permitted)
rt_sigprocmask(SIG_UNBLOCK, ~[TRAP SEGV], NULL, 8) = 0
time(NULL) = 1159350230
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
bind(3, {sa_family=AF_INET, sin_port=htons(644),
sin_addr=inet_addr("0.0.0.0")}, 16) = 0
connect(3, {sa_family=AF_INET, sin_port=htons(111),
sin_addr=inet_addr("192.168.39.1")}, 16) = 0
write(3, "\200\0\0(\36\375\36\7\0\0\0\0\0\0\0\2\0\1\206\240\0\0\0"..., 44) =
44
poll([{fd=3, events=POLLIN, revents=POLLIN}], 1, 60000) = 1
read(3, "\0\0\1\214\36\375\36\7\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0"..., 500) =
500
poll([{fd=3, events=POLLIN, revents=POLLIN}], 1, 60000) = 1
read(3, "\0\0\0\2\0\0\0\6\0\0\3\7\0\0\0\1\0\1\206\245\0\0\0\3\0"..., 500) = 56
close(3) = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
bind(3, {sa_family=AF_INET, sin_port=htons(645),
sin_addr=inet_addr("0.0.0.0")}, 16) = 0
connect(3, {sa_family=AF_INET, sin_port=htons(775),
sin_addr=inet_addr("192.168.39.1")}, 16) = 0
uname({sys="Linux", node="vs01", ...}) = 0
geteuid32() = 0
getegid32() = 0
getgroups32(0, NULL) = 11
getgroups32(11, [0, 1, 2, 3, 4, 6, 10, 11, 20, 26, 27]) = 11
gettimeofday({1159350230, 584829}, NULL) = 0
write(3, "\200\0\0xi\245\311\16\0\0\0\0\0\0\0\2\0\1\206\245\0\0\0"..., 124) =
124
poll([{fd=3, events=POLLIN, revents=POLLIN}], 1, 20000) = 1
read(3, "\200\0\0<i\245\311\16\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 4000) =
64
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 5
bind(5, {sa_family=AF_INET, sin_port=htons(646),
sin_addr=inet_addr("0.0.0.0")}, 16) = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 6
bind(6, {sa_family=AF_INET, sin_port=htons(647),
sin_addr=inet_addr("0.0.0.0")}, 16) = 0
connect(6, {sa_family=AF_INET, sin_port=htons(111),
sin_addr=inet_addr("192.168.39.1")}, 16) = 0
write(6, "\200\0\0008d\271\204X\0\0\0\0\0\0\0\2\0\1\206\240\0\0\0"..., 60) =
60
poll([{fd=6, events=POLLIN, revents=POLLIN}], 1, 60000) = 1
read(6, "\200\0\0\34d\271\204X\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 400) =
32
close(6) = 0
uname({sys="Linux", node="vs01", ...}) = 0
close(3) = 0
close(3) = -1 EBADF (Bad file descriptor)
rt_sigprocmask(SIG_BLOCK, ~[TRAP SEGV], NULL, 8) = 0
mount("192.168.39.1:/home", "/home", "nfs", MS_MGC_VAL, "\3") = -1 EPERM
(Operation not permitted)
rt_sigprocmask(SIG_UNBLOCK, ~[TRAP SEGV], NULL, 8) = 0
geteuid32() = 0
stat64("/home", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
write(2, "mount: permission denied\n", 25mount: permission denied
) = 25
exit_group(32) = ?
Process 11488 detached
vs01 / #

On the vserver host (gs) I get the following in the logs:

Sep 27 11:42:18 gs RPC: created transport ce916000 with 16 slots
Sep 27 11:42:18 gs RPC: xprt_create_proto created xprt ce916000
Sep 27 11:42:18 gs RPC: destroying transport ce916000
Sep 27 11:42:18 gs RPC: disconnected transport ce916000
Sep 27 11:42:18 gs nfs_create_client: cannot create RPC client. Error
= -829333504
Sep 27 11:42:18 gs RPC: created transport ce916000 with 16 slots
Sep 27 11:42:18 gs RPC: xprt_create_proto created xprt ce916000
Sep 27 11:42:18 gs RPC: destroying transport ce916000
Sep 27 11:42:18 gs RPC: disconnected transport ce916000
Sep 27 11:42:18 gs nfs_create_client: cannot create RPC client. Error
= -829333504
Sep 27 11:43:50 gs RPC: created transport ce916800 with 16 slots
Sep 27 11:43:50 gs RPC: xprt_create_proto created xprt ce916800
Sep 27 11:43:50 gs RPC: destroying transport ce916800
Sep 27 11:43:50 gs RPC: disconnected transport ce916800
Sep 27 11:43:50 gs nfs_create_client: cannot create RPC client. Error
= -829331456
Sep 27 11:43:50 gs RPC: created transport ce916800 with 16 slots
Sep 27 11:43:50 gs RPC: xprt_create_proto created xprt ce916800
Sep 27 11:43:50 gs RPC: destroying transport ce916800
Sep 27 11:43:50 gs RPC: disconnected transport ce916800
Sep 27 11:43:50 gs nfs_create_client: cannot create RPC client. Error
= -829331456
  
And here are the ccapabilities:

gs ~ # cd /etc/vservers/vs01/
gs vs01 # more ccapabilities
secure_mount
binary_mount
secure_remount

And the kernels:

The NFS-Server:

H242-meier vserver.nfs # uname -a
Linux H242-meier 2.6.14-gentoo-r5 #6 SMP PREEMPT Fri Apr 7 10:48:40 CEST 2006
i686 Intel(R) Pentium(R) M processor 1200MHz GNU/Linux
H242-meier vserver.nfs #

The VServer-host:
gs vs01 # uname -a
Linux gs 2.6.17-vs2.1.1-rc31-gentoo #3 SMP Fri Sep 15 12:06:37 CEST 2006 i686
Intel(R) Pentium(R) M processor 1200MHz GNU/Linux
gs vs01 #

O.k., that's it. If you need more, please contact me.

HTH,
Wilhelm

>
> TIA,
> Herbert
>
> > > and was on the point of raising the matter when that thread
> > > appeared. I too would like to know the circumstances under which NFS
> > > mounting can be achieved without resorting to CAP_SYS_ADMIN.
> > >
> > > Jim
>
> _______________________________________________
> Vserver mailing list
> Vserver@list.linux-vserver.org
> http://list.linux-vserver.org/mailman/listinfo/vserver

-- 
Wilhelm Meier
email: wilhelm.meier@fh-kl.de

_______________________________________________
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver

Received on Wed Sep 27 10:51:50 2006