Re: Fw:Re: [Vserver] ACL on guest

From: Corey Wright <undefined_at_pobox.com>
Date: Sat 03 Feb 2007 - 16:13:32 GMT
Message-Id: <20070203101332.b00bf201.undefined@pobox.com>

On Sat, 3 Feb 2007 13:57:53 +0100
"Jean-Michel Caricand" <jean-michel.caricand@laposte.net> wrote:

> I use this path and this kernel : vs2.0.2.1, 2.6.17.13
>
> On my guest (lifc-svnlmd) :
> -------------------------
>
> lifc-svnlmd:/# mount
> /dev/hdv1 on / type ufs (defaults)
> none on /proc type proc (0)
> none on /tmp type tmpfs (size=16m,mode=1777)
> none on /dev/pts type devpts (gid=5,mode=620)
> lifc-svnlmd:/#
>
> lifc-svnlmd:/# cat /proc/mounts
> rootfs / rootfs rw 0 0
> /dev/root / ext3 rw,data=ordered 0 0
> none /proc proc rw,nodiratime 0 0
> none /tmp tmpfs rw,nodev 0 0
> none /dev/pts devpts rw 0 0
> lifc-svnlmd:/#
>
> lifc-svnlmd:/# export LC_ALL=C LANG=C
> lifc-svnlmd:/# touch /tmp/toto; setfacl -m u:root:rxw /tmp/toto
> setfacl: /tmp/toto: Operation not supported
> lifc-svnlmd:/#
>
> Apparently, I can't use ACL in my guest. I am surprised
> because I can use ACL on the host (the root filesystem for the
> guest is mounted with ACL support on the host).
>
> On my host (lifcsys3) :
> ---------------------
>
> lifcsys3:~# mount
> /dev/hda3 on / type ext3 (rw,errors=remount-ro)
> proc on /proc type proc (rw)
> sysfs on /sys type sysfs (rw)
> devpts on /dev/pts type devpts (rw,gid=5,mode=620)
> tmpfs on /dev/shm type tmpfs (rw)
> /dev/hda2 on /boot type ext3 (rw)
> /dev/mapper/host-usr on /usr type ext3 (rw)
> /dev/mapper/host-var on /var type ext3 (rw)
> /dev/mapper/host-lifc--webmail on
> /var/lib/vservers/lifc-webmail type ext3 (rw)
> /dev/mapper/host-lifc--glpi on /var/lib/vservers/lifc-glpi
> type ext3 (rw)
> /dev/mapper/host-lifc--darkvador on
> /var/lib/vservers/lifc-darkvador type ext3 (rw)
> usbfs on /proc/bus/usb type usbfs (rw)
> /dev/mapper/host-lifc--svnlmd on /var/lib/vservers/lifc-svnlmd
> type ext3 (rw,acl)
> lifcsys3:~#
>
> lifcsys3:~# cat /proc/mounts
> rootfs / rootfs rw 0 0
> /dev2/root2 / ext3 rw,data=ordered 0 0
> proc /proc proc rw,nodiratime 0 0
> sysfs /sys sysfs rw 0 0
> devpts /dev/pts devpts rw 0 0
> tmpfs /dev/shm tmpfs rw 0 0
> /dev/hda2 /boot ext3 rw,data=ordered 0 0
> /dev/mapper/host-usr /usr ext3 rw,data=ordered 0 0
> /dev/mapper/host-var /var ext3 rw,data=ordered 0 0
> /dev/host/lifc-webmail /var/lib/vservers/lifc-webmail ext3
> rw,data=ordered 0 0
> /dev/host/lifc-glpi /var/lib/vservers/lifc-glpi ext3
> rw,data=ordered 0 0
> /dev/host/lifc-darkvador /var/lib/vservers/lifc-darkvador ext3
> rw,data=ordered 0 0
> usbfs /proc/bus/usb usbfs rw 0 0
> /dev/host/lifc-svnlmd /var/lib/vservers/lifc-svnlmd ext3
> rw,data=ordered 0 0
> lifcsys3:~#
>
> lifcsys3:~# setfacl -m u:testuser:rwx
> /var/lib/vservers/lifc-svnlmd/tmp/toto
> lifcsys3:~# getfacl /var/lib/vservers/lifc-svnlmd/tmp/toto
> getfacl: Removing leading '/' from absolute path names
> # file: var/lib/vservers/lifc-svnlmd/tmp/toto
> # owner: root
> # group: root
> user::rw-
> user:testuser:rwx
> group::r--
> mask::rwx
> other::r--
>
> lifcsys3:~#
>
> If it's possible to use ACL in a guest, where is my error ?

the difference is due to namespaces.

when you write to /var/lib/vservers/lifc-svnlmd/tmp/ from context 0, you
are writing to the device /dev/host/lifc-svnlmd.

when you write to /tmp from the context of the guest, you are writing to
the tmpfs.

the tmpfs was mounted from the context of the guest, so context 0 (the
"host" or any other context) cannot see the mounted filesystem. instead,
the host is writing to the original filesystem, not the mounted filesystem
as it cannot see it.

but of course since the tmpfs filesystem is mounted within the context of
the guest, the guest can see and write to it. but the tmpfs was not
mounted with ACL support (if tmpfs even supports ACLs), so the guest cannot
use ACLs on the tmpfs, i.e. /tmp. try using ACLs somewhere else within
the guest and it should work.

to better illustrate the point, do this:

host# vserver guest start
host# vserver guest enter
guest# mkdir /tmp/foo
guest# touch /tmp/foo/bar
guest# vserver guest exit
host# ls -al /var/lib/vservers/guest/tmp/
host# touch /var/lib/vservers/guest/tmp/foo/bar

the last command should generate an error for obvious reasons (after you
analyze the output of "ls -al" for the tmp directory and realize the "foo"
directory you created within the guest is not there, or at least not
visible/accessible from the host).

this is no different than on a non-vserver host creating files within a
directory that serves as a mountpoint, then mounting a filesystem at that
mountpoint. the files you created within the directory are still there
(under the newly mounted filesystem), but you cannot see them. as soon as
you unmount the filesystem, you will again see the files within the
mountpoint directory. the only difference is with vserver both the
mountpoint directory and the newly mounted filesystem are accessible at the
same time, just within different namespaces/contexts (host and guest).

it's all about different namespaces. (and it really gets ugly when you
have to create an lvm snapshot within the context of the host, but mount it
within the context of several running guests, because you have to
separately mount it within every guest's namespace; see the "vnamespace"
command.)

hope that helps clear things up.

btw, i hate that useless default 16 MB tmpfs mount within the guests and
removing it from /etc/vservers/guest/fstab is one of the first things i do
upon creating a new guest. is there some way to override the default (i.e.
is there a default fstab somewhere; yeah, i know, i'm lazy ;-).

corey

-- 
undefined@pobox.com
_______________________________________________
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
Received on Sat Feb 3 17:09:29 2007
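The explanation above comes down to one lookup: which entry in the mount table is the longest prefix of the path you are touching, and that table differs per namespace. The following script is an added example (not code from the thread or from the Linux-VServer project) that performs that longest-prefix resolution over /proc/mounts-style lines. Its input is the guest and host /proc/mounts listings quoted in the thread, with the mail-wrapped lines rejoined; the function names (parse_proc_mounts, resolve_mount, acl_option_visible, describe) are this example's own. Run on a live system you would feed it the contents of /proc/mounts from inside each context instead of the embedded constants.

```python
"""Resolve a path to the mount entry that serves it, the way the kernel's
path lookup does: longest matching mountpoint wins, later mounts on the
same mountpoint shadow earlier ones.  Added example; the two listings are
the guest (lifc-svnlmd) and host (lifcsys3) /proc/mounts from the thread."""
import posixpath
import re

# Constructed input: /proc/mounts as seen inside the guest's namespace.
GUEST_PROC_MOUNTS = """\
rootfs / rootfs rw 0 0
/dev/root / ext3 rw,data=ordered 0 0
none /proc proc rw,nodiratime 0 0
none /tmp tmpfs rw,nodev 0 0
none /dev/pts devpts rw 0 0
"""

# Constructed input: /proc/mounts as seen from the host (context 0).
# Note that the guest's tmpfs on /tmp is absent here.
HOST_PROC_MOUNTS = """\
rootfs / rootfs rw 0 0
/dev2/root2 / ext3 rw,data=ordered 0 0
proc /proc proc rw,nodiratime 0 0
sysfs /sys sysfs rw 0 0
devpts /dev/pts devpts rw 0 0
tmpfs /dev/shm tmpfs rw 0 0
/dev/hda2 /boot ext3 rw,data=ordered 0 0
/dev/mapper/host-usr /usr ext3 rw,data=ordered 0 0
/dev/mapper/host-var /var ext3 rw,data=ordered 0 0
/dev/host/lifc-webmail /var/lib/vservers/lifc-webmail ext3 rw,data=ordered 0 0
/dev/host/lifc-glpi /var/lib/vservers/lifc-glpi ext3 rw,data=ordered 0 0
/dev/host/lifc-darkvador /var/lib/vservers/lifc-darkvador ext3 rw,data=ordered 0 0
usbfs /proc/bus/usb usbfs rw 0 0
/dev/host/lifc-svnlmd /var/lib/vservers/lifc-svnlmd ext3 rw,data=ordered 0 0
"""

_OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")


def _unescape(field):
    """/proc/mounts writes space, tab, newline and backslash as \\040 etc."""
    return _OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), field)


def parse_proc_mounts(text):
    """Return (source, target, fstype, options) tuples in mount order."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or truncated line
        source, target, fstype, opts = fields[:4]
        entries.append((_unescape(source), _unescape(target), fstype,
                        frozenset(opts.split(","))))
    return entries


def resolve_mount(entries, path):
    """Entry whose mountpoint is the longest prefix of path.  Ties go to the
    later entry: /proc/mounts is in mount order, so a later mount on the
    same mountpoint sits on top of (and hides) an earlier one."""
    path = posixpath.normpath(path)
    best = None
    for entry in entries:
        target = entry[1]
        covers = (path == target or target == "/"
                  or path.startswith(target.rstrip("/") + "/"))
        if covers and (best is None or len(target) >= len(best[1])):
            best = entry
    return best


def acl_option_visible(entry):
    """True when 'acl' is listed in the mount options.  Caveat: a filesystem
    can have ACLs enabled without listing the option (the host's ext3 in the
    thread shows 'acl' in `mount` output but not in /proc/mounts), so False
    means 'not proven here', not 'unsupported'."""
    return "acl" in entry[3]


def describe(namespace, text, path):
    """One-line report of where a path lands in the given namespace."""
    src, tgt, fstype, opts = resolve_mount(parse_proc_mounts(text), path)
    return (f"{namespace}: {path} -> {src} on {tgt} ({fstype}, "
            f"{','.join(sorted(opts))}; acl option visible: "
            f"{acl_option_visible((src, tgt, fstype, opts))})")


if __name__ == "__main__":
    # Same directory, two answers: the guest sees a tmpfs, the host sees the
    # ext3 volume underneath it, because the tmpfs exists only in the guest's
    # namespace.  That is why setfacl succeeds on one side and fails on the other.
    print(describe("guest", GUEST_PROC_MOUNTS, "/tmp/toto"))
    print(describe("host", HOST_PROC_MOUNTS,
                   "/var/lib/vservers/lifc-svnlmd/tmp/toto"))
```

The prefix test uses the mountpoint with a trailing slash appended, so /var/lib/vserversX is served by /var and not by any of the /var/lib/vservers/* volumes, and an exact match of the mountpoint itself still resolves to the mount. The same lookup run against each context's own /proc/mounts is the quickest way to confirm which filesystem a setfacl call will actually hit before blaming the filesystem for "Operation not supported".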