Re: Fw:Re: [Vserver] ACL on guest

From: Herbert Poetzl <herbert_at_13thfloor.at>
Date: Mon 05 Feb 2007 - 05:05:43 GMT
Message-ID: <20070205050543.GD12992@MAIL.13thfloor.at>

On Sat, Feb 03, 2007 at 09:17:21PM +0100, Jean-Michel Caricand wrote:
> > On Sat, 3 Feb 2007 13:57:53 +0100
> > "Jean-Michel Caricand" <jean-michel.caricand@laposte.net> wrote:
> >
> > > I use this path and this kernel : vs2.0.2.1, 2.6.17.13
> > >
> > > On my guest (lifc-svnlmd):
> > > -------------------------
> > >
> > > lifc-svnlmd:/# mount
> > > /dev/hdv1 on / type ufs (defaults)
> > > none on /proc type proc (0)
> > > none on /tmp type tmpfs (size=16m,mode=1777)
> > > none on /dev/pts type devpts (gid=5,mode=620)
> > > lifc-svnlmd:/#
> > >
> > > lifc-svnlmd:/# cat /proc/mounts
> > > rootfs / rootfs rw 0 0
> > > /dev/root / ext3 rw,data=ordered 0 0
> > > none /proc proc rw,nodiratime 0 0
> > > none /tmp tmpfs rw,nodev 0 0
> > > none /dev/pts devpts rw 0 0
> > > lifc-svnlmd:/#
> > >
> > > lifc-svnlmd:/# export LC_ALL=C LANG=C
> > > lifc-svnlmd:/# touch /tmp/toto; setfacl -m u:root:rxw /tmp/toto
> > > setfacl: /tmp/toto: Operation not supported
> > > lifc-svnlmd:/#
> > >
> > > Apparently, I can't use ACL in my guest. I am surprised
> > > because I can use ACL on the host (the root filesystem for the
> > > guest is mounted with ACL support on the host).
> > >
> > > On my host (lifcsys3):
> > > ---------------------
> > >
> > > lifcsys3:~# mount
> > > /dev/hda3 on / type ext3 (rw,errors=remount-ro)
> > > proc on /proc type proc (rw)
> > > sysfs on /sys type sysfs (rw)
> > > devpts on /dev/pts type devpts (rw,gid=5,mode=620)
> > > tmpfs on /dev/shm type tmpfs (rw)
> > > /dev/hda2 on /boot type ext3 (rw)
> > > /dev/mapper/host-usr on /usr type ext3 (rw)
> > > /dev/mapper/host-var on /var type ext3 (rw)
> > > /dev/mapper/host-lifc--webmail on /var/lib/vservers/lifc-webmail type ext3 (rw)
> > > /dev/mapper/host-lifc--glpi on /var/lib/vservers/lifc-glpi type ext3 (rw)
> > > /dev/mapper/host-lifc--darkvador on /var/lib/vservers/lifc-darkvador type ext3 (rw)
> > > usbfs on /proc/bus/usb type usbfs (rw)
> > > /dev/mapper/host-lifc--svnlmd on /var/lib/vservers/lifc-svnlmd type ext3 (rw,acl)
> > > lifcsys3:~#
> > >
> > > lifcsys3:~# cat /proc/mounts
> > > rootfs / rootfs rw 0 0
> > > /dev2/root2 / ext3 rw,data=ordered 0 0
> > > proc /proc proc rw,nodiratime 0 0
> > > sysfs /sys sysfs rw 0 0
> > > devpts /dev/pts devpts rw 0 0
> > > tmpfs /dev/shm tmpfs rw 0 0
> > > /dev/hda2 /boot ext3 rw,data=ordered 0 0
> > > /dev/mapper/host-usr /usr ext3 rw,data=ordered 0 0
> > > /dev/mapper/host-var /var ext3 rw,data=ordered 0 0
> > > /dev/host/lifc-webmail /var/lib/vservers/lifc-webmail ext3 rw,data=ordered 0 0
> > > /dev/host/lifc-glpi /var/lib/vservers/lifc-glpi ext3 rw,data=ordered 0 0
> > > /dev/host/lifc-darkvador /var/lib/vservers/lifc-darkvador ext3 rw,data=ordered 0 0
> > > usbfs /proc/bus/usb usbfs rw 0 0
> > > /dev/host/lifc-svnlmd /var/lib/vservers/lifc-svnlmd ext3 rw,data=ordered 0 0
> > > lifcsys3:~#
> > >
> > > lifcsys3:~# setfacl -m u:testuser:rwx
> > > /var/lib/vservers/lifc-svnlmd/tmp/toto
> > > lifcsys3:~# getfacl /var/lib/vservers/lifc-svnlmd/tmp/toto
> > > getfacl: Removing leading '/' from absolute path names
> > > # file: var/lib/vservers/lifc-svnlmd/tmp/toto
> > > # owner: root
> > > # group: root
> > > user::rw-
> > > user:testuser:rwx
> > > group::r--
> > > mask::rwx
> > > other::r--
> > >
> > > lifcsys3:~#
> > >
> > > If it's possible to use ACL in a guest, where is my error?
> >
> > the difference is due to namespaces.
> >
> > when you write to /var/lib/vservers/lifc-svnlmd/tmp/ from context 0,
> > you are writing to the device /dev/host/lifc-svnlmd.
> >
> > when you write to /tmp from the context of the guest, you are writing
> > to the tmpfs.
> >
> > the tmpfs was mounted from the context of the guest, so context 0 (the
> > "host" or any other context) cannot see the mounted filesystem.
> > instead, the host is writing to the original filesystem, not the
> > mounted filesystem, as it cannot see it.
> >
> > but of course since the tmpfs filesystem is mounted within the context
> > of the guest, the guest can see and write to it. but the tmpfs was not
> > mounted with ACL support (if tmpfs even supports ACLs), so the guest
> > cannot use ACLs on the tmpfs, ie /tmp. try using ACLs somewhere else
> > within the guest and it should work.
> >
> > to better illustrate the point, do this:
> >
> > host# vserver guest start
> > host# vserver guest enter
> > guest# mkdir /tmp/foo
> > guest# touch /tmp/foo/bar
> > guest# vserver guest exit
> > host# ls -al /var/lib/vservers/guest/tmp/
> > host# touch /var/lib/vservers/guest/tmp/foo/bar
> >
> > the last command should generate an error for obvious reasons (after
> > you analyze the output of "ls -al" for the tmp directory and realize
> > the "foo" directory you created within the guest is not there, or at
> > least not visible/accessible from the host).
> >
> > this is no different than on a non-vserver host creating files within
> > a directory that serves as a mountpoint, then mounting a filesystem at
> > that mountpoint. the files you created within the directory are still
> > there (under the newly mounted filesystem), but you cannot see them.
> > as soon as you unmount the filesystem, you will again see the files
> > within the mountpoint directory. the only difference is with vserver
> > both the mountpoint directory and the newly mounted filesystem are
> > accessible at the same time, just within different namespaces/contexts
> > (host and guest).
> >
> > it's all about different namespaces. (and it really gets ugly when you
> > have to create an lvm snapshot within the context of the host, but
> > mount it within the context of several running guests, because you
> > have to separately mount it within every guest's namespace; see the
> > "vnamespace" command.)
> >
> > hope that helps clear things up.
> >
> > btw, i hate that useless default 16 MB tmpfs mount within the guests
> > and removing it from /etc/vservers/guest/fstab is one of the first
> > things i do upon creating a new guest. is there some way to override
> > the default (ie is there a default fstab somewhere; yeah, i know, i'm
> > lazy ;-).
> >
> > corey
> > --
> > undefined@pobox.com
> > _______________________________________________
> > Vserver mailing list
> > Vserver@list.linux-vserver.org
> > http://list.linux-vserver.org/mailman/listinfo/vserver
> >
>
> Hi corey,
>
> Your explanation is very clear. I made a mistake when I chose the
> /tmp directory to test setfacl!
>
> As you said, setfacl works fine on another directory (I tested
> on /opt in my guest).

enabling ACLs (kernel config) for TMPFS will also
allow those on /tmp, given that your kernel
is recent enough to _have_ that option :)

> Thanks again for the long explanation.
>
> Jean-Michel Caricand
> mail : jean-michel.caricand@laposte.net

please try to fix your mailer and posting style
when you're at it, with regard to ...

 - bottom/top posting
 - referenced mail IDs on replies

TIA,
Herbert

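The thread's confusion comes from resolving one path against two different mount tables: inside the guest, /tmp/toto lands on the tmpfs mounted over /tmp, while from the host the same directory is reached through /var/lib/vservers/lifc-svnlmd on ext3. The script below is an added example (not part of this thread, not a util-vserver tool) that performs that resolution the way the kernel does, longest mount point wins and a later mount on the same point shadows an earlier one, and reports whether the covering mount lists the acl option. The mount tables are copied from the listings above and are constructed input for the script; the function names are this example's own. It also parses mount(8) output, because on the host in this thread /proc/mounts does not show acl for the svnlmd volume while mount (reading /etc/mtab) does, so a check against /proc/mounts alone is not conclusive on a kernel of that era. The tmpfs kernel option Herbert alludes to is not named on the page; on later kernels it is CONFIG_TMPFS_POSIX_ACL.

```python
"""Which mount does a path land on, and does that mount list the acl option?

Added example for the linux-vserver ACL thread. The sample mount tables
are copied from the thread's listings and are constructed test input.
"""
import re
from typing import List, NamedTuple, Optional


class MountEntry(NamedTuple):
    device: str
    mountpoint: str
    fstype: str
    options: frozenset


def parse_proc_mounts(text: str) -> List[MountEntry]:
    """Parse /proc/mounts lines: device mountpoint fstype options dump pass."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) < 4:
            raise ValueError("malformed /proc/mounts line: %r" % line)
        device, mountpoint, fstype, opts = fields[:4]
        entries.append(MountEntry(device, mountpoint, fstype,
                                  frozenset(opts.split(","))))
    return entries


_MOUNT_LINE = re.compile(r"^(\S+) on (\S+) type (\S+) \((.*)\)$")


def parse_mount_output(text: str) -> List[MountEntry]:
    """Parse mount(8) output: 'device on mountpoint type fstype (options)'."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _MOUNT_LINE.match(line)
        if m is None:
            raise ValueError("malformed mount output line: %r" % line)
        device, mountpoint, fstype, opts = m.groups()
        entries.append(MountEntry(device, mountpoint, fstype,
                                  frozenset(opts.split(","))))
    return entries


def resolve_mount(path: str, entries: List[MountEntry]) -> MountEntry:
    """Return the entry whose mount point most specifically covers path."""
    best: Optional[MountEntry] = None
    for entry in entries:
        mp = entry.mountpoint
        covers = path == mp or path.startswith(mp.rstrip("/") + "/")
        # '>=' so a later mount on the same point shadows an earlier one,
        # e.g. /dev/root stacked over rootfs on '/'.
        if covers and (best is None or len(mp) >= len(best.mountpoint)):
            best = entry
    if best is None:
        raise LookupError("no mount covers %r" % path)
    return best


def acl_option_present(path: str, entries: List[MountEntry]) -> bool:
    """True if the mount covering path lists 'acl' among its options."""
    return "acl" in resolve_mount(path, entries).options


# Constructed samples, copied from the thread's listings.
GUEST_PROC_MOUNTS = """\
rootfs / rootfs rw 0 0
/dev/root / ext3 rw,data=ordered 0 0
none /proc proc rw,nodiratime 0 0
none /tmp tmpfs rw,nodev 0 0
none /dev/pts devpts rw 0 0
"""

HOST_PROC_MOUNTS = """\
rootfs / rootfs rw 0 0
/dev2/root2 / ext3 rw,data=ordered 0 0
/dev/mapper/host-var /var ext3 rw,data=ordered 0 0
/dev/host/lifc-svnlmd /var/lib/vservers/lifc-svnlmd ext3 rw,data=ordered 0 0
"""

HOST_MOUNT_OUTPUT = """\
/dev/hda3 on / type ext3 (rw,errors=remount-ro)
/dev/mapper/host-var on /var type ext3 (rw)
/dev/mapper/host-lifc--svnlmd on /var/lib/vservers/lifc-svnlmd type ext3 (rw,acl)
"""

if __name__ == "__main__":
    guest = parse_proc_mounts(GUEST_PROC_MOUNTS)
    host = parse_proc_mounts(HOST_PROC_MOUNTS)
    host_mtab = parse_mount_output(HOST_MOUNT_OUTPUT)
    for label, path, table in (
        ("guest /proc/mounts", "/tmp/toto", guest),
        ("guest /proc/mounts", "/opt/toto", guest),
        ("host  /proc/mounts", "/var/lib/vservers/lifc-svnlmd/tmp/toto", host),
        ("host  mount(8)     ", "/var/lib/vservers/lifc-svnlmd/tmp/toto", host_mtab),
    ):
        e = resolve_mount(path, table)
        print("%s: %s -> %s (%s) acl=%s"
              % (label, path, e.device, e.fstype, "acl" in e.options))
```

Run as a script it prints where each path lands in each view; the same path checked from the host and from the guest resolves to different devices, which is exactly the namespace split Corey describes. Reading a live system is a matter of passing `open("/proc/mounts").read()` to `parse_proc_mounts`, inside the guest and on the host respectively.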
Received on Mon Feb 5 05:43:58 2007

Generated on Mon 05 Feb 2007 - 05:44:49 GMT by hypermail 2.1.8