On Mon, Mar 13, 2006 at 12:02:42PM +1000, Russell Kliese wrote:
> Herbert Poetzl wrote:
>
> >On Sun, Mar 12, 2006 at 12:26:43PM +1000, Russell Kliese wrote:
> >
> >
> >>>>$NICE is set to 10 in /etc/updatedb.conf, so -n ${NICE:-10} is the same
> >>>>as -n 0.
> >>>>
> >>>>
> >>>>
> >>>In a shell script? Doesn't ":-" set a default value if the variable is
> >>>not already set?
> >>>
> >>>
> >>Yes, my mistake. With $NICE being 10, the priority in this case would be
> >>incremented by 10 (i.e. lowered).
> >>
> >>Anyway, this is an aside. Even running nice without the -n option
> >>still causes problems.
> >>
> >>
> >
> >hmm, two things:
> >
> >a) could you strace -fF -o nice.trace the nice command as is?
> >
> >
> I ran strace with the following 2 commands:
>
> strace -fF -o /tmp/normal.trace su nobody
> strace -fF -o /tmp/nice.trace nice su nobody
>
> I then removed the first columns in the trace outputs (it just contains
> the PIDs?) and diffed the outputs:
>
> diff normal2.trace nice2.trace. I've attached the output (I snipped off
> stuff at the end of the normal2.trace that I didn't think was important).

good idea, but next time use -u (unified diff), because
that's usually simpler to read :)

> To me it looks like su tries to set the PRIO_PROCESS priority to 0 after
> nice has set the PRIO_PROCESS priority to 10, causing the permission
> denied error. Is this what su is supposed to do? If so, then using nice
> would have no benefit in the script it is being used in if su is going
> to set the priority back to 0 anyway.
>
> Have I interpreted this correctly?

yep, seems so. raising the nice value is currently
forbidden, but you can try the igneg_nice flag
(http://linux-vserver.org/Caps+and+Flags) which
might actually give the desired result ...

> >b) what does your ulimit -a show on the host and guest?
> >
> ulimit -a outputs the same on both the guest and host:
>
> core file size (blocks, -c) 0
> data seg size (kbytes, -d) unlimited
> file size (blocks, -f) unlimited
> max locked memory (kbytes, -l) unlimited
> max memory size (kbytes, -m) unlimited
> open files (-n) 1024
> pipe size (512 bytes, -p) 8
> stack size (kbytes, -s) 8192
> cpu time (seconds, -t) unlimited
> max user processes (-u) unlimited
> virtual memory (kbytes, -v) unlimited

there should be a max-nice values here too, but
most likely tools are behind kernel devel atm
and it isn't relevant in your case either ...

> Thanks for your help so far,

you're welcome!

best,
Herbert

> Regards,
>
> Russell
>
> >>>>>>>>>>>>Would enabling CAP_SYS_NICE help in this case even though a lower
> >>>>>>>>>>>>priority is being set? Or is there something else causing this
> >>>>>>>>>>>>problem?
>
>
> --
>
> <http://www.eminence.com.au/> Eminence Technology Pty Ltd
> PO Box 118, Moorooka QLD 4105
> Web: www.eminence.com.au <http://www.eminence.com.au/>
> Ph: +61-7-3277-4100
> Fax: +61-7-3105-7484
>
> 0a1,36
> > execve("/usr/bin/nice", ["nice", "su", "nobody"], [/* 16 vars */]) = 0
> > uname({sys="Linux", node="secure", ...}) = 0
> > brk(0) = 0x505000
> > mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2a9556a000
> > access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
> > open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory)
> > open("/etc/ld.so.cache", O_RDONLY) = 3
> > fstat(3, {st_mode=S_IFREG|0644, st_size=21397, ...}) = 0
> > mmap(NULL, 21397, PROT_READ, MAP_PRIVATE, 3, 0) = 0x2a9556b000
> > close(3) = 0
> > access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
> > open("/lib/libc.so.6", O_RDONLY) = 3
> > read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\340\324"..., 640) = 640
> > fstat(3, {st_mode=S_IFREG|0755, st_size=1295328, ...}) = 0
> > mmap(NULL, 2354760, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x2a9566c000
> > mprotect(0x2a9578e000, 1166920, PROT_NONE) = 0
> > mmap(0x2a9586c000, 241664, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x100000) = 0x2a9586c000
> > mmap(0x2a958a7000, 15944, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x2a958a7000
> > close(3) = 0
> > mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2a958ab000
> > arch_prctl(0x1002, 0x2a958ab640) = 0
> > munmap(0x2a9556b000, 21397) = 0
> > open("/usr/lib/locale/locale-archive", O_RDONLY) = 3
> > fstat(3, {st_mode=S_IFREG|0644, st_size=290512, ...}) = 0
> > mmap(NULL, 290512, PROT_READ, MAP_PRIVATE, 3, 0) = 0x2a9556b000
> > close(3) = 0
> > brk(0) = 0x505000
> > brk(0x526000) = 0x526000
> > brk(0) = 0x526000
> > getpriority(PRIO_PROCESS, 0) = 20
> > setpriority(PRIO_PROCESS, 0, 10) = 0
> > execve("/usr/local/sbin/su", ["su", "nobody"], [/* 16 vars */]) = -1 ENOENT (No such file or directory)
> > execve("/usr/local/bin/su", ["su", "nobody"], [/* 16 vars */]) = -1 ENOENT (No such file or directory)
> > execve("/usr/sbin/su", ["su", "nobody"], [/* 16 vars */]) = -1 ENOENT (No such file or directory)
> > execve("/usr/bin/su", ["su", "nobody"], [/* 16 vars */]) = -1 ENOENT (No such file or directory)
> > execve("/sbin/su", ["su", "nobody"], [/* 16 vars */]) = -1 ENOENT (No such file or directory)
> 299c335
> < getpid() = 6203
> ---
> > getpid() = 6216
> 304c340
> < sendto(3, "<86>Mar 13 11:36:35 su[6203]: + "..., 49, 0, NULL, 0) = 49
> ---
> > sendto(3, "<86>Mar 13 11:42:04 su[6216]: + "..., 49, 0, NULL, 0) = 49
> 354c390
> < getpid() = 6203
> ---
> > getpid() = 6216
> 356c392
> < sendto(3, "<38>Mar 13 11:36:35 su[6203]: (p"..., 86, 0, NULL, 0) = 86
> ---
> > sendto(3, "<38>Mar 13 11:42:04 su[6216]: (p"..., 86, 0, NULL, 0) = 86
> 396,400c432,442
> < setpriority(PRIO_PROCESS, 0, 0) = 0
> < setuid(65534) = 0
> < close(3) = 0
> < execve("/bin/sh", ["sh"], [/* 16 vars */]) = 0
> < =========== snip ==============
> ---
> > setpriority(PRIO_PROCESS, 0, 0) = -1 EACCES (Permission denied)
> > getpid() = 6216
> > rt_sigaction(SIGPIPE, {0x2a95a7b4f0, [], 0x4000000}, {SIG_DFL}, 8) = 0
> > sendto(3, "<83>Mar 13 11:42:04 su[6216]: pa"..., 66, 0, NULL, 0) = 66
> > rt_sigaction(SIGPIPE, {SIG_DFL}, NULL, 8) = 0
> > write(2, "su: Permission denied\n", 22) = 22
> > munmap(0x2a96122000, 1053392) = 0
> > munmap(0x2a96244000, 1146800) = 0
> > munmap(0x2a9635c000, 1062280) = 0
> > munmap(0x2a96466000, 1063096) = 0
> > exit_group(0x1, 0x1, 0x2a95be7530, 0x2a95be8e08, 0x2a95cef090 <unfinished ... exit status 1>
> _______________________________________________
> Vserver mailing list
> Vserver@list.linux-vserver.org
> http://list.linux-vserver.org/mailman/listinfo/vserver
Received on Mon Mar 13 05:42:16 2006
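
The sequence visible in the attached trace (nice raises the nice value to 10, then su requests 0 and gets EACCES) can be reproduced without su. The following is an added example, not code from this thread or from the linux-vserver project; the function names are this example's own, and it assumes mainline Linux rules, where lowering the nice value needs CAP_SYS_NICE or a sufficient RLIMIT_NICE (the "max-nice" limit mentioned above).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Lowest nice value RLIMIT_NICE permits without CAP_SYS_NICE: 20 - rlim_cur. */
int rlimit_nice_floor(void) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_NICE, &rl) != 0) return 20;
    if (rl.rlim_cur == RLIM_INFINITY || rl.rlim_cur > 40) return -20;
    return 20 - (int)rl.rlim_cur;
}

/* In a child process: add `raise` to the nice value (what nice(1) does), then
 * request nice value `target` (what su did in the trace). Returns 0 on success,
 * the errno of the second setpriority() on failure, -1 if the child failed. */
int raise_then_set(int raise, int target) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        errno = 0;  /* libc getpriority() returns the nice value; -1 is legal */
        int cur = getpriority(PRIO_PROCESS, 0);
        if (errno != 0 || setpriority(PRIO_PROCESS, 0, cur + raise) != 0)
            _exit(255);
        _exit(setpriority(PRIO_PROCESS, 0, target) == 0 ? 0 : errno);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 255 ? -1 : WEXITSTATUS(status);
}

int main(void) {
    int lowest = rlimit_nice_floor();
    int rc = raise_then_set(10, 0);
    printf("RLIMIT_NICE allows nice values down to %d\n", lowest);
    if (rc == 0)
        puts("setpriority(PRIO_PROCESS, 0, 0) after nice +10: ok");
    else if (rc > 0)
        printf("setpriority(PRIO_PROCESS, 0, 0) after nice +10: %s\n",
               strerror(rc));
    else
        puts("child did not run");
    return rc == 0 ? 0 : 1;
}
```

In the trace, `getpriority(PRIO_PROCESS, 0) = 20` is the raw syscall return value, which is 20 minus the nice value, so it corresponds to nice 0.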