Re: Fw:Re: [Vserver] ACL on guest

From: Jean-Michel Caricand <jean-michel.caricand_at_laposte.net>
Date: Sat 03 Feb 2007 - 20:17:21 GMT
Message-Id: <JCWLOX$ED391FA4ADF34FEF80806EF4BB71AAB1@laposte.net>

> On Sat, 3 Feb 2007 13:57:53 +0100
> "Jean-Michel Caricand" <jean-michel.caricand@laposte.net> wrote:
>
> > I use this patch and this kernel: vs2.0.2.1, 2.6.17.13
> >
> > On my guest (lifc-svnlmd):
> > -------------------------
> >
> > lifc-svnlmd:/# mount
> > /dev/hdv1 on / type ufs (defaults)
> > none on /proc type proc (0)
> > none on /tmp type tmpfs (size=16m,mode=1777)
> > none on /dev/pts type devpts (gid=5,mode=620)
> > lifc-svnlmd:/#
> >
> > lifc-svnlmd:/# cat /proc/mounts
> > rootfs / rootfs rw 0 0
> > /dev/root / ext3 rw,data=ordered 0 0
> > none /proc proc rw,nodiratime 0 0
> > none /tmp tmpfs rw,nodev 0 0
> > none /dev/pts devpts rw 0 0
> > lifc-svnlmd:/#
> >
> > lifc-svnlmd:/# export LC_ALL=C LANG=C
> > lifc-svnlmd:/# touch /tmp/toto; setfacl -m u:root:rxw /tmp/toto
> > setfacl: /tmp/toto: Operation not supported
> > lifc-svnlmd:/#
> >
> > Apparently, I can't use ACL in my guest. I am surprised
> > because I can use ACL on the host (the root filesystem for the
> > guest is mounted with ACL support on the host).
> >
> > On my host (lifcsys3):
> > ---------------------
> >
> > lifcsys3:~# mount
> > /dev/hda3 on / type ext3 (rw,errors=remount-ro)
> > proc on /proc type proc (rw)
> > sysfs on /sys type sysfs (rw)
> > devpts on /dev/pts type devpts (rw,gid=5,mode=620)
> > tmpfs on /dev/shm type tmpfs (rw)
> > /dev/hda2 on /boot type ext3 (rw)
> > /dev/mapper/host-usr on /usr type ext3 (rw)
> > /dev/mapper/host-var on /var type ext3 (rw)
> > /dev/mapper/host-lifc--webmail on
> > /var/lib/vservers/lifc-webmail type ext3 (rw)
> > /dev/mapper/host-lifc--glpi on /var/lib/vservers/lifc-glpi
> > type ext3 (rw)
> > /dev/mapper/host-lifc--darkvador on
> > /var/lib/vservers/lifc-darkvador type ext3 (rw)
> > usbfs on /proc/bus/usb type usbfs (rw)
> > /dev/mapper/host-lifc--svnlmd on /var/lib/vservers/lifc-svnlmd
> > type ext3 (rw,acl)
> > lifcsys3:~#
> >
> > lifcsys3:~# cat /proc/mounts
> > rootfs / rootfs rw 0 0
> > /dev2/root2 / ext3 rw,data=ordered 0 0
> > proc /proc proc rw,nodiratime 0 0
> > sysfs /sys sysfs rw 0 0
> > devpts /dev/pts devpts rw 0 0
> > tmpfs /dev/shm tmpfs rw 0 0
> > /dev/hda2 /boot ext3 rw,data=ordered 0 0
> > /dev/mapper/host-usr /usr ext3 rw,data=ordered 0 0
> > /dev/mapper/host-var /var ext3 rw,data=ordered 0 0
> > /dev/host/lifc-webmail /var/lib/vservers/lifc-webmail ext3
> > rw,data=ordered 0 0
> > /dev/host/lifc-glpi /var/lib/vservers/lifc-glpi ext3
> > rw,data=ordered 0 0
> > /dev/host/lifc-darkvador /var/lib/vservers/lifc-darkvador ext3
> > rw,data=ordered 0 0
> > usbfs /proc/bus/usb usbfs rw 0 0
> > /dev/host/lifc-svnlmd /var/lib/vservers/lifc-svnlmd ext3
> > rw,data=ordered 0 0
> > lifcsys3:~#
> >
> > lifcsys3:~# setfacl -m u:testuser:rwx
> > /var/lib/vservers/lifc-svnlmd/tmp/toto
> > lifcsys3:~# getfacl /var/lib/vservers/lifc-svnlmd/tmp/toto
> > getfacl: Removing leading '/' from absolute path names
> > # file: var/lib/vservers/lifc-svnlmd/tmp/toto
> > # owner: root
> > # group: root
> > user::rw-
> > user:testuser:rwx
> > group::r--
> > mask::rwx
> > other::r--
> >
> > lifcsys3:~#
> >
> > If it's possible to use ACL in a guest, where is my error?
>
> the difference is due to namespaces.
>
> when you write to /var/lib/vservers/lifc-svnlmd/tmp/ from context 0, you
> are writing to the device /dev/host/lifc-svnlmd.
>
> when you write to /tmp from the context of the guest, you are writing to
> the tmpfs.
>
> the tmpfs was mounted from the context of the guest, so context 0 (the
> "host" or any other context) cannot see the mounted filesystem. instead,
> the host is writing to the original filesystem, not the mounted filesystem,
> as it cannot see it.
>
> but of course since the tmpfs filesystem is mounted within the context of
> the guest, the guest can see and write to it. but the tmpfs was not
> mounted with ACL support (if tmpfs even supports ACLs), so the guest cannot
> use ACLs on the tmpfs, ie /tmp. try using ACLs somewhere else within
> the guest and it should work.
>
> to better illustrate the point, do this:
>
> host# vserver guest start
> host# vserver guest enter
> guest# mkdir /tmp/foo
> guest# touch /tmp/foo/bar
> guest# vserver guest exit
> host# ls -al /var/lib/vservers/guest/tmp/
> host# touch /var/lib/vservers/guest/tmp/foo/bar
>
> the last command should generate an error for obvious reasons (after you
> analyze the output of "ls -al" for the tmp directory and realize the "foo"
> directory you created within the guest is not there, or at least not
> visible/accessible from the host).
>
> this is no different than on a non-vserver host creating files within a
> directory that serves as a mountpoint, then mounting a filesystem at that
> mountpoint. the files you created within the directory are still there
> (under the newly mounted filesystem), but you cannot see them. as soon as
> you unmount the filesystem, you will again see the files within the
> mountpoint directory. the only difference is with vserver both the
> mountpoint directory and the newly mounted filesystem are accessible at the
> same time, just within different namespaces/contexts (host and guest).
>
> it's all about different namespaces. (and it really gets ugly when you
> have to create a lvm snapshot within the context of the host, but mount it
> within the context of several running guests, because you have to
> separately mount it within every guest's namespace; see the "vnamespace"
> command.)
>
> hope that helps clear things up.
>
> btw, i hate that useless default 16 MB tmpfs mount within the guests and
> removing it from /etc/vservers/guest/fstab is one of the first things i do
> upon creating a new guest. is there some way to override the default (ie
> is there a default fstab somewhere; yeah, i know, i'm lazy ;-).
>
> corey
> --
> undefined@pobox.com
> _______________________________________________
> Vserver mailing list
> Vserver@list.linux-vserver.org
> http://list.linux-vserver.org/mailman/listinfo/vserver
>

Hi corey,

Your explanation is very clear. I made a mistake when I chose the
/tmp directory to test setfacl!

As you said, setfacl works fine on another directory (I tested
on /opt in my guest).

Thanks again for the long explanation.

Jean-Michel Caricand
mail : jean-michel.caricand@laposte.net
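The namespace mismatch corey describes is also a trap for anyone auditing a guest from the host: a path that resolves to a guest-private mount (here the 16 MB tmpfs on /tmp) lands on a different filesystem when the same file is reached through /var/lib/vservers/<guest>/ from context 0. The following is an added example, not code from this thread or from the vserver project; it parses the `mount` output quoted above (trimmed, and embedded here as constructed input), resolves a guest path in both namespaces by longest mountpoint prefix, and reports whether the host sees the same filesystem and whether that filesystem was mounted with the `acl` option. The host path of the guest root is taken from the thread; the function names are mine.

```python
import re
# Constructed from the `mount` output quoted earlier in this thread.
GUEST_MOUNT = """\
/dev/hdv1 on / type ufs (defaults)
none on /proc type proc (0)
none on /tmp type tmpfs (size=16m,mode=1777)
"""
HOST_MOUNT = """\
/dev/hda3 on / type ext3 (rw,errors=remount-ro)
tmpfs on /dev/shm type tmpfs (rw)
/dev/mapper/host-lifc--svnlmd on /var/lib/vservers/lifc-svnlmd type ext3 (rw,acl)
"""
GUEST_ROOT = "/var/lib/vservers/lifc-svnlmd"  # guest root directory as seen from the host
LINE = re.compile(r"^(\S+) on (\S+) type (\S+) \((.*)\)$")

def parse_mount(text):
    """Parse `mount` output into (device, mountpoint, fstype, option-set) tuples."""
    table = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            dev, mp, fstype, opts = m.groups()
            table.append((dev, mp, fstype, set(opts.split(","))))
    return table

def resolve(table, path):
    """Longest-prefix match: the mount a write to `path` lands on in this namespace."""
    best = None
    for entry in table:
        mp = entry[1]
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best[1]):
                best = entry
    return best

def effective_fs(guest_table, host_table, guest_root, guest_path):
    """Where a guest path really lands, and whether the host sees the same filesystem.
    Any guest mount other than "/" is private to the guest namespace; the host's view
    of that path falls through to the backing filesystem underneath it."""
    g = resolve(guest_table, guest_path)
    h = resolve(host_table, guest_root.rstrip("/") + guest_path)
    private = g[1] != "/"
    backing = g if private else h  # the guest hides its root's real options; use host view
    return {"guest_mount": g[1], "host_mount": h[1], "fstype": backing[2],
            "acl": "acl" in backing[3], "host_sees_same_fs": not private}

if __name__ == "__main__":
    guest, host = parse_mount(GUEST_MOUNT), parse_mount(HOST_MOUNT)
    for p in ("/tmp/toto", "/opt/toto"):
        print(p, effective_fs(guest, host, GUEST_ROOT, p))
```

For /tmp/toto the result is tmpfs without `acl` and a host view that lands on the ext3 volume instead, which is exactly the discrepancy in the thread; for /opt/toto both sides agree on the acl-enabled ext3 filesystem.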

Received on Sat Feb 3 20:40:35 2007

Generated on Sat 03 Feb 2007 - 20:40:41 GMT by hypermail 2.1.8