*SOLVED* Problem starting VPS [message #1605] |
Wed, 15 February 2006 14:49 |
Phoebus
I installed VPS on debian, created template and when I try to run it I get this:
# vzctl start 1002
Starting VPS ...
VPS is mounted
Unable to set capability: Operation not permitted
Unable to set capability
VPS start failed
VPS is unmounted
#
I tried verbose:
Unable to open /usr/lib/vzctl/modules/: No such file or directory
Starting VPS ...
Running: /usr/sbin/vzquota show 1002
Running: /usr/sbin/vzquota on 1002 -r 0 -b 1048676 -B 1153534 -i 200100 -I 220100 -e 0 -n 0 -s 0
Mounting root: /vz/root/1002 /vz/private/1002
VPS is mounted
Unable to set capability: Operation not permitted
Unable to set capability
VPS start failed
Running: /usr/sbin/vzquota off 1002
Running: /usr/sbin/vzquota stat 1002 -f
VPS is unmounted
I tried running vzquota and it works OK. Any ideas how to fix it?
[Updated on: Wed, 09 August 2006 21:15] by Moderator Report message to a moderator
Re: Problem starting VPS [message #1842 is a reply to message #1841] |
Tue, 28 February 2006 14:12 |
dev
Can you try this debug patch please?
--- ./kernel/capability.c.capdbg 2006-02-28 16:09:25.000000000 +0300
+++ ./kernel/capability.c 2006-02-28 17:04:29.000000000 +0300
@@ -192,8 +192,12 @@ asmlinkage long sys_capset(cap_user_head
if (get_user(pid, &header->pid))
return -EFAULT;
- if (pid && pid != virt_pid(current) && !capable(CAP_SETPCAP))
+ if (pid && pid != virt_pid(current) && !capable(CAP_SETPCAP)) {
+ printk("capset: (%s): pid = %d, vpid = %d, caps=%08lx\n",
+ current->comm, pid, virt_pid(current),
+ current->cap_effective);
return -EPERM;
+ }
if (copy_from_user(&effective, &data->effective, sizeof(effective)) ||
copy_from_user(&inheritable, &data->inheritable, sizeof(inheritable)) ||
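Review bot: The printk added inside the `!capable(CAP_SETPCAP)` branch of sys_capset has no log level and no rate limit, and that branch is taken for any caller that names another task's pid without holding the capability, so an unprivileged process can fill the kernel log at will. For a short-lived debug build that is tolerable, but if the patch stays in any longer I would write it as `if (printk_ratelimit()) printk(KERN_DEBUG "capset: ...", ...);`. The same applies to the printk calls added in the second capability.c hunk and in commoncap.c, dummy.c and selinux/hooks.c. sys_capset starts before this hunk and continues after it.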
@@ -235,5 +239,9 @@ out:
read_unlock(&tasklist_lock);
spin_unlock(&task_capability_lock);
+ if (ret == -EPERM) {
+ printk("sys_capset: %s:%d, pid=%d\n",
+ current->comm, current->pid, pid);
+ }
return ret;
}
--- ./security/commoncap.c.capdbg 2006-02-28 16:09:25.000000000 +0300
+++ ./security/commoncap.c 2006-02-28 16:59:39.000000000 +0300
@@ -78,27 +78,49 @@ int cap_capget (struct task_struct *targ
int cap_capset_check (struct task_struct *target, kernel_cap_t *effective,
kernel_cap_t *inheritable, kernel_cap_t *permitted)
{
+ int ret;
+
/* Derived from kernel/capability.c:sys_capset. */
/* verify restrictions on target's new Inheritable set */
if (!cap_issubset (*inheritable,
cap_combine (target->cap_inheritable,
current->cap_permitted))) {
- return -EPERM;
+ ret = 1;
+ goto oops;
}
/* verify restrictions on target's new Permitted set */
if (!cap_issubset (*permitted,
cap_combine (target->cap_permitted,
current->cap_permitted))) {
- return -EPERM;
+ ret = 2;
+ goto oops;
}
/* verify the _new_Effective_ is a subset of the _new_Permitted_ */
if (!cap_issubset (*effective, *permitted)) {
- return -EPERM;
+ ret = 3;
+ goto oops;
}
return 0;
+
+oops:
+ printk("cap_capset_check: %d (%s:%d), curcaps=%08lx:%08lx:%08lx, target (%s:%d) caps=%08lx:%08lx:%08lx, set %08lx:%08lx:%08lx\n",
+ ret,
+ current->comm, current->pid,
+ current->cap_effective,
+ current->cap_permitted,
+ current->cap_inheritable,
+ target->comm, target->pid,
+ target->cap_effective,
+ target->cap_permitted,
+ target->cap_inheritable,
+ *effective,
+ *permitted,
+ *inheritable
+ );
+ return -EPERM;
}
void cap_capset_set (struct task_struct *target, kernel_cap_t *effective,
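Review bot: In cap_capset_check the new `ret` never holds the return value: it carries the number of the failed check (1, 2 or 3) while the function always returns -EPERM from the `oops:` label, so both names mislead. `int failed_check;` and a label `denied:` would read correctly, and `oops` already has its own meaning in kernel code. The `%08lx` conversions here (and in the sys_capset printk) are passed `kernel_cap_t` values directly; the typedef is not visible on this page, but if it is narrower than `unsigned long` in this tree the output is wrong on 64-bit builds, so cast each argument, e.g. `(unsigned long)current->cap_effective`. A comment above the printk such as `/* debug only: first number is the failed check, 1=inheritable 2=permitted 3=effective */` would make the log line readable without the source.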
--- ./security/dummy.c.capdbg 2006-01-03 06:21:10.000000000 +0300
+++ ./security/dummy.c 2006-02-28 17:00:37.000000000 +0300
@@ -56,6 +56,7 @@ static int dummy_capset_check (struct ta
kernel_cap_t * inheritable,
kernel_cap_t * permitted)
{
+ printk("dummy_capset_check: %s:%d\n", current->comm, current->pid);
return -EPERM;
}
--- ./security/selinux/hooks.c.capdbg 2006-02-28 16:09:25.000000000 +0300
+++ ./security/selinux/hooks.c 2006-02-28 17:02:41.000000000 +0300
@@ -1314,9 +1314,15 @@ static int selinux_capset_check(struct t
error = secondary_ops->capset_check(target, effective, inheritable, permitted);
if (error)
- return error;
+ goto err;
+
+ error = task_has_perm(current, target, PROCESS__SETCAP);
+ if (error)
+ goto err;
- return task_has_perm(current, target, PROCESS__SETCAP);
+ return 0;
+err:
+ printk("selinux_capset_check: %s:%d err=%d\n", current->comm, current->pid, error);
}
static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
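Review bot: As shown, the new `err:` path in selinux_capset_check ends at the printk and runs into the closing brace without a return statement, so on every denial this int-returning hook hands its caller an indeterminate value instead of the error code. A capability-set check whose deny path can report an arbitrary result is unsafe even in a debug kernel, and it can also mislead the diagnosis the patch is meant to support. Add `return error;` directly after the printk. The function's signature and the start of its body lie above this hunk.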
Also, I noticed that you have the following config options, which differ from our config and potentially conflict with virtualization:
CONFIG_SECURITY=y
CONFIG_AUDIT=y
Please turn them off.
Maybe you can check the whole kernel with OVZ config?