OpenVZ Forum


Home » General » Support » Cannot Start VE - Unable to set capability: Operation not permitted
Cannot Start VE - Unable to set capability: Operation not permitted [message #22548] Tue, 30 October 2007 17:44 Go to next message
JFOC is currently offline  JFOC
Messages: 13
Registered: September 2007
Location: http://www.jfoc.net - htt...
Junior Member

Hello,
I cannot start the VE, here some command:

[root@dedicated ~]# vzctl create 112 --ostemplate centos-4-i386-default
Unable to get full ostemplate name for centos-4-i386-default
Creating VE private area (centos-4-i386-default)
Performing postcreate actions
VE private area was created


[root@dedicated ~]# vzctl start 112
Starting VE ...
VE is mounted
Unable to set capability: Operation not permitted
Unable to set capability
VE start failed
VE is unmounted


Operating system is CentOS 4.5

[root@dedicated ~]# uname -a
Linux dedicated.d.net 2.6.18-8.1.14.el5.028stab045.1PAE #1 SMP Mon Oct 1 13:46:57 MSD 2007 i686 i686 i386 GNU/Linux



[Updated on: Tue, 30 October 2007 17:47]

Report message to a moderator

Re: Cannot Start VE - Unable to set capability: Operation not permitted [message #22598 is a reply to message #22548] Wed, 31 October 2007 11:24 Go to previous messageGo to next message
Valmont is currently offline  Valmont
Messages: 225
Registered: September 2005
Senior Member

lcap?


http://forum.openvz.org/index.php?t=msg&goto=15594&& amp;srch=lcap#msg_15594
Re: Cannot Start VE - Unable to set capability: Operation not permitted [message #22619 is a reply to message #22598] Wed, 31 October 2007 15:50 Go to previous messageGo to next message
JFOC is currently offline  JFOC
Messages: 13
Registered: September 2007
Location: http://www.jfoc.net - htt...
Junior Member

how to remove this lcap ?

Re: Cannot Start VE - Unable to set capability: Operation not permitted [message #22648 is a reply to message #22619] Thu, 01 November 2007 07:15 Go to previous messageGo to next message
Valmont is currently offline  Valmont
Messages: 225
Registered: September 2005
Senior Member
rpm -e lcap
Re: Cannot Start VE - Unable to set capability: Operation not permitted [message #22755 is a reply to message #22648] Fri, 02 November 2007 19:02 Go to previous messageGo to next message
JFOC is currently offline  JFOC
Messages: 13
Registered: September 2007
Location: http://www.jfoc.net - htt...
Junior Member

no rpm package found for lcap

Re: Cannot Start VE - Unable to set capability: Operation not permitted [message #22809 is a reply to message #22755] Sun, 04 November 2007 09:52 Go to previous messageGo to next message
Valmont is currently offline  Valmont
Messages: 225
Registered: September 2005
Senior Member
Does selinux disabled ?
What tells
which lcap
?
Does /var/log/messages tells anything, when you try to start vps?

//also, do not forget update your kernel.
Re: Cannot Start VE - Unable to set capability: Operation not permitted [message #22812 is a reply to message #22548] Sun, 04 November 2007 15:42 Go to previous messageGo to next message
JFOC is currently offline  JFOC
Messages: 13
Registered: September 2007
Location: http://www.jfoc.net - htt...
Junior Member

selinux is disabled


[root@dedicated ~]# which lcap
/usr/bin/which: no lcap in (/usr/kerberos/sbin:/usr/kerberos/bin:/usr/lib/courier-imap/ sbin:/usr/lib/courier-imap/bin:/usr/local/sbin:/usr/local/bi n:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/root/bin)


[root@dedicated ~]# vzctl start 100
Starting VE ...
VE is mounted
Unable to set capability: Operation not permitted
Unable to set capability
VE start failed
VE is unmounted


There is no error message in /var/log/messages


Re: Cannot Start VE - Unable to set capability: Operation not permitted [message #23156 is a reply to message #22812] Tue, 13 November 2007 20:23 Go to previous messageGo to next message
JFOC is currently offline  JFOC
Messages: 13
Registered: September 2007
Location: http://www.jfoc.net - htt...
Junior Member

any solutions for this issue ?

Thank you


Re: Cannot Start VE - Unable to set capability: Operation not permitted [message #23160 is a reply to message #23156] Tue, 13 November 2007 22:09 Go to previous messageGo to next message
Valmont is currently offline  Valmont
Messages: 225
Registered: September 2005
Senior Member
Do you compile kernel by your self?
If so, can you try use openvz team compiled kernel?
Re: Cannot Start VE - Unable to set capability: Operation not permitted [message #23162 is a reply to message #23160] Tue, 13 November 2007 23:21 Go to previous messageGo to next message
JFOC is currently offline  JFOC
Messages: 13
Registered: September 2007
Location: http://www.jfoc.net - htt...
Junior Member

the kernel is from openvz,not compiled by me

Re: Cannot Start VE - Unable to set capability: Operation not permitted [message #23184 is a reply to message #23162] Wed, 14 November 2007 08:54 Go to previous messageGo to next message
vaverin is currently offline  vaverin
Messages: 708
Registered: September 2005
Senior Member
Obviously you have some another utility that restricts capability.
Could You please show us 'cat /proc/self/status' output.
Re: Cannot Start VE - Unable to set capability: Operation not permitted [message #23197 is a reply to message #23184] Wed, 14 November 2007 09:39 Go to previous messageGo to next message
JFOC is currently offline  JFOC
Messages: 13
Registered: September 2007
Location: http://www.jfoc.net - htt...
Junior Member

cat /proc/self/status
Name: cat
State: R (running)
SleepAVG: 88%
Tgid: 6080
Pid: 6080
PPid: 27585
TracerPid: 0
Uid: 0 0 0 0
Gid: 0 0 0 0
FDSize: 256
Groups: 0 1 2 3 4 6 10
VmPeak: 50024 kB
VmSize: 50024 kB
VmLck: 0 kB
VmHWM: 448 kB
VmRSS: 448 kB
VmData: 200 kB
VmStk: 84 kB
VmExe: 20 kB
VmLib: 1280 kB
VmPTE: 24 kB
Threads: 1
SigQ: 0/8190
SigPnd: 0000000000000000
ShdPnd: 0000000000000000
SigBlk: 0000000000000000
SigIgn: 0000000000000000
SigCgt: 0000000000000000
CapInh: 0000000000000000
CapPrm: 00000000fffffeff
CapEff: 00000000fffffeff
Cpus_allowed: 00f
Mems_allowed: 00000000,00000001
PaX: PeMRs


Re: Cannot Start VE - Unable to set capability: Operation not permitted [message #23199 is a reply to message #23197] Wed, 14 November 2007 09:52 Go to previous messageGo to next message
vaverin is currently offline  vaverin
Messages: 708
Registered: September 2005
Senior Member
Hmm, are you sure that it was taken on openVZ kernel?
Re: Cannot Start VE - Unable to set capability: Operation not permitted [message #23220 is a reply to message #23199] Wed, 14 November 2007 13:27 Go to previous messageGo to next message
JFOC is currently offline  JFOC
Messages: 13
Registered: September 2007
Location: http://www.jfoc.net - htt...
Junior Member

Linux localhost 2.6.18-8.1.14.el5.028stab045.1PAE #1 SMP Mon Oct 1 13:46:57 MSD 2007 i686 i686 i386 GNU/Linux

I used this kernel from openvz


Re: Cannot Start VE - Unable to set capability: Operation not permitted [message #23227 is a reply to message #23220] Wed, 14 November 2007 14:05 Go to previous messageGo to next message
vaverin is currently offline  vaverin
Messages: 708
Registered: September 2005
Senior Member
I'm sorry, but it doesn't look like openvz kernel.
Our kernel have a slightly different format:
# uname -a
Linux ts10 2.6.18-028stab049.1-PAE #1 SMP Thu Nov 8 19:53:27 MSK 2007
i686 i686 i386 GNU/Linux
[root@ts10 ~]# cat /proc/self/status
Name: cat
State: R (running)
SleepAVG: 78%
Tgid: 9079
Pid: 9079
PPid: 8411
TracerPid: 0
FNid: 0
Uid: 0 0 0 0
Gid: 0 0 0 0
FDSize: 256
Groups: 0 1 2 3 4 6 10
envID: 0
VPid: 9079
PNState: 0
StopState: 0
VmPeak: 3676 kB
VmSize: 3676 kB
VmLck: 0 kB
VmHWM: 428 kB
VmRSS: 428 kB
VmData: 156 kB
VmStk: 88 kB
VmExe: 16 kB
VmLib: 3404 kB
VmPTE: 32 kB
StaBrk: 0804d000 kB
Brk: 0826e000 kB
StaStk: bfa41da0 kB
ExecLim: ffffffff
Threads: 1
SigQ: 1/55296
SigPnd: 0000000000000000
ShdPnd: 0000000000000000
SigBlk: 0000000000000000
SigIgn: 0000000000000000
SigCgt: 0000000000000000
SigSvd: 0000000000000000
CapInh: 0000000000000000
CapPrm: 00000000fffffeff
CapEff: 00000000fffffeff
Cpus_allowed: ffffffff
Mems_allowed: 1
TaskUB: 0.0
MMUB: 0.0

I would note that our kernels should have the following strings:
envID:
VPid:
TaskUB:

Your kernel doen't shows this strings but outputs etra line with
PaX: PeMRs

I'm very sorry, but could You please re-check the kernel on Your node?

thank you,
Vasily Averin
Re: Cannot Start VE - Unable to set capability: Operation not permitted [message #23230 is a reply to message #23227] Wed, 14 November 2007 14:21 Go to previous messageGo to next message
JFOC is currently offline  JFOC
Messages: 13
Registered: September 2007
Location: http://www.jfoc.net - htt...
Junior Member

I just upgrade the kernel and below the result

Linux localhost 2.6.18-8.1.15.el5.028stab047.1PAE #1 SMP Tue Oct 23 15:48:28 MSD 2007 i686 i686 i386 GNU/Linux

[root@dedicated cache]# cat /proc/self/status
Name: cat
State: R (running)
SleepAVG: 78%
Tgid: 30986
Pid: 30986
PPid: 15060
TracerPid: 0
FNid: 0
Uid: 0 0 0 0
Gid: 0 0 0 0
FDSize: 256
Groups: 0 1 2 3 4 6 10
envID: 0
VPid: 30986
PNState: 0
StopState: 0
VmPeak: 3792 kB
VmSize: 3792 kB
VmLck: 0 kB
VmHWM: 376 kB
VmRSS: 376 kB
VmData: 148 kB
VmStk: 84 kB
VmExe: 16 kB
VmLib: 3528 kB
VmPTE: 24 kB
StaBrk: 0804d000 kB
Brk: 092d5000 kB
StaStk: bfbaa660 kB
Threads: 1
SigQ: 0/7679
SigPnd: 0000000000000000
ShdPnd: 0000000000000000
SigBlk: 0000000000000000
SigIgn: 0000000000000000
SigCgt: 0000000000000000
SigSvd: 0000000000000000
CapInh: 0000000000000000
CapPrm: 00000000fffffeff
CapEff: 00000000fffffeff
Cpus_allowed: ffffffff
Mems_allowed: 1
TaskUB: 0
MMUB: 0


[root@dedicated cache]# vzctl create 100 --ostemplate centos-4-i386-default

Creating VE private area (centos-4-i386-default)
vzquota : (error) Quota on syscall for 100: File exists
vzquota on failed [3]
vzquota : (error) Quota is not running for id 100
Performing postcreate actions
VE private area was created
[root@dedicated cache]# vzctl start 100
Starting VE ...
vzquota : (error) Quota on syscall for 100: File exists
vzquota on failed [3]

So i set in file /etc/sysconfig/vz
DISK_QUOTA=no

now the result

[root@dedicated cache]# vzctl start 100
Starting VE ...
VE is mounted
Adding IP address(es): 209.250.234.166
Setting CPU units: 1000
Configure meminfo: 49152
File resolv.conf was modified
VE start in progress...

Anyway the ip address is needed set to the real ip address or network ip address class ?


Best Regards,
Joko Frank Octo


[Updated on: Wed, 14 November 2007 14:33]

Report message to a moderator

Re: Cannot Start VE - Unable to set capability: Operation not permitted [message #23266 is a reply to message #23230] Thu, 15 November 2007 06:48 Go to previous messageGo to next message
vaverin is currently offline  vaverin
Messages: 708
Registered: September 2005
Senior Member
Sorry,
I do not understand your last question. To be accessible via network each VE should have its own IP, like a dedicated node.

thank you,
Vasily Averin
Re: Cannot Start VE - Unable to set capability: Operation not permitted [message #23270 is a reply to message #23266] Thu, 15 November 2007 07:03 Go to previous messageGo to next message
JFOC is currently offline  JFOC
Messages: 13
Registered: September 2007
Location: http://www.jfoc.net - htt...
Junior Member

Sorry.

The question is how to make the VE is accessible from Internet and the Host node is accessible from VE.

I'm a little confuse with the tutorial in the openvz wiki about VE ip address, the ip address should be a local network class type ip or public ip address ?

Also the nameserver should be set in VE is ISP nameserver or the host node nameserver (since dns server is installed in host node)

Thank you


Re: Cannot Start VE - Unable to set capability: Operation not permitted [message #23275 is a reply to message #23270] Thu, 15 November 2007 07:56 Go to previous messageGo to next message
vaverin is currently offline  vaverin
Messages: 708
Registered: September 2005
Senior Member
Most simplest way is to assign VE public IP.
However you can use private IP for VEs too:
http://wiki.openvz.org/Using_NAT_for_VE_with_private_IPs
Re: Cannot Start VE - Unable to set capability: Operation not permitted [message #23276 is a reply to message #23275] Thu, 15 November 2007 08:10 Go to previous messageGo to next message
JFOC is currently offline  JFOC
Messages: 13
Registered: September 2007
Location: http://www.jfoc.net - htt...
Junior Member

Private IP is local network ip address ?

Re: Cannot Start VE - Unable to set capability: Operation not permitted [message #23282 is a reply to message #23276] Thu, 15 November 2007 08:42 Go to previous messageGo to next message
vaverin is currently offline  vaverin
Messages: 708
Registered: September 2005
Senior Member
yes
Re: Cannot Start VE - Unable to set capability: Operation not permitted [message #23287 is a reply to message #23282] Thu, 15 November 2007 08:54 Go to previous messageGo to next message
JFOC is currently offline  JFOC
Messages: 13
Registered: September 2007
Location: http://www.jfoc.net - htt...
Junior Member

[host-node] vzctl create 100 --ostemplate=debian-4.0-i386-minimal
[host-node] vzctl set 100 --ipadd 192.168.0.100 --save
[host-node] vzctl set 100 --nameserver 209.250.234.162 --save
[host-node] vzctl set 100 --hostname vps100 --save
[host-node] vzctl set 100 --netif_add eth0,00:0C:29:08:EE:48 --save
[host-node] vzctl start 100
[host-node] ifconfig veth101.0 0
[host-node] echo 1 > /proc/sys/net/ipv4/conf/veth100.0/forwarding
[host-node] echo 1 > /proc/sys/net/ipv4/conf/veth100.0/proxy_arp
[host-node] echo 1 > /proc/sys/net/ipv4/conf/eth0/forwarding
[host-node] echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
[host-node] vzctl enter 100

[ve-100] ifcfg eth0 0
[ve-100] ifconfig eth0 192.168.0.99
[ve-100] route add default eth0
[ve-100] exit

[host-node] route add 192.168.0.99 dev veth100.0
[host-node] iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 209.250.234.162

[host-node] vzctl enter 100
[ve-100] ping jfoc.net --> the result is ping: unknown host jfoc.net


Above is an instruction i followed step-by-step, but still cannot access the Internet From VE


Re: Cannot Start VE - Unable to set capability: Operation not permitted [message #23290 is a reply to message #23287] Thu, 15 November 2007 09:37 Go to previous messageGo to next message
vaverin is currently offline  vaverin
Messages: 708
Registered: September 2005
Senior Member
JFOC wrote on Thu, 15 November 2007 11:54

[host-node] vzctl create 100 --ostemplate=debian-4.0-i386-minimal
[host-node] vzctl set 100 --ipadd 192.168.0.100 --save
[host-node] vzctl set 100 --nameserver 209.250.234.162 --save
[host-node] vzctl set 100 --hostname vps100 --save


I would note that it is enough for VE networking via venet interface
http://wiki.openvz.org/Virtual_network_device
veth interface is an alternative soulution, and you can not use it at all.
JFOC wrote on Thu, 15 November 2007 11:54

[host-node] vzctl set 100 --netif_add eth0,00:0C:29:08:EE:48 --save
[host-node] vzctl start 100
[host-node] ifconfig veth101.0 0
[host-node] echo 1 > /proc/sys/net/ipv4/conf/veth100.0/forwarding
[host-node] echo 1 > /proc/sys/net/ipv4/conf/veth100.0/proxy_arp
[host-node] echo 1 > /proc/sys/net/ipv4/conf/eth0/forwarding
[host-node] echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
[host-node] vzctl enter 100

[ve-100] ifcfg eth0 0
[ve-100] ifconfig eth0 192.168.0.99
[ve-100] route add default eth0
[ve-100] exit

[host-node] route add 192.168.0.99 dev veth100.0


As I've explained above Veth interafce is not necessary, but
at this point you have configured veth interface too.

JFOC wrote on Thu, 15 November 2007 11:54

[host-node] iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 209.250.234.162


this rule means that all forwarded packets will have source ip=209.250.234.162. Is it your hardware node's IP?

JFOC wrote on Thu, 15 November 2007 11:54

[host-node] vzctl enter 100
[ve-100] ping jfoc.net --> the result is ping: unknown host jfoc.net

Above is an instruction i followed step-by-step, but still cannot access the Internet From VE

As far as I see you cannot translate jfoc.net name to IP. Are you sure that you have started nameserver on your hardware node? If not -- you can set to VE the same nameserver that uses your hardware node.

Then let's check the following:
- do you able to ping HW node from inside VE (by using its IP)?
- do you able to ping some external IP from inside VE?

thank you,
Vasily Averin

[Updated on: Thu, 15 November 2007 09:38]

Report message to a moderator

Re: Cannot Start VE - Unable to set capability: Operation not permitted [message #23293 is a reply to message #23290] Thu, 15 November 2007 09:58 Go to previous messageGo to next message
JFOC is currently offline  JFOC
Messages: 13
Registered: September 2007
Location: http://www.jfoc.net - htt...
Junior Member

Quote:


I would note that it is enough for VE networking via venet interface
http://wiki.openvz.org/Virtual_network_device
veth interface is an alternative soulution, and you can not use it at all.


Why i cannot use this ?

Quote:


this rule means that all forwarded packets will have source ip=209.250.234.162. Is it your hardware node's IP?


Yes that's 209.250.234.162 is my static ip for server

Quote:


As far as I see you cannot translate jfoc.net name to IP. Are you sure that you have started nameserver on your hardware node? If not -- you can set to VE the same nameserver that uses your hardware node.

Then let's check the following:
- do you able to ping HW node from inside VE (by using its IP)?
- do you able to ping some external IP from inside VE?


- Yes i'm sure the nameserver has been running well, because this is dedicated server for web hosting.
- I cannot ping HW node from Inside VE (using name / ip)
- I cannot ping any external IP from VE


Re: Cannot Start VE - Unable to set capability: Operation not permitted [message #23296 is a reply to message #23293] Thu, 15 November 2007 10:42 Go to previous message
vaverin is currently offline  vaverin
Messages: 708
Registered: September 2005
Senior Member
JFOC wrote on Thu, 15 November 2007 12:58

Quote:


I would note that it is enough for VE networking via venet interface
http://wiki.openvz.org/Virtual_network_device
veth interface is an alternative soulution, and you can not use it at all.


Why i cannot use this ?


Sorry my bad english, I mean that you have configured venet network interface and therefore using veth is not necessary.

JFOC wrote on Thu, 15 November 2007 12:58


- Yes i'm sure the nameserver has been running well, because this is dedicated server for web hosting.
- I cannot ping HW node from Inside VE (using name / ip)
- I cannot ping any external IP from VE

Hmm. Is eth0 interface up inside your VE?
Could you please show list of interfaces ("ip a l" output) and routing table inside your VE ("ip r l" output).

IMHO it make sense try to remove veth configuration and repeat your experiment.
Also you can give me acess permission for your node (via PM) and I'll try to investigate situation on your node.

[Updated on: Thu, 15 November 2007 10:42]

Report message to a moderator

Previous Topic: "vzctl stop" - hangs
Next Topic: May be a Bug
Goto Forum:
  


Current Time: Sat Nov 16 13:30:37 GMT 2024

Total time taken to generate the page: 0.03094 seconds