<div dir="ltr">HI<div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Nov 18, 2013 at 9:49 PM, Matthias Kuhn <span dir="ltr"><<a href="mailto:matthias.kuhn@gmx.ch" target="_blank">matthias.kuhn@gmx.ch</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">I hope we have some experienced sysadmins here on the list who can bring<br>
light into the dark.<br>
<br>
The situation is<br>
<br>
I try to build rpms for fedora/centos on our shiny new server where we<br>
have <a href="http://docker.io" target="_blank">docker.io</a> set up, so we can easily create multiple containers for<br>
the different tasks the server will run. So I have created a container<br>
based on centos and installed mock (the tool fedora uses for packaging).<br>
<br>
However, running mock (inside the container) fails:<br>
<br>
ERROR: Namespace unshare failed.<br>
<br>
As far as I can tell, mock needs the "unshare" system call to create a<br>
new mountpoint inside the process, where it can create a virtual build<br>
environment. But calling namespace with CLONE_NEWNS fails with EPERM.<br>
The manpage states:<br>
<br>
EPERM flags specified CLONE_NEWNS but the calling process<br>
was not<br>
privileged (did not have the CAP_SYS_ADMIN capability).<br>
<br>
Trying to change this capability of the binary does not work, although<br>
we are root inside the container, so I guess this kind of capabilities<br>
gets inherited from my non-privileged user on the host itself. I assume<br>
(untested) that the following command would fix this issue:<br>
<br>
sudo lxc-docker run centos/qgis-nightly setcap cap_sys_admin+ep<br>
/usr/sbin/mock<br>
<br>
I would be very happy, if somebody with server administration and<br>
especially capabilities experience could let me know, if this is a safe<br>
thing and the right to do in order to solve this problem, because to me<br>
this is all still black magic.<br>
<br>
Regards<br>
<span class=""><font color="#888888">Matthias<br></font></span></blockquote><div> </div></div>I reckon since you are just bringing up your container, building your package and then bringing it down without hosting any public service from the container itself (correct?) , its probably fine.</div>
<div class="gmail_extra"><br></div><div class="gmail_extra">Regards</div><div class="gmail_extra"><br></div><div class="gmail_extra">Tim<br><br clear="all"><div><br></div>-- <br><div dir="ltr">Tim Sutton - QGIS Project Steering Committee Member<br>
==============================================<br>Visit <a href="http://linfiniti.com" target="_blank">http://linfiniti.com</a> to find out about:<br> * QGIS programming services<br> * GeoDjango web development<br> * FOSS Consulting Services<br>
Skype: timlinux Irc: timlinux on #qgis at <a href="http://freenode.net" target="_blank">freenode.net</a><br>==============================================</div>
</div></div>