[Qgis-developer] docker container: unshare namespace (sysadmin talk)
Matthias Kuhn
matthias.kuhn at gmx.ch
Mon Nov 18 11:49:56 PST 2013
I hope we have some experienced sysadmins here on the list who can bring
light into the dark.
The situation is
I am trying to build RPMs for Fedora/CentOS on our shiny new server where we
have docker.io set up, so we can easily create multiple containers for
the different tasks the server will run. So I have created a container
based on CentOS and installed mock (the tool Fedora uses for packaging).
However, running mock (inside the container) fails:
ERROR: Namespace unshare failed.
As far as I can tell, mock needs the "unshare" system call to create a
new mountpoint inside the process, where it can create a virtual build
environment. But calling namespace with CLONE_NEWNS fails with EPERM.
The manpage states:
EPERM  flags specified CLONE_NEWNS but the calling process was not privileged (did not have the CAP_SYS_ADMIN capability).
Trying to change this capability of the binary does not work, although
we are root inside the container, so I guess this kind of capability
gets inherited from my non-privileged user on the host itself. I assume
(untested) that the following command would fix this issue:
sudo lxc-docker run centos/qgis-nightly setcap cap_sys_admin+ep /usr/sbin/mock
I would be very happy if somebody with server administration and
especially capabilities experience could let me know if this is a safe
thing and the right thing to do in order to solve this problem, because to me
this is all still black magic.
Regards
Matthias
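As an added example (not code from the message above), here is a small C program that performs the check the post is asking about: it reads the effective capability set (CapEff) from /proc/self/status to see whether CAP_SYS_ADMIN is present, then attempts unshare(CLONE_NEWNS) and reports the errno, so running it inside the container shows directly whether the EPERM comes from a missing capability. It assumes Linux with a readable /proc. One caveat worth knowing before trying setcap: a file capability is masked by the process's bounding set at exec time, so if the container was started without CAP_SYS_ADMIN in its bounding set, setcap on the mock binary cannot add it and the call will still fail.

```c
// Added example, not from the original post: check whether the process holds
// CAP_SYS_ADMIN (bit 21 of CapEff in /proc/self/status) and whether
// unshare(CLONE_NEWNS) succeeds; without the capability it fails with EPERM.
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifndef CLONE_NEWNS
#define CLONE_NEWNS 0x00020000   /* value from <linux/sched.h> */
#endif
int unshare(int flags);          /* prototype in case _GNU_SOURCE was not in effect */
#define CAP_SYS_ADMIN_BIT 21     /* CAP_SYS_ADMIN in <linux/capability.h> */
/* 1 if bit `cap` is set in a hex capability mask (e.g. the CapEff value),
 * 0 if clear, -1 if the mask is not valid hex or cap is out of range. */
int cap_in_mask(const char *hexmask, int cap) {
    char *end;
    unsigned long long mask = strtoull(hexmask, &end, 16);
    if (end == hexmask || *end != '\0' || cap < 0 || cap > 63) return -1;
    return (int)((mask >> cap) & 1ULL);
}
/* Read CapEff from /proc/self/status: 1/0 for CAP_SYS_ADMIN, -1 on error. */
int have_cap_sys_admin(void) {
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    int result = -1;
    if (!f) return -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "CapEff:", 7) != 0) continue;
        char *p = line + 7;
        while (*p == ' ' || *p == '\t') p++;   /* skip the field separator */
        p[strcspn(p, "\n")] = '\0';            /* drop the trailing newline */
        result = cap_in_mask(p, CAP_SYS_ADMIN_BIT);
        break;
    }
    fclose(f);
    return result;
}
/* Try to create a new mount namespace: 0 on success, otherwise errno. */
int try_unshare_newns(void) { return unshare(CLONE_NEWNS) == 0 ? 0 : errno; }
int main(void) {
    printf("CAP_SYS_ADMIN effective: %d\n", have_cap_sys_admin());
    int rc = try_unshare_newns();
    printf("unshare(CLONE_NEWNS): %s\n", rc == 0 ? "ok" : strerror(rc));
    return 0;
}
```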