[systemd-commits] 2 commits - man/systemd-nspawn.xml src/nspawn
Lennart Poettering
lennart at kemper.freedesktop.org
Fri Jan 18 09:23:27 PST 2013
man/systemd-nspawn.xml | 18 ++++++++++--------
src/nspawn/nspawn.c | 4 +++-
2 files changed, 13 insertions(+), 9 deletions(-)
New commits:
commit 2b3987a863975f5a1fa1754725e3d07a5d4f6478
Author: Lennart Poettering <lennart at poettering.net>
Date: Fri Jan 18 18:22:55 2013 +0100
man: update suggested yum command line in nspawn(1)
diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml
index 2939951..777e0a3 100644
--- a/man/systemd-nspawn.xml
+++ b/man/systemd-nspawn.xml
@@ -298,13 +298,13 @@
<refsect1>
<title>Example 1</title>
- <programlisting># yum --releasever=17 --nogpgcheck --installroot ~/fedora-tree/ install yum passwd vim-minimal rootfiles systemd
-# systemd-nspawn -D ~/fedora-tree /usr/lib/systemd/systemd</programlisting>
+ <programlisting># yum -y --releasever=19 --nogpg --installroot=/srv/mycontainer --disablerepo='*' --enablerepo=fedora install systemd passwd yum fedora-release vim-minimal
+# systemd-nspawn -bD /srv/mycontainer</programlisting>
<para>This installs a minimal Fedora distribution into
- the directory <filename>~/fedora-tree/</filename>
- and then boots an OS in a namespace container in it,
- with systemd as init system.</para>
+ the directory <filename>/srv/mycontainer/</filename> and
+ then boots an OS in a namespace container in
+ it.</para>
</refsect1>
<refsect1>
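Review bot: the new first line replaces the removed `--nogpgcheck` with `--nogpg`; if that is intended as an abbreviation, spell out `--nogpgcheck` as the old example did, so that a reader copying the command sees explicitly that package signature verification is being skipped for the tree that becomes the container root. The rewritten `<para>` also drops the "with systemd as init system" clause even though the new `-bD` invocation is what boots the container's init; keeping a short mention of what `-b` does would make the example self-explanatory. Minor: the prose says `/srv/mycontainer/` while the commands use `/srv/mycontainer`; pick one spelling.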
commit 88d04e31ce0837ebf937ab46c3c39a0d93ab4c7c
Author: Lennart Poettering <lennart at poettering.net>
Date: Fri Jan 18 18:13:01 2013 +0100
nspawn: add audit caps to default set to keep
Due to the brokenness of much of the userspace audit code we cannot
really start too many systems without the audit caps set. To make nspawn
easier to use just add the audit caps by default.
To boot up containers successfully the kernel's auditing needs to be
turned off still (use "audit=0" on the kernel command line), but at
least no manual caps have to be passed anymore.
In the long run auditing will be fixed for containers and be virtualized
properly at which time it should be safe to enable these caps anyway.
diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml
index db2d417..2939951 100644
--- a/man/systemd-nspawn.xml
+++ b/man/systemd-nspawn.xml
@@ -227,8 +227,8 @@
list of capability names, see
<citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
for more information. Note that the
- following capabilities will be
- granted in any way: CAP_CHOWN,
+ following capabilities will be granted
+ in any way: CAP_CHOWN,
CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH,
CAP_FOWNER, CAP_FSETID, CAP_IPC_OWNER,
CAP_KILL, CAP_LEASE,
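Review bot: since this hunk only reflows the sentence, it is a good moment to fix its wording too: "will be granted in any way" reads as "granted by some means" when the intent is "always granted regardless of the list given"; suggest `following capabilities are always` / `granted, whatever the list:` or similar.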
@@ -239,7 +239,9 @@
CAP_SETUID, CAP_SYS_ADMIN,
CAP_SYS_CHROOT, CAP_SYS_NICE,
CAP_SYS_PTRACE, CAP_SYS_TTY_CONFIG,
- CAP_SYS_RESOURCE, CAP_SYS_BOOT.</para></listitem>
+ CAP_SYS_RESOURCE, CAP_SYS_BOOT,
+ CAP_AUDIT_WRITE,
+ CAP_AUDIT_CONTROL.</para></listitem>
</varlistentry>
<varlistentry>
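Review bot: the list gains CAP_AUDIT_WRITE and CAP_AUDIT_CONTROL but the man page gives the reader none of the context from the commit message, namely that auditing is not yet virtualized for containers and that the kernel must currently be booted with `audit=0` for a container to come up. Both facts belong in this paragraph: the first because CAP_AUDIT_CONTROL retained by default means the container's root can configure the host's (shared) audit subsystem, which is a privilege the administrator should know the container holds; the second because it is a prerequisite the user will otherwise only discover by trial.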
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 98b583d..62dc20d 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -96,7 +96,9 @@ static uint64_t arg_retain =
(1ULL << CAP_SYS_PTRACE) |
(1ULL << CAP_SYS_TTY_CONFIG) |
(1ULL << CAP_SYS_RESOURCE) |
- (1ULL << CAP_SYS_BOOT);
+ (1ULL << CAP_SYS_BOOT) |
+ (1ULL << CAP_AUDIT_WRITE) |
+ (1ULL << CAP_AUDIT_CONTROL);
static int help(void) {
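Review bot: adding CAP_AUDIT_WRITE and CAP_AUDIT_CONTROL to `arg_retain` widens the default privilege set for every container, while the commit message itself describes this as a workaround for broken userspace audit code until auditing is virtualized. Consider keeping the default set unchanged and letting the caller request the audit caps through the capability list option whose documentation is edited above, or at least add a comment next to the two new entries recording why they are there and that they should be dropped again once audit is namespaced; otherwise the temporary widening will be hard to find and revert later. The man page change and this code change are consistent with each other, which is good.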