From: https://www.google.com/accounts/o8/id?id=AItOawkcmdCG-CNsLiJihG5NpEzqu0TaD3s6P8Y Date: Sat, 7 Feb 2015 21:12:19 +0000 (-0500) Subject: (no commit message) X-Git-Url: http://git.openafs.org/?p=openafs-wiki.git;a=commitdiff_plain;h=bee0503834d1d06beda0fb4da8a99add2ab6eb81;hp=0b75d3132a66f509397f2479d8b09fe13e9ad38c --- diff --git a/InstallingOpenAFSinLXC.mdwn b/InstallingOpenAFSinLXC.mdwn index 7d294f2..ab760b5 100644 --- a/InstallingOpenAFSinLXC.mdwn +++ b/InstallingOpenAFSinLXC.mdwn @@ -31,7 +31,7 @@ We now need a configuration file for the LXC container. Place the following at lxc.utsname = lxcafs lxc.rootfs = /home/lxc-afs - lxc.cap.keep = none + lxc.cap.keep = chown dac_override dac_read_search fowner lxc.network.type = none lxc.pts = 16 lxc.id_map = u 0 524288 32767 
@@ -45,6 +45,10 @@ We now need a configuration file for the LXC container. Place the following at lxc.mount.entry=/sbin sbin none ro,bind 0 0 lxc.mount.entry=tmpfs /dev/shm tmpfs defaults 0 0 +If you are not intending to run the file server inside the container, you may replace the capability grants with + + lxc.cap.keep = none + It's easiest to bring up a shell prompt within the container and run the remainder of the setup there. On the host, run `lxc-execute -n afs-maint -f /home/lxc-afs.conf -- bash`. This command can be rerun whenever you need a shell "next to" the AFS servers. At that prompt, you'll want to populate common files, like `/etc/hosts`, `/etc/krb5.conf`, the contents of `/etc/openafs/server`, and `/usr/var/openafs/NetInfo`, as you would any other AFS server. Be sure to land a `/etc/openafs/server/rxkad.keytab` file. If you watch, you'll note that while this shell believes these files are owned by root, the host filesystem has them owned by `524288`. The host `ps`, likewise, will show your shell running as `524288`. (Note that ownership of files owned by users outside the container's range will get mapped to `nobody`, and mode bits may be squashed. If files in `/home/lxc-afs` are actually owned by host `root`, for example, they may be unreadable within the container! This may lead to all kinds of interesting problems, so if things seem to be going wrong, check that first.)
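Review bot: The first hunk widens `lxc.cap.keep` from `none` to `chown dac_override dac_read_search fowner` with no commit message and no in-text rationale, so a reader of the wiki cannot tell which server process needs these four capabilities or why the previous `none` stopped working. Suggest a commit message and a sentence next to the config block stating that the grants are there for the file server (the second hunk implies this) and that the remaining servers run with `none`. Since `dac_override` and `dac_read_search` bypass file permission checks, it is also worth saying explicitly that they are scoped by the `lxc.id_map = u 0 524288 32767` line already in the block, so the container root holds them only within its own uid range, not on the host.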
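Review bot: In the second hunk, the new paragraph ("If you are not intending to run the file server inside the container, you may replace the capability grants with ... `lxc.cap.keep = none`") lands after the `lxc.mount.entry` lines, a dozen lines below the `lxc.cap.keep` setting it refers to, and "the capability grants" is the only pointer back to it. Suggest moving the paragraph directly under the config block or naming the line it amends, e.g. "replace the `lxc.cap.keep` line with", and phrasing the default the other way round: start from `lxc.cap.keep = none` and add the four capabilities only when the file server runs in the container, so the least-privilege setting is what a reader who skims the block gets. The indented `lxc.cap.keep = none` line renders as a code block in the .mdwn, consistent with the rest of the page, so no formatting change is needed there.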