Kernel Newbies archive on lore.kernel.org
From: Jeffrey Walton <noloader@gmail.com>
To: kernelnewbies <kernelnewbies@kernelnewbies.org>
Subject: Re: Alternate method of running swapon?
Date: Wed, 8 Jan 2020 17:23:54 -0500
Message-ID: <CAH8yC8kPb-yXkZ89xktfu67PmTB3JRCF2QY7u1DwtKXM=tHTHA@mail.gmail.com> (raw)
In-Reply-To: <7f477e10-8e55-fd1b-bc89-5399ba90395f@petrovitsch.priv.at>

On Wed, Jan 8, 2020 at 1:26 PM Bernd Petrovitsch
<bernd@petrovitsch.priv.at> wrote:
>
> Hi all!
>
> On 08/01/2020 19:09, Jeffrey Walton wrote:
> [...]
> > I work with an open source project. We have a VM but it is low-end.
> > The machine suffers OOM kills. We don't have access to /etc/fstab.
>
> Apparently you run too many (or too fat) programs;-)
>
> > Everything is an upsell with the VPS provider.
> >
> > I'm trying to set up a swapfile during startup using Systemd but:
> >
> >     # swapon /swapfile
> >     swapon: /swapfile: swapon failed: Operation not permitted
> >
> > This may be useful:
> [... nope ....]
>
> > My question is, is there a way to sidestep the restriction? Is it
> > possible to ask the kernel to use the swapfile without using the
> > command?
>
> The swapon (and swapoff) command basically calls the swapon()
> syscall (and swapoff() syscall, respectively) and their manual
> pages say the caller needs CAP_SYS_ADMIN capability which usually
> means being "root".
>
> Does it work in a root-shell?

No, it does not work in a root shell.

The output of capsh is below. The man page for capsh(1) does not tell
me how to interpret it. Does cap_sys_admin under "current" mean I have
it? Or does lack of cap_sys_admin in "bounding" mean I lack it?

Jeff

# capsh --print
Current: = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_chroot,cap_sys_ptrace,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_setfcap+eip
Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_chroot,cap_sys_ptrace,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap
Securebits: 00/0x0/1'b0
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
uid=0(root)
gid=0(root)
groups=0(root)
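
Added example, not part of the original message: a small shell function that reads `capsh --print` text like the output above and reports, for one capability, the flags it carries on the `Current:` line (e = effective, i = inheritable, p = permitted) and whether it is listed under `Bounding set`. The function name `cap_report` and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): locate one capability in `capsh --print` text.
# stdin: capsh output; $1: capability name.
# Prints "current=<flags|none> bounding=<yes|no>".
cap_report() {
    cap=$1 cur='' bnd=no
    while IFS= read -r line; do
        case $line in
        Current:*)
            # cap_to_text(3) clauses are space-separated; flag letters are e, i, p.
            for clause in ${line#Current:}; do
                case $clause in
                *-*) echo "unsupported clause: $clause" >&2; return 2 ;;
                =)   ;;                      # "=": start from empty sets
                =*)  cur=${clause#=} ;;      # "=ep": flags apply to every capability
                *+*) case ",${clause%+*}," in
                     *",$cap,"*) cur=$cur${clause##*+} ;;
                     esac ;;
                *)   echo "unsupported clause: $clause" >&2; return 2 ;;
                esac
            done ;;
        "Bounding set"*)
            list=$(printf '%s' "${line#*=}" | tr -d ' ')
            case ",$list," in *",$cap,"*) bnd=yes ;; esac ;;
        esac
    done
    printf 'current=%s bounding=%s\n' "${cur:-none}" "$bnd"
}

# Constructed sample in the same shape as the output above (shortened).
sample='Current: = cap_chown,cap_sys_admin+eip
Bounding set =cap_chown,cap_audit_control
uid=0(root)'

for c in cap_chown cap_sys_admin cap_audit_control; do
    printf '%-18s ' "$c"
    printf '%s\n' "$sample" | cap_report "$c"
done
```

On a live system, pipe the real output in: `capsh --print | cap_report cap_sys_admin`.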
