When I run command 'vserver myguest start' (from sys-cluster/util-vserver-0.30.212-r2, linked against dev-libs/dietlibc-0.30-r2), it doesn't work.

Reproducible: Always

Steps to Reproduce:
1. prepare vserver ready kernel and vserver-util as described in http://www.gentoo.org/proj/en/vps/vserver-howto.xml
2. create guest vserver named 'myguest'
3. execute 'vserver myguest start' command

Actual Results:
# vserver myguest start
'VERIFYCAP' can be executed as root only
capabilities are not enabled in kernel-setup
Failed to start vserver 'myguest'

Expected Results:
# vserver myguest start
Gentoo/Linux 1.13.0_alpha12; http://www.gentoo.org/
Copyright 1999-2007 Gentoo Foundation; Distributed under the GPLv2
Press I to enter interactive boot mode
* Using existing device nodes in /dev [ ok ]
* root filesystem is mounted read-write - skipping
* Checking all filesystems [ ok ]
* Mounting local filesystems [ ok ]
* Activating (possible) swap [ ok ]
* Setting hostname to myguest [ ok ]
* Updating environment [ ok ]
* Cleaning /var/lock, /var/run [ ok ]
* Cleaning /tmp directory [ ok ]
* Initializing random number generator [ ok ]
* Setting system clock using the hardware clock [VPS] [ ok ]
* Starting syslog-ng [ ok ]
* Starting vixie-cron [ ok ]
* Starting local [ ok ]

# emerge --info
Portage 2.1.2.12 (hardened/x86/2.6, gcc-3.4.6, glibc-2.5-r4, 2.6.20-hardened-r6-vs2.2.0.3 i686)
=================================================================
System uname: 2.6.20-hardened-r6-vs2.2.0.3 i686 Intel(R) Xeon(TM) CPU 2.00GHz
Gentoo Base System release 1.12.9
Timestamp of tree: Tue, 11 Sep 2007 20:50:01 +0000
app-shells/bash: 3.2_p17
dev-lang/python: 2.4.4-r4
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.9-r2
sys-apps/sandbox: 1.2.17
sys-devel/autoconf: 2.13, 2.61-r1
sys-devel/automake: 1.5, 1.7.9-r1, 1.9.6-r2, 1.10
sys-devel/binutils: 2.17
sys-devel/gcc-config: 1.3.16
sys-devel/libtool: 1.5.24
virtual/os-headers: 2.6.21
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-mtune=i686 -O2 -pipe -fforce-addr"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /var/bind"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-mtune=i686 -O2 -pipe -fforce-addr"
DISTDIR="/usr/portage/distfiles"
FEATURES="collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict"
GENTOO_MIRRORS="http://gentoo.mirror.web4u.cz/ http://gentoo.tiscali.nl/ http://gentoo.intergenia.de"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="amavis apache2 authdaemond authfile bash-completion berkdb bzip2 chroot clamav clamd cli colordiff cracklib crypt doc fbcon filter gd gdbm gif hardened hpn iconv imap innodb jpeg jpeg2k libclamav libwww logrotate maildir midi mysql mysqli ncurses network-cron nls nptl nptlonly pam pam_chroot pam_console pam_timestamp pcre pdf perl php pic png profile python readline sasl sftp sftplogging spamassassin spell spl ssl syslog tcpd threads unicode unsupported_8bit urandom vhosts workbench x86 xorg zlib"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol"
ELIBC="glibc"
INPUT_DEVICES="mouse keyboard"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
USERLAND="GNU"
Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

According to howto and uncle Google
I've checked that my kernel config contains:

CONFIG_SECURITY_CAPABILITIES=y

and I run the mentioned command as root. Using the source I discovered the message comes from src/vserver-info.c (from vserver-util, see below):

...
  if (getuid()!=0) {
    WRITE_MSG(2, "'VERIFYCAP' can be executed as root only\n");
    return false;
  }
...

It seems like getuid() from dev-libs/dietlibc-0.30-r2 doesn't work properly as it should return 0 when I'm root. I've confirmed it with a simple program getuid.c:

#include <stdio.h>
#include <unistd.h>  /* declares getuid() */

int main() {
  /* getuid32() is the name used with dietlibc here; it is not a glibc function */
  printf("getuid:%d, getuid32:%d\n", getuid(), getuid32());
  return 0;
}

linked against dietlibc using 'diet gcc getuid.c -o getuid' it returns:

server ~ # ./getuid
getuid:-1, getuid32:0
server ~ # su jirik
jirik@server /root $ ./getuid
getuid:-1, getuid32:1000

I see several possible solutions:
1) change the sys-cluster/util-vserver ebuild so that util-vserver is not linked against dietlibc (probably depending on a dietlibc USE flag or something like that), as getuid() from glibc works fine (but it is not recommended for util-vserver, I know)
2) fix dietlibc to handle getuid() correctly.
3) fix util-vserver not to use the broken getuid() from dietlibc, but getuid32(), which seems to be working (but it will probably break compatibility with glibc, as I didn't find getuid32() in glibc).
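A diagnostic for the symptom reported above, as an added example that is not part of the original report or of util-vserver: it reads the uid through the libc wrapper and through a raw syscall, and reports "uid could not be determined" separately from "not root" instead of folding both into one message. It assumes a libc that provides syscall() and the SYS_* constants; struct uid_probe, the probe_* helpers and check_root() are names made up for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

/* One uid query: ok is 0 when the call itself failed (returned -1). */
struct uid_probe { uid_t uid; int ok; int err; };

/* Ask the kernel directly by syscall number, bypassing the libc wrapper. */
static struct uid_probe probe_raw(long nr) {
    struct uid_probe p = { (uid_t)-1, 0, 0 };
    long r = syscall(nr);
    if (r == -1) p.err = errno;          /* e.g. ENOSYS if the kernel lacks it */
    else { p.uid = (uid_t)r; p.ok = 1; }
    return p;
}

/* Ask through the libc wrapper, the path the VERIFYCAP check takes. */
static struct uid_probe probe_wrapper(void) {
    struct uid_probe p = { (uid_t)-1, 0, 0 };
    uid_t u = getuid();
    if (u == (uid_t)-1) p.err = errno;   /* (uid_t)-1 is never a real uid */
    else { p.uid = u; p.ok = 1; }
    return p;
}

/* Preferred raw syscall: the 32-bit-uid variant where the arch has one. */
static struct uid_probe probe_kernel(void) {
#ifdef SYS_getuid32
    struct uid_probe p = probe_raw(SYS_getuid32);
    if (p.ok) return p;
#endif
    return probe_raw(SYS_getuid);
}

/* 1 = root, 0 = not root, -1 = uid could not be determined (fail closed). */
static int check_root(void) {
    struct uid_probe w = probe_wrapper(), k = probe_kernel();
    if (!w.ok || !k.ok || w.uid != k.uid) return -1;
    return w.uid == 0;
}

int main(void) {
    struct uid_probe w = probe_wrapper(), k = probe_kernel();
    printf("wrapper: ok=%d uid=%ld errno=%d\n", w.ok, (long)w.uid, w.err);
    printf("kernel:  ok=%d uid=%ld errno=%d\n", k.ok, (long)k.uid, k.err);
    printf("check_root: %d\n", check_root());
    return 0;
}
```

A result of -1 from check_root() points at the libc or syscall layer rather than at the caller's privileges, which is the distinction the 'VERIFYCAP' message above does not make.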
Can you please try if it works with dietlibc-0.31_pre20070612 and reopen if not?