commit 6c4f1105314c7d3a93560f821af169058ca9f012
parent 800fcc11a5f864a0b56852652e7a32cbfab3cd49
Author: Hiltjo Posthuma <hiltjo@codemadness.org>
Date: Tue, 8 Jul 2014 11:37:25 +0000
README: add more setup information
- kernel configuration.
- capchroot capabilities.
Signed-off-by: Christoph Lohmann <20h@r-36.net>
Diffstat:
1 file changed, 18 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
@@ -50,15 +50,29 @@ Here are the links to install capchroot. For now this isn't automated.
https://dev.archlinux.org/~thomas/capchroot/
http://bedrocklinux.org/1.0alpha1/install.html#DOWNLOAD%20Capchroot
-After you have a capchroot(1) binary, copy it to your PATH. Then create the
-/etc/capchroot.allow file to define users which are allowed to run capchroot
-and where. On my setup there is a »ns« group, which members are allowed to
-chroot to the defined namespaces.
+After you have a capchroot(1) binary, copy it to your PATH. Set cap_sys_chroot
+by running:
+
+ setcap cap_sys_chroot=ep /bin/capchroot
+
+Then create the /etc/capchroot.allow file to define users which are allowed to
+run capchroot and where. On my setup there is a »ns« group, which members
+are allowed to chroot to the defined namespaces.
cat /etc/capchroot.allow
/ns/debian @ns
...
+### Kernel configuration
+
+Depending on the filesystem you use make sure the following options are
+enabled in the kernel (for example for ext4):
+
+These are defined in the kernel .config as:
+Ext4 security labels - EXT4_FS_SECURITY=y
+Ext4 extended attributes - EXT4_FS_XATTR=y (deprecated, this is now enabled
+by default for ext4).
+
## Issues in the concept
* Unchroot is not yet implemented, so a complete linking in of X11 is not
possible.
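Review bot: the new `setcap cap_sys_chroot=ep /bin/capchroot` line hardcodes a path while the sentence before it only says "copy it to your PATH"; either name the install location explicitly or write it as `setcap cap_sys_chroot=ep /path/to/capchroot`, and add a `getcap /path/to/capchroot` line so the reader can confirm the capability took effect before editing /etc/capchroot.allow. The "Kernel configuration" section also has two lead-ins with nothing between them ("make sure the following options are enabled in the kernel (for example for ext4):" directly followed by "These are defined in the kernel .config as:"); merge them into one sentence and say why these options matter, namely that setcap stores the capability set as a security extended attribute on the file, so the filesystem holding the binary must have security labels/xattrs enabled, which ties this section back to the setcap step. Finally, put the two `EXT4_FS_*` lines in a list or indented block like the existing `cat /etc/capchroot.allow` example, and reword the EXT4_FS_XATTR entry so it reads as "not needed on current kernels" rather than as an option the reader is told to enable and then told is deprecated.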