Alternate method of running swapon?
Jeffrey Walton
noloader at gmail.com
Wed Jan 8 17:23:54 EST 2020
On Wed, Jan 8, 2020 at 1:26 PM Bernd Petrovitsch
<bernd at petrovitsch.priv.at> wrote:
>
> Hi all!
>
> On 08/01/2020 19:09, Jeffrey Walton wrote:
> [...]
> > I work with an open source project. We have a VM but it is low-end.
> > The machine suffers OOM kills. We don't have access to /etc/fstab.
>
> Apparently you run too many (or too fat) programs;-)
>
> > Everything is an upsell with the VPS provider.
> >
> > I'm trying to set up a swapfile during startup using Systemd but:
> >
> > # swapon /swapfile
> > swapon: /swapfile: swapon failed: Operation not permitted
> >
> > This may be useful:
> [... nope ....]
>
> > My question is, is there a way to sidestep the restriction? Is it
> > possible to ask the kernel to use the swapfile without using the
> > command?
>
> The swapon (and swapoff) command basically calls the swapon()
> syscall (and swapoff() syscall, respectively) and their manual
> pages say the caller needs CAP_SYS_ADMIN capability which usually
> means being "root".
>
> Does it work in a root-shell?

No, it does not work in a root shell.

The output of capsh is below. The man page for capsh(1) does not tell
me how to interpret it. Does cap_sys_admin under "current" mean I have
it? Or does lack of cap_sys_admin in "bounding" mean I lack it?

Jeff

# capsh --print
Current: = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_chroot,cap_sys_ptrace,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_setfcap+eip
Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_chroot,cap_sys_ptrace,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap
Securebits: 00/0x0/1'b0
secure-noroot: no (unlocked)
secure-no-suid-fixup: no (unlocked)
secure-keep-caps: no (unlocked)
uid=0(root)
gid=0(root)
groups=0(root)
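
An added example, not part of the original message or of capsh: a small Python parser for the two lines the question is about. It evaluates the "Current:" line as cap_from_text(3) clauses (operators =, +, - with flags e, i, p), reads the "Bounding set" list, and reports which sets a given capability appears in. The function names are hypothetical and the sample input is abbreviated from the output in the message.

```python
import re

CLAUSE = re.compile(r"^([a-z0-9_,]*)((?:[=+-][eip]*)+)$")

def parse_cap_text(text, universe=frozenset()):
    """Evaluate cap_from_text(3) clauses into effective/inheritable/permitted sets."""
    sets = {"e": set(), "i": set(), "p": set()}
    for clause in text.split():
        m = CLAUSE.match(clause)
        if m is None:
            raise ValueError(f"unrecognised clause: {clause!r}")
        names, actions = m.groups()
        # An empty name list or "all" addresses every capability. Assumption:
        # "every" is approximated by the names passed in as `universe`.
        caps = set(universe) if names in ("", "all") else set(names.split(","))
        for op, flags in re.findall(r"([=+-])([eip]*)", actions):
            if op == "=":  # '=' first resets the listed caps in all three sets
                for s in sets.values():
                    s -= caps
            for flag in flags:
                if op == "-":
                    sets[flag] -= caps
                else:
                    sets[flag] |= caps
    return sets

def parse_capsh_print(output):
    """Return (sets, bounding) from the 'Current:' and 'Bounding set' lines."""
    current = bounding_text = ""
    for line in output.splitlines():
        if line.startswith("Current:"):
            current = line.split(":", 1)[1]
        elif line.startswith("Bounding set"):
            bounding_text = line.split("=", 1)[1]
    bounding = {c for c in bounding_text.strip().split(",") if c}
    return parse_cap_text(current, universe=bounding), bounding

def compare(output, cap):
    sets, bounding = parse_capsh_print(output)
    return {"effective": cap in sets["e"], "permitted": cap in sets["p"],
            "inheritable": cap in sets["i"], "bounding": cap in bounding}

# Abbreviated from the capsh --print output in the message above.
SAMPLE = """\
Current: = cap_chown,cap_net_admin,cap_sys_admin,cap_setfcap+eip
Bounding set =cap_chown,cap_audit_control,cap_setfcap
"""

if __name__ == "__main__":
    print(compare(SAMPLE, "cap_sys_admin"))
```
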