[libvirt] [RFC PATCH 2/2] LXC: Create ro overlay mounts only if we're not within a user namespace

Richard Weinberger richard at nod.at
Mon Jul 1 06:29:14 UTC 2013


Am 01.07.2013 04:26, schrieb Gao feng:
>> Well, given that we're at rc2 now & I'm still unclear about how some
>> aspects of the userns setup are working, I'm afraid we'll have to wait
>> until 1.1.1 for the userns LXC code to merge.  I'll aim to do it next
>> week, so that we have plenty of time for further testing before the
>> 1.1.1 release.
>>
> 
> Ok, I think Richard had tested the userns support.
> Hi Richard, can you give me your ack or tested-by?

I'm still facing one userns related issue.

Create a container like this one:
---cut---
<domain type='lxc'>
  <name>testi</name>
  <memory>102400</memory>
  <os>
    <type>exe</type>
    <init>/bin/bash</init>
  </os>
  <idmap>
        <uid start='0' target='100000' count='100000'/>
        <gid start='0' target='100000' count='100000'/>
  </idmap>
  <devices>
        <console type='pty'/>
        <filesystem type='mount'>
          <source dir='/some/where/rootfs'/>
          <target dir='/'/>
        </filesystem>
     <interface type='network'>
      <source network='default'/>
        <mac address="52:54:00:be:49:be"/>
    </interface>
  </devices>
</domain>
---cut---

After creating it, attach to its console; you'll find bash as pid 1.
And you'll find that /proc/1/ is not fully uid/gid-mapped:
---cut---
# ls -la /proc/1/
total 0
dr-xr-xr-x  8 root   root    0 Jul  1 06:06 .
dr-xr-xr-x 74 nobody nogroup 0 Jul  1 06:06 ..
dr-xr-xr-x  2 root   root    0 Jul  1 06:06 attr
-r--------  1 nobody nogroup 0 Jul  1 06:06 auxv
-r--r--r--  1 nobody nogroup 0 Jul  1 06:06 cgroup
--w-------  1 nobody nogroup 0 Jul  1 06:06 clear_refs
-r--r--r--  1 nobody nogroup 0 Jul  1 06:06 cmdline
-rw-r--r--  1 nobody nogroup 0 Jul  1 06:06 comm
-rw-r--r--  1 nobody nogroup 0 Jul  1 06:06 coredump_filter
-r--r--r--  1 nobody nogroup 0 Jul  1 06:06 cpuset
lrwxrwxrwx  1 nobody nogroup 0 Jul  1 06:06 cwd -> /
-r--------  1 nobody nogroup 0 Jul  1 06:06 environ
lrwxrwxrwx  1 nobody nogroup 0 Jul  1 06:06 exe -> /bin/bash
dr-x------  2 nobody nogroup 0 Jul  1 06:06 fd
dr-x------  2 nobody nogroup 0 Jul  1 06:06 fdinfo
-rw-r--r--  1 nobody nogroup 0 Jul  1 06:06 gid_map
-r--------  1 nobody nogroup 0 Jul  1 06:06 io
-r--r--r--  1 nobody nogroup 0 Jul  1 06:06 limits
-rw-r--r--  1 nobody nogroup 0 Jul  1 06:06 loginuid
-r--r--r--  1 nobody nogroup 0 Jul  1 06:06 maps
-rw-------  1 nobody nogroup 0 Jul  1 06:06 mem
-r--r--r--  1 nobody nogroup 0 Jul  1 06:06 mountinfo
-r--r--r--  1 nobody nogroup 0 Jul  1 06:06 mounts
-r--------  1 nobody nogroup 0 Jul  1 06:06 mountstats
dr-xr-xr-x 10 root   root    0 Jul  1 06:06 net
dr-x--x--x  2 nobody nogroup 0 Jul  1 06:06 ns
-r--r--r--  1 nobody nogroup 0 Jul  1 06:06 numa_maps
-rw-r--r--  1 nobody nogroup 0 Jul  1 06:06 oom_adj
-r--r--r--  1 nobody nogroup 0 Jul  1 06:06 oom_score
-rw-r--r--  1 nobody nogroup 0 Jul  1 06:06 oom_score_adj
-r--r--r--  1 nobody nogroup 0 Jul  1 06:06 pagemap
-r--r--r--  1 nobody nogroup 0 Jul  1 06:06 personality
-rw-r--r--  1 nobody nogroup 0 Jul  1 06:06 projid_map
lrwxrwxrwx  1 nobody nogroup 0 Jul  1 06:06 root -> /
-r--r--r--  1 nobody nogroup 0 Jul  1 06:06 schedstat
-r--r--r--  1 nobody nogroup 0 Jul  1 06:06 sessionid
-r--r--r--  1 nobody nogroup 0 Jul  1 06:06 smaps
-r--r--r--  1 nobody nogroup 0 Jul  1 06:06 stack
-r--r--r--  1 nobody nogroup 0 Jul  1 06:06 stat
-r--r--r--  1 nobody nogroup 0 Jul  1 06:06 statm
-r--r--r--  1 nobody nogroup 0 Jul  1 06:06 status
-r--r--r--  1 nobody nogroup 0 Jul  1 06:06 syscall
dr-xr-xr-x  3 root   root    0 Jul  1 06:06 task
-rw-r--r--  1 nobody nogroup 0 Jul  1 06:06 uid_map
-r--r--r--  1 nobody nogroup 0 Jul  1 06:06 wchan
---cut---

Systemd suffers from this issue because it needs to read from /proc/1/environ.
After one exec /proc seems to be fixed:

---cut---
# cat /proc/1/environ
cat: /proc/1/environ: Permission denied
# exec /bin/bash
# cat /proc/1/environ
TERM=linuxPATH=/bin:/sbinPWD=/container_uuid=fabc42f8-cdee-461c-9a21-93902ab52b40SHLVL=0LIBVIRT_LXC_UUID=fabc42f8-cdee-461c-9a21-93902ab52b40LIBVIRT_LXC_NAME=testicontainer=lxc-libvirt

---cut---

If I turn lxcContainerDropCapabilities() into a NOP the permissions in /proc are no longer clobbered.

Another (maybe related) issue:
No capabilities seem to get dropped.
(Of course tested where lxcContainerDropCapabilities() is not a NOP :) )

---cut---
# /usr/bin/pscap -a
ppid  pid   name        command           capabilities
0     1     root        bash              full
---cut---

Any ideas what's going on here?

Thanks,
//richard
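Added example, not part of Richard's mail or of libvirt: a few helpers that read the same /proc facts the mail relies on (the uid_map/gid_map of a process, file ownership under /proc/<pid>, and the CapEff mask from /proc/<pid>/status) and turn them into checks a container operator can run from inside or outside the container. The sample inputs are constructed to mirror the report above (the idmap 0 -> 100000 x 100000, a few of the `nobody nogroup` entries, and a CapEff mask with every capability set, which is what pscap reports as "full"); the capability bit numbers are the standard Linux ones from linux/capability.h for the 3.x kernels of the mail's era. The check function, its arguments and the expected-drop list are assumptions made for this example.

```python
import re

# Linux capability bit numbers, index == bit (linux/capability.h; CAP_LAST_CAP == 36
# on the 3.x kernels current in 2013).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND",
]

# An id with no mapping in the reading user namespace is shown as the kernel's
# overflow id, 65534, which /etc/passwd usually names "nobody" / "nogroup".
OVERFLOW_ID = 65534

# Constructed samples mirroring the mail: <uid start='0' target='100000' count='100000'/>,
# a slice of the `ls -la /proc/1/` listing, and two /proc/<pid>/status fragments.
SAMPLE_UID_MAP = "         0     100000     100000\n"
SAMPLE_LS = """\
total 0
dr-xr-xr-x  8 root   root    0 Jul  1 06:06 .
-r--------  1 nobody nogroup 0 Jul  1 06:06 environ
lrwxrwxrwx  1 nobody nogroup 0 Jul  1 06:06 exe -> /bin/bash
-rw-r--r--  1 nobody nogroup 0 Jul  1 06:06 uid_map
dr-xr-xr-x  3 root   root    0 Jul  1 06:06 task
"""
SAMPLE_STATUS_FULL = "Name:\tbash\nCapEff:\t0000001fffffffff\n"      # bits 0..36 set: "full"
SAMPLE_STATUS_DROPPED = "Name:\tbash\nCapEff:\t0000001fffdeffff\n"   # CAP_SYS_MODULE, CAP_SYS_ADMIN cleared


def parse_id_map(text):
    """Parse /proc/<pid>/uid_map or gid_map: each line is 'inside outside count'."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 3:
            entries.append(tuple(int(f) for f in fields))
    return entries


def host_to_container(idmap, host_id):
    """Id as seen inside the namespace; unmapped host ids become OVERFLOW_ID."""
    for inside, outside, count in idmap:
        if outside <= host_id < outside + count:
            return inside + (host_id - outside)
    return OVERFLOW_ID


def container_to_host(idmap, container_id):
    """Host-side id for a container id, or None if the container id is not mapped."""
    for inside, outside, count in idmap:
        if inside <= container_id < inside + count:
            return outside + (container_id - inside)
    return None


def unmapped_entries(ls_output, owner="nobody", group="nogroup"):
    """Names from `ls -la` output whose owner or group is the overflow user/group."""
    names = []
    for line in ls_output.splitlines():
        fields = line.split()
        if len(fields) < 9 or fields[0] == "total":
            continue
        if fields[2] == owner or fields[3] == group:
            names.append(fields[8])
    return names


def parse_cap_mask(status_text, field="CapEff"):
    """Hex capability mask from a /proc/<pid>/status 'CapXxx:' line."""
    m = re.search(r"^%s:\s*([0-9a-fA-F]+)$" % re.escape(field), status_text, re.M)
    if not m:
        raise ValueError("no %s line in status" % field)
    return int(m.group(1), 16)


def caps_in_mask(mask):
    """Capability names whose bit is set in mask."""
    return [name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1]


def check_container_view(uid_map_text, ls_text, status_text, must_drop):
    """Assumed helper tying the three checks together: does host root map to the
    container, which /proc/<pid> entries are unmapped, and which of the capabilities
    that should have been dropped are still effective."""
    idmap = parse_id_map(uid_map_text)
    present = set(caps_in_mask(parse_cap_mask(status_text)))
    return {
        "container_root_on_host": container_to_host(idmap, 0),
        "host_root_in_container": host_to_container(idmap, 0),
        "pid1_unmapped": unmapped_entries(ls_text),
        "caps_still_present": sorted(c for c in must_drop if c in present),
    }
```

Run `check_container_view` against the two status samples: with the "full" mask the result lists every capability in `must_drop` as still present, which is the state pscap reported; with the dropped mask the list is empty. `host_root_in_container` coming back as 65534 for host uid 0 is the same effect that makes unmapped /proc entries appear as `nobody nogroup`.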