[libvirt] IPv6 in Libvirt LXC
Daniel P. Berrange
berrange at redhat.com
Mon Jun 2 16:22:21 UTC 2014
On Mon, Jun 02, 2014 at 03:09:08PM +0000, Thomas Maddox wrote:
> Hey all,
>
> According to a discussion last week in the Nova-Libvirt subgroup meeting,
> it was advised, by danpb, that I bring this issue up on the Libvirt mailing
> list for discussion and resolution. So, here goes -
>
> I'm currently using config drive from Nova to generate network configurations
> for LXC guests that are spun up via Libvirt. Unfortunately, when doing some
> IPv6 testing, I ran into a snag (with a couple work arounds detailed below).
> Due to the read-only mount of /proc/sys (http://libvirt.org/drvlxc.html#fsmounts),
> I am unable to get expected behavior from IPv6 static network configurations.
> I did some poking around and found this bug from a couple years ago that pretty
> well outlines the problem:
>
> https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/964882.
>
> I wasn't sure how we might go about correcting this, but it seems like something
> we'll need to address in Libvirt. Maybe with the user namespaces working, we can
> begin to provide some read/write mounts instead of read-only with clear
> documentation on the security implications? =] When using static IPv6 addressing
> it was attempting the following command: 'sysctl -q -e -w net.ipv6.conf.eth0.autoconf=0'.
> I tested to see whether the host and the guest share this value. I was able to
> change it in the host without it being reflected in the guest.
That sounds promising. I guess we need to check whether that isolation applies
to every tunable underneath net.* or just the tunables that are tied to specific
network interfaces. eg net.*.eth0.* Hopefully it would be the former, but I'm
afraid it could well be the latter....
> The work arounds I've tried that seemed to allow IPv6 to get configured properly:
>
> 1. Use the post-up hook on an IPv4 static configuration to configure IPv6 via
> ifconfig/routes (example: http://paste.openstack.org/show/82446/).
> 2. Patch Libvirt to include a /proc/sys/net mount as read/write.
This would be reasonable todo, assuming the entire subtree of
/proc/sys/net was actually isolated from the host by the network
namespace.
The remounting of /proc/sys readonly is a psuedo-security measure. In the
absence of user namespaces it does not actually protect against a malicious
user with root in the container, since they can just re-mount it read-write
again. So when user namespaces are *not* active, we could easily just make
/proc/sys/net (or even the entire of /proc/sys) read-write, without lowering
the real security protection.
When user namesplaces *are* active, the remapping of UID/GID==0 to a
non-0 value will prevent the root user in the container from changing
anything in /proc/sys even if we have it entirely read-write. So merely
changing /proc/sys/net to read-write won't fix your problem when user
namespaces are active.
IIUC, we'd need to recursively chown the files under /proc/sys/net to
give them the remapped UID/GID of the root user in the container, in
order that they can be used.
So overall I think we'd have to do
- Make either /proc/sys/net or /proc/sys read-write
- If userns is active, recursive chown /proc/sys/net (or a subset of
files in it that we explicitly want to grant access to)
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
More information about the libvir-list
mailing list