[libvirt-users] [libvirt] LXC, user namespaces and systemd

Stephan Sachse ste.sachse at gmail.com
Thu Feb 27 15:32:09 UTC 2014


On Thu, Feb 27, 2014 at 3:07 PM, Dariusz Michaluk
<d.michaluk at samsung.com> wrote:
> On 26.02.2014 17:59, Stephan Sachse wrote:
>>>
>>> # chown -R foo:foo /var/lib/libvirt/filesystems/mycontainer
>>
>> you must "shift" the uids for the container  0 -> 666, 1 -> 667, 2 ->
>> 668. there is a tool for this: uidmapshift
>
> I prepared two containers, the first I used chown, in the second
> uidmapshift, here is the results.
>
> ./uidmapshift -r /var/lib/libvirt/filesystems/mycontainer
> UIDs 666 - 666
> GIDs 1001 - 2000
>
> foo      28919 28917  0 14:42 ?        00:00:00 /sbin/init
> 747      28950 28919  0 14:42 ?        00:00:00 /bin/dbus-daemon
>
> ./uidmapshift -r /var/lib/libvirt/filesystems/test
> UIDs 888 - 1776
> GIDs 1002 - 2001
>
> foo1     29298 29296  0 14:45 ?        00:00:00 /sbin/init
> 969      29329 29298  0 14:45 ?        00:00:00 /bin/dbus-daemon
>
> As you can see root is mapped to foo or foo1 user and dbus user is mapped to
> 747 (uid=81(dbus) + uid=666(foo)) or 969 (uid=81(dbus) + uid=888(foo1)).
> Mapping looks properly. Why use uidmapshift ?, it still performs chown.
> Could you explain more?

# ls -ln uidmapshift-test/
-rw-r--r-- 1  0  0 0 27. Feb 15:50 uid0
-rw-r--r-- 1 81 81 0 27. Feb 15:50 uid81

# /root/uidmapshift -b uidmapshift-test/ 0 100000 1000
# ls -ln uidmapshift-test/
-rw-r--r-- 1 100000 100000 0 27. Feb 15:50 uid0
-rw-r--r-- 1 100081 100081 0 27. Feb 15:50 uid81

correctly mapped 0 to 100000 with a range of 1000

# chown 100000.100000 uidmapshift-test/ -R
# ls -ln uidmapshift-test/
-rw-r--r-- 1 100000 100000 0 27. Feb 15:50 uid0
-rw-r--r-- 1 100000 100000 0 27. Feb 15:50 uid81

wrong mapping for file uid81

look at the ls -l output from inside the container! btw:
/bin/dbus-daemon is root.root on my system (fedora20)

# rpm -qlv dbus | grep 'bin/dbus-daemon'
-rwxr-xr-x    1 root    root                   445104 Dez 26 10:26
/bin/dbus-daemon

fedora20 inside the container (999=ssh_keys)

# ls -ln /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_ecdsa_key
-rw-r----- 1 0 999  227 18. Feb 12:56 /etc/ssh/ssh_host_ecdsa_key
-rw-r----- 1 0 999 1679 18. Feb 12:56 /etc/ssh/ssh_host_rsa_key

fedora20 outside the container

ls -l etc/ssh/ssh_host_rsa_key etc/ssh/ssh_host_ecdsa_key
-rw-r----- 1 100000 999  227 18. Feb 13:56 etc/ssh/ssh_host_ecdsa_key
-rw-r----- 1 100000 999 1679 18. Feb 13:56 etc/ssh/ssh_host_rsa_key

i have a mapping: 0 to 100000 range 1
if the range is 10000. it must looks like this from the outside

ls -l etc/ssh/ssh_host_rsa_key etc/ssh/ssh_host_ecdsa_key
-rw-r----- 1 100000 100999  227 18. Feb 13:56 etc/ssh/ssh_host_ecdsa_key
-rw-r----- 1 100000 100999 1679 18. Feb 13:56 etc/ssh/ssh_host_rsa_key

and as before from the inside

>> some tools may not work, because of the missing file capabilities.
>> chown removes all file capabilities! try ping as user inside the
>> container. (missing file cap cap_net_admin,cap_net_raw)
>
> # getcap /usr/bin/ping
> # ping localhost
> PING localhost (127.0.0.1) 56(84) bytes of data.
> 64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.077 ms
> 64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.066 ms
> ^C
> --- localhost ping statistics ---
> 2 packets transmitted, 2 received, 0% packet loss, time 999ms
> rtt min/avg/max/mdev = 0.066/0.071/0.077/0.010 ms
>
> Yes you are right, chown removed capabilities, but ping still works
> properly.

try it as user and not as root

# su -s/bin/bash nobody -c 'ping localhost'
ping: icmp open socket: Operation not permitted

fix this from outside the container

chroot /path/to/rootfs

rpm --qf "[%{FILECAPS} %{FILENAMES}\n]" -qa | grep ^= | sed -e 's/^=/setcap/'

and paste the output into your terminal

/stephan

-- 
Software is like sex, it's better when it's free!




More information about the libvirt-users mailing list