[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt-users] understanding --idmap for containers (v2.5.0)



On Thu, Apr 20, 2017 at 08:26:11AM +0000, mailing lists wrote:
> Hello,
> I'm testing containers on a host machine without selinux so I'm trying use the idmap feature, but I must be missing something because all that I get is a readonly container for the root user.
> 
> # virsh version --daemon
> Compiled against library: libvirt 2.5.0
> Using library: libvirt 2.5.0
> Using API: QEMU 2.5.0
> Running hypervisor: QEMU 2.8.1
> Running against daemon: 2.5.0
> 
> # virsh --connect lxc:/// dumpxml lab-gentoo-01
> <domain type='lxc'>
>   <name>lab-gentoo-01</name>
>   <uuid>a9f73091-b716-4b61-95ad-fa1d0c061bef</uuid>
>   <memory unit='KiB'>524288</memory>
>   <currentMemory unit='KiB'>524288</currentMemory>
>   <vcpu placement='static'>2</vcpu>
>   <resource>
>     <partition>/machine</partition>
>   </resource>
>   <os>
>     <type arch='x86_64'>exe</type>
>     <init>/bin/sh</init>
>   </os>
>   <idmap>
>     <uid start='0' target='900' count='10'/>
>     <gid start='0' target='900' count='10'/>

Ok, so UID 0 in the container is being mapped to UID 900 in the
host.


>     <filesystem type='mount' accessmode='passthrough'>
>       <source dir='/media/containers/lab-gentoo-01/'/>
>       <target dir='/'/>
>     </filesystem>


> # ls -l /media/containers/lab-gentoo-01/
> total 36
> drwxr-xr-x  2 root root 4096 Apr 13 07:33 bin
> drwxr-xr-x  2 root root   18 Apr 13 03:28 boot
> drwxr-xr-x  7 root root 4096 Apr 18 12:45 dev
> drwxr-xr-x 31 root root 4096 Apr 18 12:49 etc
> drwxr-xr-x  2 root root   18 Apr 13 03:28 home
> lrwxrwxrwx  1 root root    5 Apr 13 06:13 lib -> lib64
> drwxr-xr-x  2 root root 4096 Apr 13 06:14 lib32
> drwxr-xr-x  9 root root 4096 Apr 13 07:33 lib64
> drwxr-xr-x  2 root root   18 Apr 13 03:28 media
> drwxr-xr-x  2 root root   18 Apr 13 03:28 mnt
> drwxr-xr-x  2 root root   18 Apr 13 03:28 opt
> drwxr-xr-x  2 root root    6 Apr 13 03:18 proc
> drwx------  2 root root   18 Apr 13 03:28 root
> drwxr-xr-x  2 root root   31 Apr 13 07:32 run
> drwxr-xr-x  2 root root 4096 Apr 13 07:36 sbin
> drwxr-xr-x  2 root root   18 Apr 13 03:28 sys
> drwxrwxrwt  2 root root   18 Apr 13 07:36 tmp
> drwxr-xr-x 13 root root 4096 Apr 18 12:49 usr
> drwxr-xr-x  9 root root  102 Apr 13 03:28 var

THis is showing that the container's root filesystem is owned by
UID 0 in the *host*.

> # virsh --connect lxc:/// start --console lab-gentoo-01
> Domain lab-gentoo-01 started
> Connected to domain lab-gentoo-01
> Escape character is ^]
> sh-4.3# /usr/bin/id
> uid=0(root) gid=0(root) groups=0(root)
> sh-4.3# pwd
> /
> sh-4.3# touch asdf
> touch: cannot touch 'asdf': Permission denied

This is expected, because UID 0 in container is remapped to
uid 900 in host, and is thus denied ability to write to
a directory owned by uid 0 in the host

> indeed the container is using the idmap feature because the
> efective uid/gid map (900/900) is not allowing writes in the
> filesystem, but it doesn't seems very usefull.
> 
> is it possible to have read/write containers while using idmap?

You need to change the UIDs in your container's filesystem to be
offset by 900


Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]