[lxc-devel] Howto user namespaces?

Eric W. Biederman ebiederm at xmission.com
Thu Apr 11 15:59:56 UTC 2013


richard -rw- weinberger <richard.weinberger at gmail.com> writes:

> On Thu, Apr 11, 2013 at 5:03 PM, Eric W. Biederman
> <ebiederm at xmission.com> wrote:
>> richard -rw- weinberger <richard.weinberger at gmail.com> writes:
>>
>>> On Thu, Apr 11, 2013 at 7:03 AM, Eric W. Biederman
>>> <ebiederm at xmission.com> wrote:
>>>> richard -rw- weinberger <richard.weinberger at gmail.com> writes:
>>>>> {st_mode=S_IFCHR|0644, st_rdev=makedev(5, 1), ...}) = 0
>>>>> [pid  3100] chmod("/dev/pts/5", 020644) = -1 EPERM (Operation not permitted)
>>>>
>>>> I am puzzled why we don't see something to create /dev/pts/5 in this trace.
>>>
>>> I have also no idea.
>>> Please see both attached strace logs (linux v3.9-rc6, lxc 0.9.0).
>>> One with lxc.autodev = 0, the other with = 1.
>>
>> I have read through and I can see why you are failing.
>> With autodev you are failing with mknod /dev/null.
>> Without autodev you are creating pts (I assume to represent /dev/ttyN)
>> before creating the user namespace and then there is a permission
>> problem with chmod.
>>
>> Both of which seem like correct behavior from the kernel's standpoint.
>>
>>> My lxc config:
>>> ----
>>> lxc.network.type = empty
>>> lxc.rootfs = /var/lib/lxc/test2/rootfs
>>> lxc.utsname = test2
>>> lxc.autodev = 0
>>> lxc.tty = 4
>>
>> Let me suggest setting lxc.tty = 0. So you don't get tty creation
>> and see how far that goes.
>
> Both lxc.tty = 0 and lxc.pts = 0 trigger the same error.
> lxc-start: Operation not permitted - failed to set mode '020644' to '/dev/pts/1'
>
> To me it looks like lxc is trying to chmod /dev/pts/1 outside of the container.

From /dev/pts/5 to /dev/pts/1.  My guess is this is the /dev/console
emulation.

I will leave this to the lxc userspace folks to figure out the rest.

Given that it is the chmod in the first process in the user
namespace that is failing, I strongly suspect that /dev/pts/1
is owned by the uid that created the container and that uid is
not mapped into the user namespace.

The fix would be for the process that starts the container to
chown those files to the uid of root in the container.

Since you were having to do something special to set up the uid mapping
it would not surprise me if you have hit an overlooked corner case
in the lxc user namespace code base.

Eric
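An added example, not part of this thread or of lxc, of the uid-mapping check Eric's diagnosis turns on: it parses the /proc/<pid>/uid_map format and decides whether the host uid that owns a pty is visible inside the container's user namespace, and so whether a chmod from container root can succeed. The mapping range and uids used with it are constructed, and the CAP_FOWNER rule it encodes is the kernel's user-namespace capability check, not lxc code.

```python
# Added example (not from the thread): is the host uid that owns /dev/pts/N
# mapped into the container's user namespace?  Parses /proc/<pid>/uid_map.
from dataclasses import dataclass
from typing import List, Optional

OVERFLOW_UID = 65534  # kernel default for /proc/sys/kernel/overflowuid

@dataclass(frozen=True)
class UidMapEntry:
    inside: int   # first uid as seen inside the namespace
    outside: int  # corresponding first uid on the host
    count: int    # length of the contiguous range

def parse_uid_map(text: str) -> List[UidMapEntry]:
    """Parse 'inside outside count' lines; malformed lines raise ValueError."""
    entries = []
    for fields in (l.split() for l in text.splitlines() if l.strip()):
        if len(fields) != 3:
            raise ValueError(f"malformed uid_map line: {' '.join(fields)!r}")
        inside, outside, count = (int(f) for f in fields)
        if count <= 0:
            raise ValueError(f"non-positive count: {' '.join(fields)!r}")
        entries.append(UidMapEntry(inside, outside, count))
    return entries

def host_to_container_uid(host_uid: int, uid_map: List[UidMapEntry]) -> int:
    """Host uid as seen inside the namespace; unmapped uids show as OVERFLOW_UID."""
    for e in uid_map:
        if e.outside <= host_uid < e.outside + e.count:
            return e.inside + (host_uid - e.outside)
    return OVERFLOW_UID

def container_to_host_uid(container_uid: int, uid_map: List[UidMapEntry]) -> Optional[int]:
    """Host uid behind a container uid, or None if that range is not mapped."""
    for e in uid_map:
        if e.inside <= container_uid < e.inside + e.count:
            return e.outside + (container_uid - e.inside)
    return None

def pty_chmod_allowed(owner_host_uid: int, uid_map: List[UidMapEntry],
                      caller_uid: int = 0) -> bool:
    """Can caller_uid (inside the namespace) chmod a file owned on the host by
    owner_host_uid?  Container root has CAP_FOWNER only over mapped owners;
    any other caller must be the owner itself."""
    owner_seen = host_to_container_uid(owner_host_uid, uid_map)
    if owner_seen == OVERFLOW_UID:
        return False  # owner unmapped: EPERM, the failure seen in lxc-start
    return caller_uid == 0 or caller_uid == owner_seen
```

With a constructed map of `0 100000 65536`, a pty still owned by the creating user's host uid 1000 is unmapped and the chmod fails; after the starting process chowns it to `container_to_host_uid(0, ...)`, i.e. host uid 100000, container root may chmod it.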
