[lxc-devel] [critical] "Default" configuration may destroy host system

Andrian Nord nightnord at gmail.com
Tue Nov 24 18:24:08 UTC 2009


If you're running (by mistake or typo) (via lxc-start) a container that does not
exist, it will run with lxc.rootfs=/, meaning that /sbin/init will
restart the initialization procedure, effectively messing up the host's system,
which may lead to unpredictable results or even destroy (make inaccessible) the host
system (by resetting the network configuration or something like that).

(Actually, it _did_ destroy the system of everyone who tested this.)

Actually, I finally lost any sense of having such a feature for
full-system containers. You may not use the host's FS - it's described
above. You may not use some temporary directory - that's nonsense.

This patch forbids starting a container via lxc-start without an rcfile and
a custom start program, but it probably fixes only a small part of the problem.
I really don't see much sense in such a feature without the ability to
override the 'default' settings with command line switches. Anyway, the default
behaviour should be as safe as possible.

Signed-off-by: Andrian Nord <NightNord at gmail.com>

diff --git a/src/lxc/lxc_start.c b/src/lxc/lxc_start.c
index cf87abf..b8a8ec6 100644
--- a/src/lxc/lxc_start.c
+++ b/src/lxc/lxc_start.c
@@ -161,6 +161,11 @@ int main(int argc, char *argv[])
 		}
 	}
 
+	if (!rcfile && !my_args.argc) {
+		ERROR("no configuration file for full-system container");
+		return err;
+	}
+
 	if (my_args.daemonize) {
 
                 /* do not chdir as we want to open the log file,
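Review bot: `return err;` on the new early-exit path relies on whatever `err` holds at that point, which is outside the hunk; if `err` is still at its initial success value, lxc-start prints the ERROR but exits 0, so a caller or script would not notice the refusal. Suggest an explicit failure value on this path, e.g. `return -1;` (or the non-zero convention the rest of main() uses), or set `err` before returning. Note also that the condition `!rcfile && !my_args.argc` only refuses the no-rcfile, no-command case; a user who passes a command but no rcfile still inherits lxc.rootfs=/, which matches the message's own remark that this fixes only part of the problem.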