[lxc-devel] [critical] "Default" configuration may destroy host system
Daniel Lezcano
daniel.lezcano at free.fr
Tue Nov 24 21:28:24 UTC 2009
Andrian Nord wrote:
> If you're running (by mistake or typo) (via lxc-start) a container that does not
> exist, it will run with lxc.rootfs=/, meaning that /sbin/init will
> restart the initialization procedure, effectively messing up the host's system,
> which may lead to unpredictable results or even destroy (make inaccessible) the host
> system (by resetting network configuration or something like that).
>
> (Actually, it _did_ destroy the system of everyone who tested this).
>
bad :)
If lxc-start was able to exec /sbin/init and this one has enough
privilege to set up the network, that means it has been run as root. This
is an example of bad usage of the command, like root doing "rm -rf
/usr" for example.
But on the other hand, lxc-start -n foo runs /sbin/init implicitly, so
I hesitate to say "root should know what it does".
> Actually, I finally lost any sense of having such a feature for
> full-system containers. You may not use the host's FS - it's described
> above. You may not use some temporary directory - that's nonsense.
>
> This patch forbids starting a container via lxc-start without an rcfile and
> a custom start program, but probably it fixes only a small part of the problem.
>
Yeah, maybe it would be preferable to move the "rcfile" parsing from the
lxc_start function to the caller and pass the "struct lxc_conf" to
lxc_start. So we have the lxc_conf structure in lxc_start and we can do
all the sanity checks before calling lxc_start, no?
> I really don't see much sense in such a feature without the ability to
> override the 'default' setting with command line switches.
I am not sure I understand what you mean by overriding the 'default setting
with command line switches'.
Can you elaborate a bit with an example?
> Anyway, default
> behaviour should be as safe as possible.
>
> Signed-off-by: Andrian Nord <NightNord at gmail.com>
>
> diff --git a/src/lxc/lxc_start.c b/src/lxc/lxc_start.c
> index cf87abf..b8a8ec6 100644
> --- a/src/lxc/lxc_start.c
> +++ b/src/lxc/lxc_start.c
> @@ -161,6 +161,11 @@ int main(int argc, char *argv[])
> }
> }
>
> + if (!rcfile && !my_args.argc) {
> + ERROR("no configuration file for full-system container");
> + return err;
> + }
> +
> if (my_args.daemonize) {
>
> /* do not chdir as we want to open the log file,
>
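Review bot: the new check `if (!rcfile && !my_args.argc)` only refuses a start when no config file was given at all; a config file that exists but leaves lxc.rootfs unset, or sets it to /, still boots /sbin/init on the host's root, which is exactly the failure described in this thread. Doing the check on the parsed configuration (rootfs present and not "/") rather than on whether a file name was passed would close that gap. Also, `return err;` hands back whatever `err` held before this point and nothing in the hunk sets it; set it to an explicit failure value before returning so a refused start does not exit 0.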
Do you mind if I move the rcfile parsing before calling lxc_start and
then we discuss the sanity checks in lxc_start?
Thanks for pointing out this problem, I feel 0.6.4 will have a very short
life :)
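As an added example, not LXC's own code and not the patch in this thread: the kind of pre-start sanity check Daniel suggests, done on a parsed configuration instead of on whether an rcfile name was passed, so that it also refuses a config that leaves lxc.rootfs unset or pointing at the host's /. The lxc.rootfs key is the one named in the thread; struct start_conf, parse_start_conf, check_start_conf, check_start_text and the config texts are hypothetical/constructed. Treating an unset lxc.rootfs as equivalent to / is an assumption based on Andrian's description of the default.

```c
/* Added example (not LXC code): a sanity check on a parsed config,
 * run before anything execs /sbin/init. Names below are hypothetical. */
#include <stdio.h>
#include <string.h>

#define ROOTFS_MAX 4096

enum { START_OK = 0, START_NO_RCFILE = -1, START_HOST_ROOTFS = -2, START_BAD_CONF = -3 };

/* Hypothetical minimal stand-in for the parts of struct lxc_conf we need. */
struct start_conf {
    char rootfs[ROOTFS_MAX];  /* lxc.rootfs value, empty if the key is absent */
    int  has_rcfile;          /* a config file was supplied at all */
    int  has_command;         /* a custom program replaces /sbin/init */
};

/* Strip leading/trailing blanks and line endings in place. */
static char *trim(char *s)
{
    char *end;
    while (*s == ' ' || *s == '\t')
        s++;
    end = s + strlen(s);
    while (end > s && (end[-1] == ' ' || end[-1] == '\t' ||
                       end[-1] == '\n' || end[-1] == '\r'))
        *--end = '\0';
    return s;
}

/* Parse "key = value" lines from an in-memory config text (NULL means no
 * rcfile was given). Only lxc.rootfs is recorded; other keys are ignored.
 * Returns 0 on success, -1 on a malformed or oversized line. */
int parse_start_conf(const char *text, struct start_conf *conf)
{
    char line[ROOTFS_MAX + 64];
    const char *p = text;

    memset(conf, 0, sizeof(*conf));
    conf->has_rcfile = (text != NULL);

    while (p && *p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char *key, *val, *eq;

        if (len >= sizeof(line))
            return -1;                     /* refuse rather than truncate */
        memcpy(line, p, len);
        line[len] = '\0';
        p = nl ? nl + 1 : p + len;

        key = trim(line);
        if (*key == '\0' || *key == '#')
            continue;                      /* blank line or comment */
        eq = strchr(key, '=');
        if (!eq)
            return -1;                     /* not a key = value line */
        *eq = '\0';
        key = trim(key);
        val = trim(eq + 1);
        if (strcmp(key, "lxc.rootfs") == 0) {
            if (strlen(val) >= sizeof(conf->rootfs))
                return -1;
            strcpy(conf->rootfs, val);
        }
    }
    return 0;
}

/* Refuse the cases the thread describes: no rcfile for a full-system
 * container, and a rootfs that is (or defaults to) the host's "/".
 * A custom start program is allowed through, as in the original patch. */
int check_start_conf(const struct start_conf *conf)
{
    if (conf->has_command)
        return START_OK;
    if (!conf->has_rcfile)
        return START_NO_RCFILE;
    if (conf->rootfs[0] == '\0' || strcmp(conf->rootfs, "/") == 0)
        return START_HOST_ROOTFS;          /* unset treated as "/" (assumption) */
    return START_OK;
}

/* Convenience wrapper: parse, mark whether a command was given, check. */
int check_start_text(const char *text, int has_command)
{
    struct start_conf conf;
    if (parse_start_conf(text, &conf) != 0)
        return START_BAD_CONF;
    conf.has_command = has_command;
    return check_start_conf(&conf);
}

int main(void)
{
    /* Constructed configs: a sane one, one pointing at the host root, none at all. */
    printf("foo:     %d\n", check_start_text("lxc.utsname = foo\nlxc.rootfs = /var/lib/lxc/foo/rootfs\n", 0));
    printf("host /:  %d\n", check_start_text("# oops\nlxc.rootfs = /\n", 0));
    printf("no file: %d\n", check_start_text(NULL, 0));
    return 0;
}
```

The point of the wrapper is that the decision is made from what the configuration actually contains, so typo'd container names (no rcfile), stub configs (rootfs absent) and explicit lxc.rootfs=/ are all refused by the same function.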