[lxc-devel] bugs with LXC container : mount and rmmod command

Michael H. Warfield mhw at WittsEnd.com
Thu Mar 4 17:19:37 UTC 2010


Oh ho!

I've seen this problem on my system, I just hadn't been able to figure
out what was causing it.  Yeah, the partition those containers run on
strangely ends up mounted ro with no errors in the log file (I was
thinking maybe some strange drive errors were causing it).  I wasn't
doing any overt umounts and certainly no rmmods, though.  Maybe
something related as I was experimenting and had some containers "crash"
on me.  Haven't seen it since I stabilized that particular server.

Interesting.

Mike

On Thu, 2010-03-04 at 17:05 +0100, Elias Olivares wrote: 
> Hi !
> 
> I've tried to reproduce this bug on the 0.6.5 lxc release and the same bug
> appears when I run the umount command or the rmmod command.
> 
> To reproduce the bug :
> 
> Host name : debian 
> Guest container name : container 
> 
> You MUST create a dedicated partition to share your containers (another
> partition than "/")
> 
> debian:# df 
> 
>  /dev/hda1 7850996 2058732 5393452 28% / 
>  tmpfs 253768 0 253768 0% /lib/init/rw 
>  udev 10240 108 10132 2% /dev 
>  tmpfs 253768 0 253768 0% /dev/shm 
>  /dev/hdb1 4127076 552552 3364880 15% /mnt/vmr1  
> 
> Then enter into the container (lxc-console -n container) and stop the
> cron, syslog, bind9 and ssh processes.
> 
> container:~# ps aux 
>  
>  USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND 
>  root 1 0.0 0.1 1984 692 ? Ss 11:10 0:00 init [2] 
>  root 387 0.0 0.4 5884 2272 console Ss 11:10 0:00 /bin/login -- 
>  root 388 0.0 0.1 1992 572 tty1 Ss+ 11:10 0:00 /sbin/getty 38400 tty1 
>  root 389 0.0 0.1 1992 568 tty2 Ss+ 11:10 0:00 /sbin/getty 38400 tty2 
>  root 390 0.0 0.1 1992 568 tty3 Ss+ 11:10 0:00 /sbin/getty 38400 tty3 
>  root 392 0.0 0.5 4132 2680 console S 11:11 0:00 -bash 
>  root 584 0.0 0.1 2644 956 console R+ 11:43 0:00 ps aux 
>  
>  Then use the mount command : 
>  
>  container:~# mount -o remount,ro / 
>  
> Return to the Host and try to create a file in /mnt/vmr1/ . The folder
> is set in "read only". 
> 
> The second bug :
> 
> Install the ntfs module in the host (example with the ntfs module):
> 
> debian:# modprobe ntfs
> 
> Enter into the container and delete the ntfs module:
> 
> container:~# rmmod  ntfs
> 
> Return to the host: the module has been removed.
> 
> 
> 
> Has anyone solved this problem?
> 
> I think it is a major security problem.
> 
> 
> ----- Original Message -----
> From: "Daniel Lezcano" <daniel.lezcano at free.fr>
> To: "Elias Olivares" <eolivares at 1g6.biz>
> Cc: lxc-devel at lists.sourceforge.net
> Sent: Friday 8 January 2010 13:14:36
> Subject: Re: [lxc-devel] bugs with LXC container : mount and rmmod
> command
> 
> Elias Olivares wrote:
> > 
> > 
> > Hi ! 
> > 
> > I've found the way to reproduce the bug. 
> > 
> > Host name : debian 
> > Guest container name : container 
> > 
> > You MUST create a dedicated partition to share your containers (another
> partition than "/")
> 
> Thanks, I will check when I have time.
> 
> 
> 
> > Here the container is created in /mnt/vmr1/ : 
> > 
> > debian:# df 
> > 
> > /dev/hda1 7850996 2058732 5393452 28% / 
> > tmpfs 253768 0 253768 0% /lib/init/rw 
> > udev 10240 108 10132 2% /dev 
> > tmpfs 253768 0 253768 0% /dev/shm 
> > /dev/hdb1 4127076 552552 3364880 15% /mnt/vmr1 
> > 
> > Then enter into the container (lxc-console -n container) and stop the
> cron, syslog, bind9 and ssh processes.
> > 
> > container:~# ps aux 
> > 
> > USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND 
> > root 1 0.0 0.1 1984 692 ? Ss 11:10 0:00 init [2] 
> > root 387 0.0 0.4 5884 2272 console Ss 11:10 0:00 /bin/login -- 
> > root 388 0.0 0.1 1992 572 tty1 Ss+ 11:10 0:00 /sbin/getty 38400
> tty1 
> > root 389 0.0 0.1 1992 568 tty2 Ss+ 11:10 0:00 /sbin/getty 38400
> tty2 
> > root 390 0.0 0.1 1992 568 tty3 Ss+ 11:10 0:00 /sbin/getty 38400
> tty3 
> > root 392 0.0 0.5 4132 2680 console S 11:11 0:00 -bash 
> > root 584 0.0 0.1 2644 956 console R+ 11:43 0:00 ps aux 
> > 
> > Then use the mount command : 
> > 
> > container:~# mount -o remount,ro / 
> > 
> > Return to the Host and try to create a file in /mnt/vmr1/ . The
> folder is set in "read only". 
> > 
> > I tried with the 0.6.4 version and I have the same problem. 
> > 
> > 
> > Elias Olivares 
> > 
> > 
> > ----- Original Message -----
> > From: "Elias Olivares" <eolivares at 1g6.biz>
> > To: "Daniel Lezcano" <daniel.lezcano at free.fr>
> > Cc: lxc-devel at lists.sourceforge.net
> > Sent: Wednesday 6 January 2010 16:05:58
> > Subject: Re: [lxc-devel] bugs with LXC container : mount and rmmod
> command
> > 
> > 
> > Ok, thanks for this advice. I can't try now but I will try
> tomorrow ...
> > 
> > Elias 
> > 
> > 
> > ----- Original Message -----
> > From: "Daniel Lezcano" <daniel.lezcano at free.fr>
> > To: "Elias Olivares" <eolivares at 1g6.biz>
> > Cc: lxc-devel at lists.sourceforge.net
> > Sent: Wednesday 6 January 2010 13:03:59
> > Subject: Re: [lxc-devel] bugs with LXC container : mount and rmmod
> command
> > 
> > Elias Olivares wrote: 
> >> Hi 
> >>
> >>
> >> My Lxc configuration file : ( /var/lib/lxc/xxx.1g6.biz /config ) 
> >>
> >> lxc.utsname = xxx.1g6.biz 
> >> lxc.tty = 4 
> >> lxc.pts = 1024 
> >> lxc.network.type = veth 
> >> lxc.network.flags = up 
> >> lxc.network.link = br0 
> >> lxc.network.name = eth0 
> >> lxc.network.mtu = 1500 
> >> #lxc.mount = 
> >> lxc.rootfs = /mnt/vmr1/xxx.1g6.biz 
> >> lxc.cgroup.devices.deny = a 
> >> # /dev/null and zero 
> >> lxc.cgroup.devices.allow = c 1:3 rwm 
> >> lxc.cgroup.devices.allow = c 1:5 rwm 
> >> # consoles 
> >> lxc.cgroup.devices.allow = c 5:1 rwm 
> >> lxc.cgroup.devices.allow = c 5:0 rwm 
> >> lxc.cgroup.devices.allow = c 4:0 rwm 
> >> lxc.cgroup.devices.allow = c 4:1 rwm 
> >> # /dev/{,u}random 
> >> lxc.cgroup.devices.allow = c 1:9 rwm 
> >> lxc.cgroup.devices.allow = c 1:8 rwm 
> >> lxc.cgroup.devices.allow = c 136:* rwm 
> >> lxc.cgroup.devices.allow = c 5:2 rwm 
> >> # rtc 
> >> lxc.cgroup.devices.allow = c 254:0 rwm 
> >>
> >> # lxc-version 
> >> lxc version: 0.6.3 
> > 
> > There were some modifications with how the rootfs is mounted. 
> > 
> > Can you check against the 0.6.4 version ? 
> > 
> > wget http://lxc.sourceforge.net/download/lxc/lxc-0.6.4.tar.gz 
> > tar xvzf lxc-0.6.4.tar.gz 
> > cd lxc-0.6.4 
> > ./configure --localstate=/var --prefix=/usr --libdir=/usr/lib64 (if
> you
> > are on an x86_64 arch).
> > make && sudo make install 
> > 
> > Or maybe you can try with the latest git repository:
> > 
> > git-clone git://lxc.git.sourceforge.net/gitroot/lxc/lxc 
> > cd lxc 
> > ./autogen.sh 
> > ./configure --localstate=/var --prefix=/usr --libdir=/usr/lib64 (if
> you
> > are on an x86_64 arch).
> > make && sudo make install 
> > 
> > _______________________________________________ 
> > Lxc-devel mailing list 
> > Lxc-devel at lists.sourceforge.net 
> > https://lists.sourceforge.net/lists/listinfo/lxc-devel 
> 

-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
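Both reports above (rmmod from inside the container removing a host module, and remount,ro of the container root turning the host's /mnt/vmr1 read-only) come down to the container's root process keeping kernel-wide privileges: unloading a module needs CAP_SYS_MODULE and remounting needs CAP_SYS_ADMIN, and the container rootfs in this setup is a directory on the same /dev/hdb1 filesystem the host has mounted, so a remount of that superblock is visible to both. The following check is an added example for this thread, not code from the list or from LXC: run from the host against a container's init PID, it reads the capability bounding set (the CapBnd line of /proc/<pid>/status) and names the host-affecting capabilities still present. The capability bit numbers are the stable values from <linux/capability.h>; the two status texts embedded below are constructed samples, one with a full bounding set and one with the watched bits cleared.

```python
"""Added check: which host-affecting capabilities does a process keep?

Reads the CapBnd line of /proc/<pid>/status (the capability bounding set)
and names the watched capabilities still present.  Run it from the host
against a container's init PID.  Bit numbers are the stable values from
<linux/capability.h>; the sample status texts below are constructed.
"""
import re
import sys

# Capability bit numbers from <linux/capability.h>.
WATCHED_CAPS = {
    "CAP_SYS_MODULE": 16,  # insmod/rmmod: an rmmod in the container reaches the host kernel
    "CAP_SYS_ADMIN": 21,   # mount/remount: remount,ro of a filesystem shared with the host
    "CAP_SYS_BOOT": 22,    # reboot(2): would halt the host kernel
    "CAP_SYS_RAWIO": 17,   # raw I/O to block devices
}


def parse_cap_fields(status_text):
    """Map each Cap* field of a /proc/<pid>/status text to its integer mask."""
    caps = {}
    for line in status_text.splitlines():
        m = re.match(r"^(Cap[A-Za-z]+):\s*([0-9a-fA-F]+)\s*$", line)
        if m:
            caps[m.group(1)] = int(m.group(2), 16)
    return caps


def present_caps(mask, watched=WATCHED_CAPS):
    """Names of the watched capabilities whose bit is set in mask (sorted)."""
    return sorted(name for name, bit in watched.items() if (mask >> bit) & 1)


def audit_status(status_text):
    """Watched capabilities in the bounding set described by status_text."""
    caps = parse_cap_fields(status_text)
    if "CapBnd" not in caps:
        raise ValueError("no CapBnd line: kernel too old or not a status file")
    return present_caps(caps["CapBnd"])


def audit_pid(pid):
    """Audit a live process by PID (needs read access to /proc/<pid>/status)."""
    with open("/proc/%d/status" % pid) as f:
        return audit_status(f.read())


# Constructed samples.  FULL_STATUS is what a container's root init shows
# when nothing has been dropped; DROPPED_STATUS has the four watched bits
# cleared (0xffffffffffffffff & ~((1<<16)|(1<<17)|(1<<21)|(1<<22))).
FULL_STATUS = (
    "Name:\tinit\nPid:\t1234\n"
    "CapInh:\t0000000000000000\nCapPrm:\tffffffffffffffff\n"
    "CapEff:\tffffffffffffffff\nCapBnd:\tffffffffffffffff\n"
)
DROPPED_STATUS = FULL_STATUS.replace(
    "CapBnd:\tffffffffffffffff", "CapBnd:\tffffffffff9cffff"
)

if __name__ == "__main__":
    # usage: python check_caps.py <container init pid>; no argument audits the sample
    if len(sys.argv) > 1:
        found = audit_pid(int(sys.argv[1]))
    else:
        found = audit_status(FULL_STATUS)
    print("host-affecting capabilities in bounding set:", found or "none")
```

If the audit lists CAP_SYS_MODULE or CAP_SYS_ADMIN for a container's init, the behaviour Elias reports is expected rather than a filesystem fault: the container is root on the shared kernel with nothing in the bounding set stopping it. Later LXC releases than the 0.6.x discussed here added the lxc.cap.drop configuration key for dropping such capabilities from the container; on the releases in this thread, putting the container on a filesystem the host does not also mount limits the remount effect but does nothing for rmmod.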