[lxc-devel] Howto user namespaces?

Serge Hallyn serge.hallyn at ubuntu.com
Wed Apr 10 18:55:24 UTC 2013 

Quoting richard -rw- weinberger (richard.weinberger at gmail.com):
> On Tue, Apr 9, 2013 at 11:33 PM, richard -rw- weinberger
> <richard.weinberger at gmail.com> wrote:
> > On Tue, Apr 9, 2013 at 11:07 PM, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> >> Quoting richard -rw- weinberger (richard.weinberger at gmail.com):
> >>> On Tue, Apr 9, 2013 at 3:19 PM, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> >>> > Quoting richard -rw- weinberger (richard.weinberger at gmail.com):
> >>> >> On Tue, Apr 9, 2013 at 9:58 AM, richard -rw- weinberger
> >>> >> <richard.weinberger at gmail.com> wrote:
> >>> >> > On Tue, Apr 9, 2013 at 5:28 AM, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> >>> >> >> Quoting richard -rw- weinberger (richard.weinberger at gmail.com):
> >>> >> >>> Am I missing something obvious?
> >>> >> >>
> >>> >> >> lxc-create does not yet convert the rootfs to the mapped uids, so you
> >>> >> >> need to do that manually using uidmapshift.  Check the
> >>> >> >> container-userns-convert script at
> >>> >> >> https://code.launchpad.net/~serge-hallyn/+junk/nsexec or in the nsexec
> >>> >> >> package at ppa:serge-hallyn/userns-natty.
> >>> >> >
> >>> >> > Hmm, I've fixed the uids already by hand.
> >>> >> > Today I've created a new container and used container-userns-convert
> >>> >> > but with the same results.
> >>> >> >
> >>> >> > What I find very strange is that your script does:
> >>> >> > lxc.id_map = U ${uid} 0 $range
> >>> >> > lxc.id_map = G ${uid} 0 $range
> >>> >> > uid is 100000, range is 10000.
> >>> >> >
> >>> >> > But the lxc docs say:
> >>> >> >               Four values must be provided.  First a character, either
> >>> >> >               'u', or 'g', to specify whether user or group ids are
> >>> >> >               being mapped.  Next is the first userid as seen in the
> >>> >> >               user namespace of the container.  Next is the userid as
> >>> >> >               seen on the host.  Finally, a range indicating the number
> >>> >> >               of consecutive ids to map.
> >>> >> >
> >>> >> > So, this would make more sense: lxc.id_map = u 0 100000 10000
> >>> >> >
> >>> >> > Anyways, mount of tmpfs fails with ENOPERM, is there any debugging
> >>> >> > mechanism to find out why it is failing?
> >>> >> > According to strace some bind mounts before the tmpfs work perfectly fine.
> >>> >>
> >>> >> BTW: I found out that tmpfs is not supported within user namespaces...
> >>> >
> >>> > It should be in 3.9:
> >>> >
> >>> >     userns: Allow the userns root to mount tmpfs.
> >>>
> >>> Okay. Mounting tmpfs works on 3.9 so far.
> >>>
> >>> >> Anyways, now lxc-start dies here:
> >>> >> lxc-start: Operation not permitted - failed to set mode '020644' to '/dev/pts/1'
> >>> >> which is:
> >>> >> chmod("/dev/pts/1", 020644) = -1 EPERM (Operation not permitted)
> >>> >> Shouldn't this be /usr/lib64/lxc/rootfs/dev/pts/1?!
> >>> >
> >>> > Look at Eric's user namespaces kernel tree for patches which aren't in
> >>> > your tree yet.  (I also have one, but right now it is out of date with
> >>> > respect to some recent fixes Eric has sent upstream.)  Upstream is
> >>> > almost 100% there, but an <eensie weensie> bit away.
> >>>
> >>> Which tree is that?
> >>> git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace.git
> >>> for-linus (and for-next)
> >>> differ only by one commit:
> >>> proc: Restrict mounting the proc filesystem
> >>
> >> you'll probably have better luck with branch userns-always-map-user-v100
> >
> > Nope. Same result.
> > FWIW to build userns-always-map-user-v100 on current Linus tree the
> > following patch is needed:
> > ---
> > diff --git a/fs/devpts/inode.c b/fs/devpts/inode.c
> > index f0f0faa..ecfd846 100644
> > --- a/fs/devpts/inode.c
> > +++ b/fs/devpts/inode.c
> > @@ -386,8 +386,8 @@ struct vfsmount *devpts_mntget(struct file *filp)
> >         struct vfsmount *mnt = ERR_PTR(-ENODEV);
> >
> >         /* Verify the mnt is a devpts mount */
> > -       if (filp->f_vfsmnt->mnt_sb->s_magic == DEVPTS_SUPER_MAGIC)
> > -               mnt = mntget(filp->f_vfsmnt);
> > +       if (filp->f_path.mnt->mnt_sb->s_magic == DEVPTS_SUPER_MAGIC)
> > +               mnt = mntget(filp->f_path.mnt);
> >         return mnt;
> >  }
> > ---
> >
> >> The unsafe kernel (until I get time to update it) which definately works
> >> is in ppa ubuntu-lxc/kernel.
> 
> This one?
> https://launchpad.net/~ubuntu-lxc/+archive/kernel/+packages
> 
> I'm not an Ubuntu guy and not very familiar with this ppa thingy.
> Isn't there a git repo to find out what the differences between mainline are?

http://kernel.ubuntu.com/git?p=serge/quantal-userns.git;a=summary

More information about the lxc-devel mailing list