[lxc-devel] Strange problem (stray mounts) with lxc-create...

Stéphane Graber stgraber at ubuntu.com
Fri Nov 1 17:42:03 UTC 2013


On Fri, Nov 01, 2013 at 12:19:11PM -0500, Serge Hallyn wrote:
> Quoting Michael H. Warfield (mhw at WittsEnd.com):
> > 14 15 0:13 / /proc/sys/fs/binfmt_misc rw,relatime shared:20 - autofs systemd-1 rw,fd=32,pgrp=1,timeout=300,minproto=5,maxproto=5,direct
> 
> D'oh.  D'oh.  D'oh.
> 
> I've been going over detect_shared_rootfs() again and again, confirming
> that it should catch this line and return 1.  But your problem is during
> lxc-create!  Stupid Serge!
> 
> Perhaps the clean solution here is to always do a mount --make-rslave /
> before running the template.  Something like this:
> 
> From 0edc092d852761a95d3fea8a4746a2c68fa91d84 Mon Sep 17 00:00:00 2001
> From: Serge Hallyn <serge.hallyn at ubuntu.com>
> Date: Fri, 1 Nov 2013 12:17:52 -0500
> Subject: [PATCH 1/1] always remount / rslave before running creation template
>  (if root)
> 
> If we're not root, our mounts in private userns won't get pushed
> back anyway.  If we are root, we need to make sure that anything
> the template does gets cleaned up.
> 
> Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>

Acked-by: Stéphane Graber <stgraber at ubuntu.com>

> ---
>  src/lxc/lxccontainer.c | 15 ++++++++++++++-
>  1 file changed, 14 insertions(+), 1 deletion(-)
> 
> diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
> index 8b81a63..946133d 100644
> --- a/src/lxc/lxccontainer.c
> +++ b/src/lxc/lxccontainer.c
> @@ -24,6 +24,7 @@
>  #include <unistd.h>
>  #include <sys/types.h>
>  #include <sys/wait.h>
> +#include <sys/mount.h>
>  #include <errno.h>
>  #include <fcntl.h>
>  #include <sched.h>
> @@ -833,11 +834,23 @@ static bool create_run_template(struct lxc_container *c, char *tpath, bool quiet
>  			exit(1);
>  		}
>  
> -		if (strcmp(bdev->type, "dir") != 0) {
> +		if (geteuid() == 0) {
>  			if (unshare(CLONE_NEWNS) < 0) {
>  				ERROR("error unsharing mounts");
>  				exit(1);
>  			}
> +			if (detect_shared_rootfs()) {
> +				if (mount("", "", NULL, MS_SLAVE|MS_REC, 0)) {
> +					SYSERROR("Failed to make / rslave to run template");
> +					ERROR("Continuing...");
> +				}
> +			}
> +		}
> +		if (strcmp(bdev->type, "dir") != 0) {
> +			if (geteuid() != 0) {
> +				ERROR("non-root users can only create directory-backed containers");
> +				exit(1);
> +			}
>  			if (bdev->ops->mount(bdev) < 0) {
>  				ERROR("Error mounting rootfs");
>  				exit(1);
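Review bot: the propagation change in the `detect_shared_rootfs()` branch passes an empty target, `mount("", "", NULL, MS_SLAVE|MS_REC, 0)`, but the propagation flags act on the mount at `target`, so this needs to be `"/"` to do what the subject line and the SYSERROR text ("Failed to make / rslave") say; an empty pathname is not a valid mount point, so the call cannot succeed as written. Since the failure path only logs "Continuing...", the template would then still run with / shared, which is exactly the stray-mount case this patch is meant to close; either fix the target and keep the soft failure, or make the failure fatal with `exit(1)` like the surrounding error paths. Nit: pass `NULL` rather than `0` for the `data` argument.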
> -- 
> 1.8.3.2
> 
> 
> _______________________________________________
> Lxc-devel mailing list
> Lxc-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/lxc-devel

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com