[lxc-devel] [PATCH 1/3] container creation: support unpriv container creation in user namespaces

Michael H. Warfield mhw at WittsEnd.com
Fri Oct 25 20:42:48 UTC 2013


On Thu, 2013-10-24 at 21:55 -0500, Serge Hallyn wrote: 
> Quoting Michael H. Warfield (mhw at WittsEnd.com):
> > On Wed, 2013-10-23 at 01:02 +0000, Serge Hallyn wrote: 
> > > From: Serge Hallyn <serge.hallyn at ubuntu.com>
> > 
> > > 1. lxcapi_create: don't try to unshare and mount for dir backed containers
> > 
> > > It's unnecessary, and breaks unprivileged lxc-create (since unpriv users
> > > cannot yet unshare(CLONE_NEWNS)).
> > 
> > I saw this and thought "I wonder if this fixes the dangling mount
> > problem" I described in an earlier message.  Nothing to do with being an
> > unpriv user, since it was being run as root, but right smack where that
> > problem seems to be.
> > 
> > Just retested with latest from git...  Problem gone.  This fix seems to
> > have eliminated the dangling mounts on /usr/lib64/lxc/rootfs from
> > lxc-create.

> It shouldn't, but I thought it might.  Can you instrument to confirm
> whether chroot_into_slave() is called on your host?

It does not appear to be getting called in either the code with the
hanging mounts (prior to this commit) or in the latest pull from git.  I
put messages in that, and in setup_rootfs where it's called from and in
lxc_setup where setup_rootfs is called from.  That all seems to be
contained in src/lxc/conf.c.  None of those messages show up when I run
lxc-create.  May be a different story if I'm running lxc-start but this
is in creating a template where the hanging mounts were showing up.

Looking at the git commit logs for when and what I pulled, the last code
with the problem has this as the top commit...

commit bc605ac6dd45b3fb52207c79b49e89ab8dfbd9e0
Author: S.Çağlar Onur <caglar at 10ur.org>
Date:   Sat Oct 19 00:45:03 2013 -0400

The next pull I did pulled in this commit as the fourth one down in the
logs...

commit cf3ef16dc479c102433a82b8ddbb4265d3818cce
Author: Serge Hallyn <serge.hallyn at ubuntu.com>
Date:   Wed Oct 23 01:02:57 2013 +0000

I don't see anything in the commit logs between them that would account
for this problem disappearing.

I reverted the changes back to this commit and the problem
returned, so it's right there.  That commit seems to have fixed the
hanging mount problem for some reason and it doesn't seem to be
involving chroot_into_slave.

Regards,
Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!