[lxc-devel] problem with user namespace as root

Stephan Sachse ste.sachse at gmail.com
Wed Feb 12 13:58:54 UTC 2014 

os: centos-6.5
kernel: 3.13.2-2.el6.x86_64 (handcrafted rpm)
lxc: 1.0.0-0.4.3.beta4.el6.x86_64 (handcrafted rpm from git ce79774)

  lxc-create -n fedora1 -t fedora -- -R 20
  lxc-start -n fedora1 -d
  lxc-console -n fedora1
  lxc-stop -n fedora1

all works fine :)

  # ls -l /var/lib/lxc/fedora1/
  -rw-r--r--  1 root root 1118 12. Feb 12:10 config
  dr-xr-xr-x 18 root root 4096 12. Feb 12:15 rootfs
  lrwxrwxrwx  1 root root   34 12. Feb 12:15 rootfs.dev ->
/dev/.lxc/fedora1.533098688727054a

  # ls -l /dev/.lxc/
  drwxr-xr-x 8 root root 540 12. Feb 12:15 fedora1.533098688727054a
  drwxrwxrwt 2 root root  40 12. Feb 12:12 user

  # ls -l /dev/.lxc/fedora1.533098688727054a
  drwxr-xr-x 2 root root  160 12. Feb 12:12 char
  lrwxrwxrwx 1 root root   11 12. Feb 12:15 console -> lxc/console
  lrwxrwxrwx 1 root root   11 12. Feb 12:12 core -> /proc/kcore
  lrwxrwxrwx 1 root root   13 12. Feb 12:12 fd -> /proc/self/fd
  crw-rw-rw- 1 root root 1, 7 12. Feb 12:15 full
  drwxr-xr-x 2 root root   40 12. Feb 12:12 hugepages
  prw------- 1 root root    0 12. Feb 12:12 initctl
  lrwxrwxrwx 1 root root    7 12. Feb 12:15 kmsg -> console
  drwxr-xr-x 2 root root  140 12. Feb 12:12 lxc
  drwxr-xr-x 2 root root   40 12. Feb 12:12 mqueue
  crw-rw-rw- 1 root root 1, 3 12. Feb 12:15 null
  lrwxrwxrwx 1 root root   13 12. Feb 12:12 ptmx -> /dev/pts/ptmx
  drwxr-xr-x 2 root root   40 12. Feb 12:12 pts
  crw-rw-rw- 1 root root 1, 8 12. Feb 12:15 random
  drwxr-xr-x 2 root root   40 12. Feb 12:12 shm
  lrwxrwxrwx 1 root root   15 12. Feb 12:12 stderr -> /proc/self/fd/2
  lrwxrwxrwx 1 root root   15 12. Feb 12:12 stdin -> /proc/self/fd/0
  lrwxrwxrwx 1 root root   15 12. Feb 12:12 stdout -> /proc/self/fd/1
  crw-rw-rw- 1 root tty  5, 0 12. Feb 12:15 tty
  lrwxrwxrwx 1 root root    8 12. Feb 12:15 tty1 -> lxc/tty1
  lrwxrwxrwx 1 root root    8 12. Feb 12:15 tty2 -> lxc/tty2
  lrwxrwxrwx 1 root root    8 12. Feb 12:15 tty3 -> lxc/tty3
  lrwxrwxrwx 1 root root    8 12. Feb 12:15 tty4 -> lxc/tty4
  crw-rw-rw- 1 root root 1, 9 12. Feb 12:15 urandom
  crw-rw-rw- 1 root root 1, 5 12. Feb 12:15 zero

now reboot and see that /dev/.lxc is lost. but no problem, lxc-start
-n fedora1 -d creates it again and all works fine.

now aktivate the user namespace (map user root from container to uid
100000 on the host, all other as is)

  ~/uidmapshift -b /var/lib/lxc/fedora1/rootfs 0 100000 1

edit /var/lib/lxc/fedora1/config and add

  lxc.id_map = u 0 100000 1
  lxc.id_map = g 0 100000 1

try to start the container

  # lxc-start -l debug -o debug1.log -n fedora1
  lxc-start: File exists - WARNING: Failed to create symlink
'/var/lib/lxc/fedora1/rootfs.dev'->'/dev/.lxc/
fedora1.533098688727054a'

  lxc-start: Invalid argument - failed to mount a new instance of '/dev/pts'
  lxc-start: failed to setup the new pts instance
  lxc-start: failed to setup the container
  lxc-start: invalid sequence number 1. expected 2
  lxc-start: failed to spawn 'fedora1'

the debug1.log is attached.

now reboot. /dev/.lxc is lost again. try to start container fedora1
with user namespace enabled

  # lxc-start -l debug -o debug2.log -n fedora1
  lxc-start: Permission denied - Unable to create /dev/.lxc for autodev
  lxc-start: Operation not permitted - Error creating null

  lxc-start: failed to populate /dev in the container
  lxc-start: failed to setup the container
  lxc-start: invalid sequence number 1. expected 2
  lxc-start: failed to spawn 'fedora1'

the debug2.log attached

my config for fedora1 is attache as config.txt

where is the fault?

/stephan

-- 
Software is like sex, it's better when it's free!
-------------- next part --------------
# Template used to create this container: /usr/share/lxc/templates/lxc-fedora
# Parameters passed to the template: -R 20
# For additional config options, please look at lxc.conf(5)
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = lxcbr0
lxc.network.hwaddr = fe:51:02:2c:73:fa
lxc.rootfs = /var/lib/lxc/fedora1/rootfs


lxc.devttydir = lxc
lxc.tty = 4
lxc.pts = 1024

lxc.utsname = fedora1
lxc.autodev = 1

lxc.id_map = u 0 100000 1
lxc.id_map = g 0 100000 1

# systemctl start halt.target
lxc.haltsignal = SIGRTMIN+3

# Immediately halts the machine.
lxc.stopsignal = SIGRTMIN+13

lxc.hook.clone = /usr/share/lxc/hooks/clonehostname

lxc.cap.drop = mac_admin mac_override
lxc.cap.drop = setfcap
lxc.cap.drop = sys_module sys_nice sys_pacct
lxc.cap.drop = sys_rawio sys_time

# Control Group devices: all denied except those whitelisted
lxc.cgroup.devices.deny = a
# Allow any mknod (but not reading/writing the node)
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
# /dev/null
lxc.cgroup.devices.allow = c 1:3 rwm
# /dev/zero
lxc.cgroup.devices.allow = c 1:5 rwm
# /dev/full
lxc.cgroup.devices.allow = c 1:7 rwm
# /dev/tty
lxc.cgroup.devices.allow = c 5:0 rwm
# /dev/random
lxc.cgroup.devices.allow = c 1:8 rwm
# /dev/urandom
lxc.cgroup.devices.allow = c 1:9 rwm
# /dev/tty[1-4] ptys and lxc console
lxc.cgroup.devices.allow = c 136:* rwm
# /dev/ptmx pty master
lxc.cgroup.devices.allow = c 5:2 rwm

-------------- next part --------------
A non-text attachment was scrubbed...
Name: debug1.log
Type: text/x-log
Size: 7070 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20140212/2ccd3521/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: debug2.log
Type: text/x-log
Size: 4633 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20140212/2ccd3521/attachment-0001.bin>

More information about the lxc-devel mailing list