[lxc-devel] Unprivileged setns

Stéphane Graber stgraber at ubuntu.com
Mon Jan 20 20:08:26 UTC 2014


Hey everyone,

So I spent some time this morning trying to figure out if setns to
unprivileged containers was even possible.

The good news is that it is, the bad news is that setns back to the
original namespace isn't allowed.

So in practice, with this patch[0] I can get lxc-info to show
information from an unprivileged container like so:

stgraber at castiana:~/Desktop$ lxc-info -n p1
Name:           p1
State:          RUNNING
PID:            24704
lxc_container: Operation not permitted - failed to setns
lxc_container: Operation not permitted - failed to setns
IP:             10.0.3.124
IP:             10.0.4.1
IP:             2607:f2c0:f00f:2751:5c41:a8fd:1169:6041
IP:             2607:f2c0:f00f:2751:ac15:54ff:fed5:8b4a


The problem obviously comes from those two error messages which say that
setns back to the original namespace failed.

I can't think of a nice way around this particular limitation nor am I
convinced that there is any safe way to fix that at the kernel level.
(CCing Eric in case there's something I missed)

The obvious thing we could do is, instead of doing the setns calls in
process, fork a child, have it do the setns and send the result of the
command back to the original caller. However, doing that is likely
going to take a bit more time than I have available right now, so if
someone's interested, that'd be a great thing to have for 1.0.

[0] http://paste.ubuntu.com/6787869/

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
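The fork-and-report approach sketched in the message, written out as an added example (it is not code from the linked patch or from LXC): the forked child is the only process that ever calls setns(), so the parent never needs the setns "back" that is refused for unprivileged callers, and it only reads the child's report from a pipe. The run_in_ns() signature, the nstype argument and the print_hostname task (a UTS-namespace stand-in for the address listing lxc-info does) are assumptions; passing NULL as ns_path runs the task in the caller's own namespaces.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Task run by the child once it has entered the target namespace (assumed
 * stand-in for the real work: the hostname is the UTS-namespace view). */
static int print_hostname(FILE *out)
{
    char host[256];
    if (gethostname(host, sizeof host) < 0)
        return -1;
    fprintf(out, "Hostname: %s\n", host);
    return 0;
}

/* Fork a child, setns() it into ns_path (e.g. "/proc/<pid>/ns/uts"; NULL keeps
 * the caller's namespaces), run task() there and copy what it wrote into buf.
 * Returns the byte count, or -1 if the child could not enter the namespace or
 * the task failed. The parent itself never calls setns(). */
ssize_t run_in_ns(const char *ns_path, int nstype, int (*task)(FILE *),
                  char *buf, size_t len)
{
    int pfd[2], status;
    if (len == 0 || pipe(pfd) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) { close(pfd[0]); close(pfd[1]); return -1; }
    if (pid == 0) {                          /* child: the only setns() caller */
        close(pfd[0]);
        int nsfd = ns_path ? open(ns_path, O_RDONLY | O_CLOEXEC) : -1;
        if (ns_path && (nsfd < 0 || setns(nsfd, nstype) < 0))
            _exit(2);                        /* ENOENT, or EPERM without CAP_SYS_ADMIN there */
        FILE *out = fdopen(pfd[1], "w");
        int rc = out ? task(out) : -1;
        if (out) fclose(out);                /* closing the pipe end is the child's EOF */
        _exit(rc == 0 ? 0 : 1);
    }
    close(pfd[1]);                           /* parent: read until EOF, then reap */
    size_t got = 0;
    for (ssize_t n; got < len - 1 && (n = read(pfd[0], buf + got, len - 1 - got)) > 0;)
        got += (size_t)n;
    buf[got] = '\0';
    close(pfd[0]);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status))
        return -1;
    return (ssize_t)got;
}
```

A failed setns() only costs the child its exit status; the parent's namespaces and state are untouched either way, which is the whole point of moving the call out of process.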