[lxc-devel] Unprivileged setns

S.Çağlar Onur caglar at 10ur.org
Mon Jan 20 21:06:41 UTC 2014 

Hi Stéphane,

On Mon, Jan 20, 2014 at 3:08 PM, Stéphane Graber <stgraber at ubuntu.com> wrote:
> Hey everyone,
>
> So I spent some time this morning trying to figure out if setns to
> unprivileged containers was even possible.
>
> The good news is that it is, the bad news is that setns back to the
> original namespace isn't allowed.
>
> So in practice, with this patch[0] I can get lxc-info to show
> information from an unprivileged containers like so:
>
> stgraber at castiana:~/Desktop$ lxc-info -n p1
> Name:           p1
> State:          RUNNING
> PID:            24704
> lxc_container: Operation not permitted - failed to setns
> lxc_container: Operation not permitted - failed to setns
> IP:             10.0.3.124
> IP:             10.0.4.1
> IP:             2607:f2c0:f00f:2751:5c41:a8fd:1169:6041
> IP:             2607:f2c0:f00f:2751:ac15:54ff:fed5:8b4a

Cool, I was trying to do the same this morning with no luck. I just
tried your patch to see what will happen and unfortunately it's pretty
much the same error that I was getting.

I'm on saucy with trusy kernel and now started to wonder whether this
could be related with the libc version that I'm using or something
else. Here is what happens with your patch applied (with two
additional lines for writing the function name for debugging).

[caglar at oOo:~/go/src/github.com/caglar10ur/lxc/examples] ./list
You are using LXC as an unprivileged user. Some functionality may not work.

2014/01/20 16:03:42 Defined containers:
2014/01/20 16:03:42 rubik (STOPPED)
2014/01/20 16:03:42
2014/01/20 16:03:42 Active containers:
2014/01/20 16:03:42
2014/01/20 16:03:42 Active and Defined containers:

[caglar at oOo:~/go/src/github.com/caglar10ur/lxc/examples] ./start
You are using LXC as an unprivileged user. Some functionality may not work.

2014/01/20 16:03:43 Starting the container...

[caglar at oOo:~/go/src/github.com/caglar10ur/lxc/examples] ./list
You are using LXC as an unprivileged user. Some functionality may not work.

2014/01/20 16:03:44 Defined containers:
2014/01/20 16:03:44 rubik (RUNNING)
2014/01/20 16:03:44
2014/01/20 16:03:44 Active containers:
2014/01/20 16:03:44 rubik (RUNNING)
2014/01/20 16:03:44
2014/01/20 16:03:44 Active and Defined containers:
2014/01/20 16:03:44 rubik (RUNNING)

[caglar at oOo:~/go/src/github.com/caglar10ur/lxc/examples] ./ipaddress
You are using LXC as an unprivileged user. Some functionality may not work.

2014/01/20 16:03:47 IPAddress("lo")
lxc_container: enter_to_ns
lxc_container: Invalid argument - failed to setns CLONE_NEWUSER
lxc_container: exit_from_ns
lxc_container: Invalid argument - failed to setns CLONE_NEWUSER
lxc_container: Operation not permitted - failed to setns CLONE_NEWNET
lxc_container: exit_from_ns
lxc_container: Bad file descriptor - failed to setns CLONE_NEWUSER
lxc_container: Bad file descriptor - failed to setns CLONE_NEWNET
2014/01/20 16:03:47 ERROR: getting IP address on the interface lo of
the container "rubik" failed

[caglar at oOo:~/go/src/github.com/caglar10ur/lxc/examples] sudo
./ipaddress -lxcpath=/home/caglar/.local/share/lxc
2014/01/20 16:05:37 IPAddress("lo")
lxc_container: enter_to_ns
lxc_container: exit_from_ns
2014/01/20 16:05:37 0) 127.0.0.1
2014/01/20 16:05:37 1) ::1
2014/01/20 16:05:37 IPAddresses()
lxc_container: enter_to_ns
lxc_container: exit_from_ns
2014/01/20 16:05:37 0) 10.0.3.153
2014/01/20 16:05:37 IPv4Addresses()
lxc_container: enter_to_ns
lxc_container: exit_from_ns
2014/01/20 16:05:37 0) 10.0.3.153
2014/01/20 16:05:37 IPv6Addresses()
lxc_container: enter_to_ns
lxc_container: exit_from_ns
2014/01/20 16:05:37 ERROR: getting IPv6 addresses of the container
"rubik" failed


>
> The problem obviously comes from those two error messages which say that
> setns back to the original namespace failed.
>
> I can't think of a nice way around this particular limitation nor am I
> convinced that there is any safe way to fix that at the kernel level.
> (CCing Eric in case there's something I missed)
>
> The obvious thing we could do is instead of doing the setns calls in
> process, instead fork a child, have it do the setns and send the result
> of the command back to the original caller. However doing that is likely
> going to take a bit more time than I have available right now, so if
> someone's interested, that'd be a great thing to have for 1.0.
>
> [0] http://paste.ubuntu.com/6787869/
>
> --
> Stéphane Graber
> Ubuntu developer
> http://www.ubuntu.com
>
> _______________________________________________
> lxc-devel mailing list
> lxc-devel at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-devel
>

Best,
-- 
S.Çağlar Onur <caglar at 10ur.org>

More information about the lxc-devel mailing list