[lxc-devel] Unprivileged setns

S.Çağlar Onur caglar at 10ur.org
Mon Jan 20 21:19:33 UTC 2014 

Hi Stéphane,

On Mon, Jan 20, 2014 at 4:06 PM, S.Çağlar Onur <caglar at 10ur.org> wrote:
> Hi Stéphane,
>
> On Mon, Jan 20, 2014 at 3:08 PM, Stéphane Graber <stgraber at ubuntu.com> wrote:
>> Hey everyone,
>>
>> So I spent some time this morning trying to figure out if setns to
>> unprivileged containers was even possible.
>>
>> The good news is that it is, the bad news is that setns back to the
>> original namespace isn't allowed.
>>
>> So in practice, with this patch[0] I can get lxc-info to show
>> information from an unprivileged containers like so:
>>
>> stgraber at castiana:~/Desktop$ lxc-info -n p1
>> Name:           p1
>> State:          RUNNING
>> PID:            24704
>> lxc_container: Operation not permitted - failed to setns
>> lxc_container: Operation not permitted - failed to setns
>> IP:             10.0.3.124
>> IP:             10.0.4.1
>> IP:             2607:f2c0:f00f:2751:5c41:a8fd:1169:6041
>> IP:             2607:f2c0:f00f:2751:ac15:54ff:fed5:8b4a
>
> Cool, I was trying to do the same this morning with no luck. I just
> tried your patch to see what will happen and unfortunately it's pretty
> much the same error that I was getting.
>
> I'm on saucy with trusy kernel and now started to wonder whether this
> could be related with the libc version that I'm using or something
> else. Here is what happens with your patch applied (with two
> additional lines for writing the function name for debugging).

Hmm, it looks like go runtime is causing some trouble because calling
the get_ips directly via C API works as expected.

[caglar at oOo:~/Projects/lxc-c] cat ip.c
#include <stdio.h>
#include <stdlib.h>

#include <lxc/lxccontainer.h>

int main(int argc, char *argv[]) {
    int i;
    struct lxc_container *c;

    c = lxc_container_new("rubik", NULL);

    char **addresses = c->get_ips(c, NULL, NULL, 0);
    if (addresses) {
        char *address;
        i = 0;
        while (addresses[i]) {
            address = addresses[i];
            printf("IP: %s\n", address);
            i++;
        }
    }

    lxc_container_put(c);

    return 0;
}

[caglar at oOo:~/Projects/lxc-c] gcc ip.c -llxc -o ip
[caglar at oOo:~/Projects/lxc-c] ./ip
lxc_container: enter_to_ns
lxc_container: exit_from_ns
lxc_container: Operation not permitted - failed to setns CLONE_NEWUSER
lxc_container: Operation not permitted - failed to setns CLONE_NEWNET
IP: 10.0.3.153
[caglar at oOo:~/Projects/lxc-c]


> [caglar at oOo:~/go/src/github.com/caglar10ur/lxc/examples] ./list
> You are using LXC as an unprivileged user. Some functionality may not work.
>
> 2014/01/20 16:03:42 Defined containers:
> 2014/01/20 16:03:42 rubik (STOPPED)
> 2014/01/20 16:03:42
> 2014/01/20 16:03:42 Active containers:
> 2014/01/20 16:03:42
> 2014/01/20 16:03:42 Active and Defined containers:
>
> [caglar at oOo:~/go/src/github.com/caglar10ur/lxc/examples] ./start
> You are using LXC as an unprivileged user. Some functionality may not work.
>
> 2014/01/20 16:03:43 Starting the container...
>
> [caglar at oOo:~/go/src/github.com/caglar10ur/lxc/examples] ./list
> You are using LXC as an unprivileged user. Some functionality may not work.
>
> 2014/01/20 16:03:44 Defined containers:
> 2014/01/20 16:03:44 rubik (RUNNING)
> 2014/01/20 16:03:44
> 2014/01/20 16:03:44 Active containers:
> 2014/01/20 16:03:44 rubik (RUNNING)
> 2014/01/20 16:03:44
> 2014/01/20 16:03:44 Active and Defined containers:
> 2014/01/20 16:03:44 rubik (RUNNING)
>
> [caglar at oOo:~/go/src/github.com/caglar10ur/lxc/examples] ./ipaddress
> You are using LXC as an unprivileged user. Some functionality may not work.
>
> 2014/01/20 16:03:47 IPAddress("lo")
> lxc_container: enter_to_ns
> lxc_container: Invalid argument - failed to setns CLONE_NEWUSER
> lxc_container: exit_from_ns
> lxc_container: Invalid argument - failed to setns CLONE_NEWUSER
> lxc_container: Operation not permitted - failed to setns CLONE_NEWNET
> lxc_container: exit_from_ns
> lxc_container: Bad file descriptor - failed to setns CLONE_NEWUSER
> lxc_container: Bad file descriptor - failed to setns CLONE_NEWNET
> 2014/01/20 16:03:47 ERROR: getting IP address on the interface lo of
> the container "rubik" failed
>
> [caglar at oOo:~/go/src/github.com/caglar10ur/lxc/examples] sudo
> ./ipaddress -lxcpath=/home/caglar/.local/share/lxc
> 2014/01/20 16:05:37 IPAddress("lo")
> lxc_container: enter_to_ns
> lxc_container: exit_from_ns
> 2014/01/20 16:05:37 0) 127.0.0.1
> 2014/01/20 16:05:37 1) ::1
> 2014/01/20 16:05:37 IPAddresses()
> lxc_container: enter_to_ns
> lxc_container: exit_from_ns
> 2014/01/20 16:05:37 0) 10.0.3.153
> 2014/01/20 16:05:37 IPv4Addresses()
> lxc_container: enter_to_ns
> lxc_container: exit_from_ns
> 2014/01/20 16:05:37 0) 10.0.3.153
> 2014/01/20 16:05:37 IPv6Addresses()
> lxc_container: enter_to_ns
> lxc_container: exit_from_ns
> 2014/01/20 16:05:37 ERROR: getting IPv6 addresses of the container
> "rubik" failed
>
>
>>
>> The problem obviously comes from those two error messages which say that
>> setns back to the original namespace failed.
>>
>> I can't think of a nice way around this particular limitation nor am I
>> convinced that there is any safe way to fix that at the kernel level.
>> (CCing Eric in case there's something I missed)
>>
>> The obvious thing we could do is instead of doing the setns calls in
>> process, instead fork a child, have it do the setns and send the result
>> of the command back to the original caller. However doing that is likely
>> going to take a bit more time than I have available right now, so if
>> someone's interested, that'd be a great thing to have for 1.0.
>>
>> [0] http://paste.ubuntu.com/6787869/
>>
>> --
>> Stéphane Graber
>> Ubuntu developer
>> http://www.ubuntu.com
>>
>> _______________________________________________
>> lxc-devel mailing list
>> lxc-devel at lists.linuxcontainers.org
>> http://lists.linuxcontainers.org/listinfo/lxc-devel
>>
>
> Best,
> --
> S.Çağlar Onur <caglar at 10ur.org>



-- 
S.Çağlar Onur <caglar at 10ur.org>

More information about the lxc-devel mailing list