[lxc-devel] [PATCH] Fix to work lxc-destroy with unprivileged containers on recent kernel
Stéphane Graber
stgraber at ubuntu.com
Tue Jul 1 02:20:21 UTC 2014
On Mon, Jun 30, 2014 at 10:09:49PM -0400, S.Çağlar Onur wrote:
> Hey there,
>
> This change set caused my go test suite to fail unexpectedly. Some of
> my tests produced errors like
>
> === RUN TestClone
> lxc_container: Error chgrp /home/caglar/.local/share/lxc/consectetur/rootfs
> --- PASS: TestClone (6.31 seconds)
>
> or
>
> lxc_container: failed mounting
> /home/caglar/.local/share/lxcsnaps/lorem/snap0/rootfs onto
> /home/caglar/.local/share/lxcsnaps/lorem/snap0/rootfs
> lxc_container: Error copying storage
> --- FAIL: TestRestoreSnapshot (76.30 seconds)
> lxc_test.go:241: restoring the container failed
>
> Then, some other test cases started to run multiple times for no
> reason and they eventually got stuck (see
> http://paste.ubuntu.com/7729266/ for an example)
>
> I'm on ubuntu trusty with latest kernel (3.13.0-30-generic) and using
> stable-1.0 branch. Reverting following three commits made my tests
> happy again
>
> * "Cast to gid_t to fix android build failure", commit
> 8c760bbd101b033ab7dbbd518f4500572b204d9a.
>
> * "Fix to work lxc-start with unprivileged containers on recent
> kernel", commit bd3214ff7f39956924baa83a6cfbdd542268b44.
>
> * "Fix to work lxc-destroy with unprivileged containers on recent
> kernel", commit 308fddd2e93bd6ae83f089d5a7e914e7134901cf.
>
> I'm not sure what triggers this problem. Unfortunately I don't have
> enough time to debug it further now but will try find some time. In
> the meantime, I'm wondering whether you are experiencing some test
> failures on your ci system as well.
No, I had all CI tests run 3-4 times today with those commits and I
didn't get a single failure. The CI environment is Ubuntu 14.04 with the
3.13 kernel, so should be identical to what you have, except that we're
running the C and python3 tests only.
I wonder what could be causing this issue for the Go binding, some weird
threading bug again?
>
> On Mon, Jun 30, 2014 at 10:46 AM, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> > Quoting KATOH Yasufumi (karma at jazz.email.ne.jp):
> >> Hi,
> >>
> >> I applied this patch and test. lxc-destroy work fine. :-)
> >>
> >> >>> On Sat, 28 Jun 2014 18:39:54 +0900
> >> in message "[lxc-devel] [PATCH] Fix to work lxc-destroy with unprivileged containers on recent kernel"
> >> TAMUKI Shoichi-san wrote:
> >>
> >> > Change idmap_add_id() to add both ID_TYPE_UID and ID_TYPE_GID entries
> >> > to an existing lxc_conf, not just an ID_TYPE_UID entry, so as to work
> >> > lxc-destroy with unprivileged containers on recent kernel.
> >>
> >> > Signed-off-by: TAMUKI Shoichi <tamuki at linet.gr.jp>
> >>
> >> Acked-by: KATOH Yasufumi <karma at jazz.email.ne.jp>
> >
> > Thanks again!
> >
> > Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>
> >
> >> > ---
> >> > src/lxc/conf.c | 49 ++++++++++++++++++++++++++++++++++---------------
> >> > 1 file changed, 34 insertions(+), 15 deletions(-)
> >>
> >> > diff --git a/src/lxc/conf.c b/src/lxc/conf.c
> >> > index df2f7cc..70f57af 100644
> >> > --- a/src/lxc/conf.c
> >> > +++ b/src/lxc/conf.c
> >> > @@ -4508,14 +4508,14 @@ static int run_userns_fn(void *data)
> >> > }
> >>
> >> > /*
> >> > - * Add a ID_TYPE_UID entry to an existing lxc_conf, if it is not
> >> > - * alread there.
> >> > - * We may want to generalize this to do gids as well as uids, but right now
> >> > - * it's not necessary.
> >> > + * Add ID_TYPE_UID/ID_TYPE_GID entries to an existing lxc_conf,
> >> > + * if they are not already there.
> >> > */
> >> > -static struct lxc_list *idmap_add_id(struct lxc_conf *conf, uid_t uid)
> >> > +static struct lxc_list *idmap_add_id(struct lxc_conf *conf,
> >> > + uid_t uid, gid_t gid)
> >> > {
> >> > - int hostid_mapped = mapped_hostid(uid, conf, ID_TYPE_UID);
> >> > + int hostuid_mapped = mapped_hostid(uid, conf, ID_TYPE_UID);
> >> > + int hostgid_mapped = mapped_hostid(gid, conf, ID_TYPE_GID);
> >> > struct lxc_list *new = NULL, *tmp, *it, *next;
> >> > struct id_map *entry;
> >>
> >> > @@ -4526,9 +4526,9 @@ static struct lxc_list *idmap_add_id(struct lxc_conf *conf, uid_t uid)
> >> > }
> >> > lxc_list_init(new);
> >>
> >> > - if (hostid_mapped < 0) {
> >> > - hostid_mapped = find_unmapped_nsuid(conf, ID_TYPE_UID);
> >> > - if (hostid_mapped < 0)
> >> > + if (hostuid_mapped < 0) {
> >> > + hostuid_mapped = find_unmapped_nsuid(conf, ID_TYPE_UID);
> >> > + if (hostuid_mapped < 0)
> >> > goto err;
> >> > tmp = malloc(sizeof(*tmp));
> >> > if (!tmp)
> >> > @@ -4540,8 +4540,27 @@ static struct lxc_list *idmap_add_id(struct lxc_conf *conf, uid_t uid)
> >> > }
> >> > tmp->elem = entry;
> >> > entry->idtype = ID_TYPE_UID;
> >> > - entry->nsid = hostid_mapped;
> >> > - entry->hostid = (unsigned long)uid;
> >> > + entry->nsid = hostuid_mapped;
> >> > + entry->hostid = (unsigned long) uid;
> >> > + entry->range = 1;
> >> > + lxc_list_add_tail(new, tmp);
> >> > + }
> >> > + if (hostgid_mapped < 0) {
> >> > + hostgid_mapped = find_unmapped_nsuid(conf, ID_TYPE_GID);
> >> > + if (hostgid_mapped < 0)
> >> > + goto err;
> >> > + tmp = malloc(sizeof(*tmp));
> >> > + if (!tmp)
> >> > + goto err;
> >> > + entry = malloc(sizeof(*entry));
> >> > + if (!entry) {
> >> > + free(tmp);
> >> > + goto err;
> >> > + }
> >> > + tmp->elem = entry;
> >> > + entry->idtype = ID_TYPE_GID;
> >> > + entry->nsid = hostgid_mapped;
> >> > + entry->hostid = (unsigned long) gid;
> >> > entry->range = 1;
> >> > lxc_list_add_tail(new, tmp);
> >> > }
> >> > @@ -4563,7 +4582,7 @@ static struct lxc_list *idmap_add_id(struct lxc_conf *conf, uid_t uid)
> >> > return new;
> >>
> >> > err:
> >> > - ERROR("Out of memory building a new uid map");
> >> > + ERROR("Out of memory building a new uid/gid map");
> >> > if (new)
> >> > lxc_free_idmap(new);
> >> > free(new);
> >> > @@ -4572,7 +4591,7 @@ err:
> >>
> >> > /*
> >> > * Run a function in a new user namespace.
> >> > - * The caller's euid will be mapped in if it is not already.
> >> > + * The caller's euid/egid will be mapped in if it is not already.
> >> > */
> >> > int userns_exec_1(struct lxc_conf *conf, int (*fn)(void *), void *data)
> >> > {
> >> > @@ -4597,8 +4616,8 @@ int userns_exec_1(struct lxc_conf *conf, int (*fn)(void *), void *data)
> >> > close(p[0]);
> >> > p[0] = -1;
> >>
> >> > - if ((idmap = idmap_add_id(conf, geteuid())) == NULL) {
> >> > - ERROR("Error adding self to container uid map");
> >> > + if ((idmap = idmap_add_id(conf, geteuid(), getegid())) == NULL) {
> >> > + ERROR("Error adding self to container uid/gid map");
> >> > goto err;
> >> > }
> >>
> >> > --
> >> > 1.9.0
> >> > _______________________________________________
> >> > lxc-devel mailing list
> >> > lxc-devel at lists.linuxcontainers.org
> >> > http://lists.linuxcontainers.org/listinfo/lxc-devel
> >> _______________________________________________
> >> lxc-devel mailing list
> >> lxc-devel at lists.linuxcontainers.org
> >> http://lists.linuxcontainers.org/listinfo/lxc-devel
> > _______________________________________________
> > lxc-devel mailing list
> > lxc-devel at lists.linuxcontainers.org
> > http://lists.linuxcontainers.org/listinfo/lxc-devel
>
>
>
> --
> S.Çağlar Onur <caglar at 10ur.org>
> _______________________________________________
> lxc-devel mailing list
> lxc-devel at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-devel
--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20140630/44f371c4/attachment.sig>
More information about the lxc-devel
mailing list