[lxc-devel] [PATCH] Fix to work lxc-destroy with unprivileged containers on recent kernel
S.Çağlar Onur
caglar at 10ur.org
Tue Jul 1 16:07:28 UTC 2014
Hey Stéphane,
On Mon, Jun 30, 2014 at 10:20 PM, Stéphane Graber <stgraber at ubuntu.com> wrote:
> On Mon, Jun 30, 2014 at 10:09:49PM -0400, S.Çağlar Onur wrote:
>> Hey there,
>>
>> This change set caused my go test suite to fail unexpectedly. Some of
>> my tests produced errors like
>>
>> === RUN TestClone
>> lxc_container: Error chgrp /home/caglar/.local/share/lxc/consectetur/rootfs
>> --- PASS: TestClone (6.31 seconds)
>>
>> or
>>
>> lxc_container: failed mounting
>> /home/caglar/.local/share/lxcsnaps/lorem/snap0/rootfs onto
>> /home/caglar/.local/share/lxcsnaps/lorem/snap0/rootfs
>> lxc_container: Error copying storage
>> --- FAIL: TestRestoreSnapshot (76.30 seconds)
>> lxc_test.go:241: restoring the container failed
>>
>> Then, some other test cases started to run multiple times for no
>> reason and they eventually got stuck (see
>> http://paste.ubuntu.com/7729266/ for an example)
>>
>> I'm on ubuntu trusty with latest kernel (3.13.0-30-generic) and using
>> stable-1.0 branch. Reverting following three commits made my tests
>> happy again
>>
>> * "Cast to gid_t to fix android build failure", commit
>> 8c760bbd101b033ab7dbbd518f4500572b204d9a.
>>
>> * "Fix to work lxc-start with unprivileged containers on recent
>> kernel", commit bd3214ff7f39956924baa83a6cfbdd542268b44.
>>
>> * "Fix to work lxc-destroy with unprivileged containers on recent
>> kernel", commit 308fddd2e93bd6ae83f089d5a7e914e7134901cf.
>>
>> I'm not sure what triggers this problem. Unfortunately I don't have
>> enough time to debug it further now but will try find some time. In
>> the meantime, I'm wondering whether you are experiencing some test
>> failures on your ci system as well.
>
> No, I had all CI tests run 3-4 times today with those commits and I
> didn't get a single failure. The CI environment is Ubuntu 14.04 with the
> 3.13 kernel, so should be identical to what you have, except that we're
> running the C and python3 tests only.
OK, good to know.
> I wonder what could be causing this issue for the Go binding, some weird
> threading bug again?
Yeah it looks like it. Will try to dig in more over the weekend and
will let you know if I can find something or somehow able to reproduce
the issue outside of the go world.
>>
>> On Mon, Jun 30, 2014 at 10:46 AM, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
>> > Quoting KATOH Yasufumi (karma at jazz.email.ne.jp):
>> >> Hi,
>> >>
>> >> I applied this patch and test. lxc-destroy work fine. :-)
>> >>
>> >> >>> On Sat, 28 Jun 2014 18:39:54 +0900
>> >> in message "[lxc-devel] [PATCH] Fix to work lxc-destroy with unprivileged containers on recent kernel"
>> >> TAMUKI Shoichi-san wrote:
>> >>
>> >> > Change idmap_add_id() to add both ID_TYPE_UID and ID_TYPE_GID entries
>> >> > to an existing lxc_conf, not just an ID_TYPE_UID entry, so as to work
>> >> > lxc-destroy with unprivileged containers on recent kernel.
>> >>
>> >> > Signed-off-by: TAMUKI Shoichi <tamuki at linet.gr.jp>
>> >>
>> >> Acked-by: KATOH Yasufumi <karma at jazz.email.ne.jp>
>> >
>> > Thanks again!
>> >
>> > Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>
>> >
>> >> > ---
>> >> > src/lxc/conf.c | 49 ++++++++++++++++++++++++++++++++++---------------
>> >> > 1 file changed, 34 insertions(+), 15 deletions(-)
>> >>
>> >> > diff --git a/src/lxc/conf.c b/src/lxc/conf.c
>> >> > index df2f7cc..70f57af 100644
>> >> > --- a/src/lxc/conf.c
>> >> > +++ b/src/lxc/conf.c
>> >> > @@ -4508,14 +4508,14 @@ static int run_userns_fn(void *data)
>> >> > }
>> >>
>> >> > /*
>> >> > - * Add a ID_TYPE_UID entry to an existing lxc_conf, if it is not
>> >> > - * alread there.
>> >> > - * We may want to generalize this to do gids as well as uids, but right now
>> >> > - * it's not necessary.
>> >> > + * Add ID_TYPE_UID/ID_TYPE_GID entries to an existing lxc_conf,
>> >> > + * if they are not already there.
>> >> > */
>> >> > -static struct lxc_list *idmap_add_id(struct lxc_conf *conf, uid_t uid)
>> >> > +static struct lxc_list *idmap_add_id(struct lxc_conf *conf,
>> >> > + uid_t uid, gid_t gid)
>> >> > {
>> >> > - int hostid_mapped = mapped_hostid(uid, conf, ID_TYPE_UID);
>> >> > + int hostuid_mapped = mapped_hostid(uid, conf, ID_TYPE_UID);
>> >> > + int hostgid_mapped = mapped_hostid(gid, conf, ID_TYPE_GID);
>> >> > struct lxc_list *new = NULL, *tmp, *it, *next;
>> >> > struct id_map *entry;
>> >>
>> >> > @@ -4526,9 +4526,9 @@ static struct lxc_list *idmap_add_id(struct lxc_conf *conf, uid_t uid)
>> >> > }
>> >> > lxc_list_init(new);
>> >>
>> >> > - if (hostid_mapped < 0) {
>> >> > - hostid_mapped = find_unmapped_nsuid(conf, ID_TYPE_UID);
>> >> > - if (hostid_mapped < 0)
>> >> > + if (hostuid_mapped < 0) {
>> >> > + hostuid_mapped = find_unmapped_nsuid(conf, ID_TYPE_UID);
>> >> > + if (hostuid_mapped < 0)
>> >> > goto err;
>> >> > tmp = malloc(sizeof(*tmp));
>> >> > if (!tmp)
>> >> > @@ -4540,8 +4540,27 @@ static struct lxc_list *idmap_add_id(struct lxc_conf *conf, uid_t uid)
>> >> > }
>> >> > tmp->elem = entry;
>> >> > entry->idtype = ID_TYPE_UID;
>> >> > - entry->nsid = hostid_mapped;
>> >> > - entry->hostid = (unsigned long)uid;
>> >> > + entry->nsid = hostuid_mapped;
>> >> > + entry->hostid = (unsigned long) uid;
>> >> > + entry->range = 1;
>> >> > + lxc_list_add_tail(new, tmp);
>> >> > + }
>> >> > + if (hostgid_mapped < 0) {
>> >> > + hostgid_mapped = find_unmapped_nsuid(conf, ID_TYPE_GID);
>> >> > + if (hostgid_mapped < 0)
>> >> > + goto err;
>> >> > + tmp = malloc(sizeof(*tmp));
>> >> > + if (!tmp)
>> >> > + goto err;
>> >> > + entry = malloc(sizeof(*entry));
>> >> > + if (!entry) {
>> >> > + free(tmp);
>> >> > + goto err;
>> >> > + }
>> >> > + tmp->elem = entry;
>> >> > + entry->idtype = ID_TYPE_GID;
>> >> > + entry->nsid = hostgid_mapped;
>> >> > + entry->hostid = (unsigned long) gid;
>> >> > entry->range = 1;
>> >> > lxc_list_add_tail(new, tmp);
>> >> > }
>> >> > @@ -4563,7 +4582,7 @@ static struct lxc_list *idmap_add_id(struct lxc_conf *conf, uid_t uid)
>> >> > return new;
>> >>
>> >> > err:
>> >> > - ERROR("Out of memory building a new uid map");
>> >> > + ERROR("Out of memory building a new uid/gid map");
>> >> > if (new)
>> >> > lxc_free_idmap(new);
>> >> > free(new);
>> >> > @@ -4572,7 +4591,7 @@ err:
>> >>
>> >> > /*
>> >> > * Run a function in a new user namespace.
>> >> > - * The caller's euid will be mapped in if it is not already.
>> >> > + * The caller's euid/egid will be mapped in if it is not already.
>> >> > */
>> >> > int userns_exec_1(struct lxc_conf *conf, int (*fn)(void *), void *data)
>> >> > {
>> >> > @@ -4597,8 +4616,8 @@ int userns_exec_1(struct lxc_conf *conf, int (*fn)(void *), void *data)
>> >> > close(p[0]);
>> >> > p[0] = -1;
>> >>
>> >> > - if ((idmap = idmap_add_id(conf, geteuid())) == NULL) {
>> >> > - ERROR("Error adding self to container uid map");
>> >> > + if ((idmap = idmap_add_id(conf, geteuid(), getegid())) == NULL) {
>> >> > + ERROR("Error adding self to container uid/gid map");
>> >> > goto err;
>> >> > }
>> >>
>> >> > --
>> >> > 1.9.0
>> >> > _______________________________________________
>> >> > lxc-devel mailing list
>> >> > lxc-devel at lists.linuxcontainers.org
>> >> > http://lists.linuxcontainers.org/listinfo/lxc-devel
>> >> _______________________________________________
>> >> lxc-devel mailing list
>> >> lxc-devel at lists.linuxcontainers.org
>> >> http://lists.linuxcontainers.org/listinfo/lxc-devel
>> > _______________________________________________
>> > lxc-devel mailing list
>> > lxc-devel at lists.linuxcontainers.org
>> > http://lists.linuxcontainers.org/listinfo/lxc-devel
>>
>>
>>
>> --
>> S.Çağlar Onur <caglar at 10ur.org>
>> _______________________________________________
>> lxc-devel mailing list
>> lxc-devel at lists.linuxcontainers.org
>> http://lists.linuxcontainers.org/listinfo/lxc-devel
>
> --
> Stéphane Graber
> Ubuntu developer
> http://www.ubuntu.com
>
> _______________________________________________
> lxc-devel mailing list
> lxc-devel at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-devel
>
--
S.Çağlar Onur <caglar at 10ur.org>
More information about the lxc-devel
mailing list