[lxc-devel] [PATCH] Fix to work lxc-destroy with unprivileged containers on recent kernel
Serge Hallyn
serge.hallyn at ubuntu.com
Wed Jul 2 03:45:12 UTC 2014
Quoting S.Çağlar Onur (caglar at 10ur.org):
> OK, I think I'm seeing something but haven't found the real problem
> yet. Looks like some caller (or the caller of the caller, etc.) is not
> checking the return code of the chown_mapped_root (from
> src/lxc/conf.c) function and trying to progress. That seems to be
> causing this problem. The following patch makes my tests happy again
> (chown is failing with EACCES on my machine).
>
> diff --git a/src/lxc/conf.c b/src/lxc/conf.c
> index bdd623a..12f1690 100644
> --- a/src/lxc/conf.c
> +++ b/src/lxc/conf.c
> @@ -3566,10 +3566,10 @@ int chown_mapped_root(char *path, struct lxc_conf *conf)
> }
>
> // a trick for chgrp the file that is not owned by oneself
> - if (chown(path, -1, hostgid) < 0) {
> - ERROR("Error chgrp %s", path);
> - return -1;
> - }
> + //if (chown(path, -1, hostgid) < 0) {
> + // ERROR("Error chgrp %s", path);
> + // return -1;
> + //}
>
> // "u:0:rootuid:1"
> ret = snprintf(map1, 100, "u:0:%d:1", rootuid);
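Review bot: commenting out `if (chown(path, -1, hostgid) < 0)` together with its `ERROR(...)` and `return -1` only hides the EACCES failure and leaves four lines of dead, commented-out code in chown_mapped_root(). If the chgrp step is meant to be best-effort, delete those lines and make that explicit (keep the chown call, log a warning instead of ERROR, and fall through); if it is required, keep the `return -1` so the callers that currently ignore the return value can be fixed to see it, and add the short-circuit proposed in the reply at the top of the function (return 0 when path is already owned by the container root) so the chgrp is never attempted when there is nothing to do.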
>
> Try to create an unprivileged container and then clone it; you will
> see the "lxc_container: Error chgrp" error, but interestingly lxc-clone is
Ah, maybe that makes sense. Can you add a debug line to print out
the path, the current st_uid and st_gid of both the path and the
dirname(path)?
Actually if you simply check at the top of chown_mapped_root() whether
path is already owned by the container root, and return 0 (shortcutting
the rest of the work) if so, you may work around it.
-serge