[lxc-devel] [PATCH] Fix to work lxc-destroy with unprivileged containers on recent kernel

S.Çağlar Onur caglar at 10ur.org
Thu Jul 3 18:36:58 UTC 2014 

On Tue, Jul 1, 2014 at 11:45 PM, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> Quoting S.Çağlar Onur (caglar at 10ur.org):
>> OK I think I'm seeing something but haven't found the real problem,
>> yet. Looks like some caller (or the caller of the caller etc.) is not
>> checking the return code of the chown_mapped_root (from
>> src/lxc/conf.c) function and trying to progress. That seems to be
>> causing this problem. The following patch makes my tests happy again
>> (chown is failing with EACCES on my machine)
>>
>> diff --git a/src/lxc/conf.c b/src/lxc/conf.c
>> index bdd623a..12f1690 100644
>> --- a/src/lxc/conf.c
>> +++ b/src/lxc/conf.c
>> @@ -3566,10 +3566,10 @@ int chown_mapped_root(char *path, struct lxc_conf *conf)
>>                 }
>>
>>                 // a trick for chgrp the file that is not owned by oneself
>> -               if (chown(path, -1, hostgid) < 0) {
>> -                       ERROR("Error chgrp %s", path);
>> -                       return -1;
>> -               }
>> +               //if (chown(path, -1, hostgid) < 0) {
>> +               //      ERROR("Error chgrp %s", path);
>> +               //      return -1;
>> +               //}
>>
>>                 // "u:0:rootuid:1"
>>                 ret = snprintf(map1, 100, "u:0:%d:1", rootuid);
>>
>> Try to create an unprivileged container and then clone it, you will
>> see "lxc_container: Error chgrp" error but interestingly lxc-clone is
>
> Ah, maybe that makes sense.  Can you add a debug line to print out
> the path, the current st_uid and st_gid of both the path and the
> dirname(path)?
>
> Actually if you simply check at the top of chown_mapped_root() whether
> path is already owned by the container root, and return 0 (shortcutting
> the rest of the work) if so, you may work around it.

Running following with this debug patch applied

diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index bdd623a..44fc88a 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -3567,6 +3567,7 @@ int chown_mapped_root(char *path, struct lxc_conf *conf)

                // a trick for chgrp the file that is not owned by oneself
                if (chown(path, -1, hostgid) < 0) {
+                      ERROR("Path: %s dirname: %s uid: %d gid: %d
hostuid: %d hostgid: %d", path, dirname(path), sb.st_uid, sb.st_gid,
hostuid, hostgid);
                        ERROR("Error chgrp %s", path);
                        return -1;
                }


[caglar at qop:~] cat ll.sh
lxc-create -q -t download -n rubik -- -d ubuntu -r trusty -a amd64
ls -al /home/caglar/.local/share/lxc/
ls -al /home/caglar/.local/share/lxc/rubik/
lxc-clone -n kibur rubik
ls -al /home/caglar/.local/share/lxc/
ls -al /home/caglar/.local/share/lxc/kibur/
lxc-destroy -n kibur
lxc-destroy -n rubik

Shows this, notice how cloned container doesn't have a rootfs
directory and lxc-clone outputs "Created container kibur as copy of
rubik" two times.

[caglar at qop:~] bash ll.sh
total 4
drwxr-xr-x 1 caglar caglar   42 Jul  3 14:32 .
drwxr-xr-x 1 caglar caglar  454 Jul  1 22:49 ..
-rw-rw-r-- 1 caglar caglar 1616 Jul  3 14:20 lxc-monitord.log
drwxr-xr-x 1 caglar caglar   24 Jul  3 14:32 rubik

total 4
drwxr-xr-x 1 caglar caglar  24 Jul  3 14:32 .
drwxr-xr-x 1 caglar caglar  42 Jul  3 14:32 ..
-rw-rw-r-- 1 caglar caglar 621 Jul  3 14:32 config
drwxr-xr-x 1 100000 100000 132 Jun 14 00:05 rootfs

lxc_container: Path: /home/caglar/.local/share/lxc/kibur dirname:
/home/caglar/.local/share/lxc/kibur uid: 100000 gid: 1000 hostuid:
1000 hostgid: 1000
lxc_container: Error chgrp /home/caglar/.local/share/lxc/kibur
Created container kibur as copy of rubik
Created container kibur as copy of rubik

total 4
drwxr-xr-x 1 caglar caglar   52 Jul  3 14:32 .
drwxr-xr-x 1 caglar caglar  454 Jul  1 22:49 ..
drwxr-xr-x 1 100000 100000  156 Jun 14 00:05 kibur
-rw-rw-r-- 1 caglar caglar 1616 Jul  3 14:20 lxc-monitord.log
drwxr-xr-x 1 caglar caglar   24 Jul  3 14:32 rubik

total 4
drwxr-xr-x 1 100000 100000  156 Jun 14 00:05 .
drwxr-xr-x 1 caglar caglar   52 Jul  3 14:32 ..
drwxr-xr-x 1 100000 100000 1372 Jun 14 00:05 bin
drwxr-xr-x 1 100000 100000    0 Apr 10 18:12 boot
-rw-rw-r-- 1 caglar caglar 1419 Jul  3 14:32 config
drwxr-xr-x 1 100000 100000   64 Jun 14 00:04 dev
drwxr-xr-x 1 100000 100000 2168 Jul  3 14:32 etc
drwxr-xr-x 1 100000 100000   12 Jun 14 00:06 home
drwxr-xr-x 1 100000 100000  228 Jun 14 00:04 lib
drwxr-xr-x 1 100000 100000   40 Jun 14 00:04 lib64
drwxr-xr-x 1 100000 100000    0 Jun 14 00:04 media
drwxr-xr-x 1 100000 100000    0 Apr 10 18:12 mnt
drwxr-xr-x 1 100000 100000    0 Jun 14 00:04 opt
drwxr-xr-x 1 100000 100000    0 Apr 10 18:12 proc
drwx------ 1 100000 100000   30 Jun 14 00:04 root
drwxr-xr-x 1 100000 100000  132 Jun 14 00:05 rootfs
drwxr-xr-x 1 100000 100000  110 Jun 14 00:04 run
drwxr-xr-x 1 100000 100000 2072 Jun 14 00:05 sbin
drwxr-xr-x 1 100000 100000    0 Jun 14 00:04 srv
drwxr-xr-x 1 100000 100000    0 Mar 12 21:41 sys
drwxrwxrwt 1 100000 100000    0 Jun 14 00:05 tmp
drwxr-xr-x 1 100000 100000   70 Jun 14 00:04 usr
drwxr-xr-x 1 100000 100000   90 Jun 14 00:04 var

I'll try to spend more time on this over the long weekend.

Best
-- 
S.Çağlar Onur <caglar at 10ur.org>

More information about the lxc-devel mailing list