[lxc-devel] Unprivileged containers do not work on kernel 3.14.8, 3.15.1
KATOH Yasufumi
karma at jazz.email.ne.jp
Mon Jun 23 10:36:58 UTC 2014
>>> On Fri, 20 Jun 2014 18:33:40 +0000
in message "Re: [lxc-devel] Unprivileged containers do not work on kernel 3.14.8, 3.15.1"
Serge Hallyn-san wrote:
> > The owning group of /dev/pts/* is 'tty' group. Isn't it related?
> Oh, yeah, then you'll need to make it
> lxc-usernsexec -m u:0:100000:1 -m u:1000:1000:1 -m g:0:100000:1 -m g:100:5:1 -- chown 0 /dev/pts/3
I tried this:
$ lxc-usernsexec -m u:0:100000:1 -m u:1000:1000:1 -m g:0:100000:1 -m g:100:5:1 -- chown 0 /dev/pts/1
newgidmap: gid range [100-101) -> [5-6) not allowed
setgid: Invalid argument
'newgidmap' only succeeds when
* the specified range is allowed for the user in the /etc/subgid file
or
* the specified range is the user's own gid,
but in this case, both are false.
When '-m g:0:100000:1 -m g:100:5:1' is specified, lxc-usernsexec runs the
following command:
newgidmap [PID] 0 100000 1 100 5 1
The first part (0 100000 1) is allowed, but the second part fails the
check in the verify_range function (in newgidmap.c in shadow), so it is
disallowed:

    /* Allow a process to map its own gid */
    if ((range->count == 1) && (pw->pw_gid == range->lower))
        return true;
    return false;
What should we do? Or am I making a mistake?
Thanks,
KATOH Yasufumi
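The policy described in the post, modelled as an added example (this is not code from the post, from shadow or from lxc): each requested gid mapping is accepted only if its host range lies inside a /etc/subgid allotment for the caller or is exactly the caller's own gid. The subgid line, the user name 'alice' and her gid 1000 are constructed assumptions; the mapping is the one from the post.

```python
# Added example: a model of the per-range check newgidmap applies, so the
# post's rejection of '-m g:100:5:1' can be reproduced offline.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Range:
    inner: int   # first gid inside the user namespace
    lower: int   # first gid on the host
    count: int


def parse_subgid(text: str, user: str) -> List[Tuple[int, int]]:
    """Parse /etc/subgid-style lines 'user:start:count' for one user."""
    allowed = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        if name == user:
            allowed.append((int(start), int(count)))
    return allowed


def verify_range(own_gid: int, allowed: List[Tuple[int, int]], rng: Range) -> bool:
    """Accept a host range that sits inside a subgid allotment (assumed to be
    how the file is consulted) or that is exactly the caller's own gid."""
    for start, count in allowed:
        if rng.lower >= start and rng.lower + rng.count <= start + count:
            return True
    # Allow a process to map its own gid (the clause quoted in the post)
    if rng.count == 1 and own_gid == rng.lower:
        return True
    return False


def check_mappings(own_gid: int, subgid_text: str, user: str,
                   mappings: List[Range]) -> Optional[str]:
    """Return the newgidmap-style message for the first rejected range, or None."""
    allowed = parse_subgid(subgid_text, user)
    for r in mappings:
        if not verify_range(own_gid, allowed, r):
            return (f"gid range [{r.inner}-{r.inner + r.count}) -> "
                    f"[{r.lower}-{r.lower + r.count}) not allowed")
    return None


# Constructed /etc/subgid entry for a hypothetical user 'alice' (gid 1000).
SUBGID = "alice:100000:65536\n"
# The post's request: -m g:0:100000:1 -m g:100:5:1 (host gid 5 is 'tty').
POST_MAPPING = [Range(0, 100000, 1), Range(100, 5, 1)]
```

check_mappings(1000, SUBGID, "alice", POST_MAPPING) reproduces the post's "gid range [100-101) -> [5-6) not allowed"; mapping container gid 100 to alice's own gid 1000 instead passes the check.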