[lxc-devel] Unprivilege containers do not work on kernel 3.14.8, 3.15.1
Serge Hallyn
serge.hallyn at ubuntu.com
Mon Jun 23 20:48:26 UTC 2014
Quoting KATOH Yasufumi (karma at jazz.email.ne.jp):
> >>> On Fri, 20 Jun 2014 18:33:40 +0000
> in message "Re: [lxc-devel] Unprivilege containers do not work on kernel 3.14.8, 3.15.1"
> Serge Hallyn-san wrote:
>
> > > The owning group of /dev/pts/* is 'tty' group. Isn't it related?
>
> > Oh, yeah, then you'll need to make it
>
> > lxc-usernsexec -m u:0:100000:1 -m u:1000:1000:1 -m g:0:100000:1 -m g:100:5:1 -- chown 0 /dev/pts/3
>
> I tried this:
> $ lxc-usernsexec -m u:0:100000:1 -m u:1000:1000:1 -m g:0:100000:1 -m g:100:5:1 -- chown 0 /dev/pts/1
> newgidmap: gid range [100-101) -> [5-6) not allowed
> setgid: Invalid argument
>
> 'newgidmap' only succeeds when
> * the specified range is allowed to the user in the /etc/subgid file
> or
> * the specified range is the user's own gid
> but in this case, both are false.
>
> When '-m g:0:100000:1 -m g:100:5:1' is specified, lxc-usernsexec runs the
> following command:
> newgidmap [PID] 0 100000 1 100 5 1
>
> The first part (0 100000 1) is allowed, but the second part fails in
> the verify_range function (in newgidmap.c in shadow), so it is
> disallowed:
>
>     /* Allow a process to map it's own gid */
>     if ((range->count == 1) && (pw->pw_gid == range->lower))
>         return true;
>     return false;
>
> What should we do? Or did I make a mistake?
Good point. So we'll have to chgrp the pty to our own gid before
we can do the userns chown. So
chgrp $(id -g) /dev/pts/3
lxc-usernsexec -m u:0:100000:1 -m u:$(id -u):1000:1 -m g:0:100000:1 -m g:$(id -g):1000:1 -- chown 0 /dev/pts/3
should do the trick. Until you hit the next roadblock :)
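The rejection KATOH-san hit comes from newgidmap checking the host side of every triple against /etc/subgid, with the single exception of a one-id range equal to the caller's own gid. The program below is an added example written for this thread, not code from shadow or lxc: it models that decision in a stand-alone file so a mapping list can be vetted before it is handed to lxc-usernsexec. The struct field names, the sample /etc/subgid entry (karma:100000:65536) and the assumption that the caller's gid is 1000 are all constructed here; shadow itself calls the namespace id "upper" and the host id "lower".

```c
/* Added example (not code from shadow or lxc): a stand-alone model of the
 * newgidmap range check discussed in this thread. Field names, the sample
 * /etc/subgid entry and the caller's gid are assumptions made here. */
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* One host-side range granted in /etc/subgid (user:start:count). */
struct subid_range { unsigned long start; unsigned long count; };

/* One triple from the newgidmap command line: "<nsid> <hostid> <count>".
 * (shadow names the namespace id "upper" and the host id "lower".) */
struct map_range { unsigned long nsid; unsigned long hostid; unsigned long count; };

/* Constructed /etc/subgid content for the calling user: "karma:100000:65536". */
static const struct subid_range subgid_for_user[] = { { 100000UL, 65536UL } };
static const size_t n_subgid_for_user = 1;

/* Constructed gid of the calling user. */
#define OWN_GID 1000UL

/* The two mapping lists from the thread, flattened as newgidmap sees them. */
static const unsigned long broken_map[] = { 0, 100000, 1, 100, 5, 1 };     /* -m g:0:100000:1 -m g:100:5:1 */
static const unsigned long fixed_map[]  = { 0, 100000, 1, 1000, 1000, 1 }; /* -m g:0:100000:1 -m g:1000:1000:1 */

/* Does [hostid, hostid+count) lie entirely inside one granted subgid range?
 * Stands in for shadow's have_sub_gids() lookup. */
static bool have_sub_ids(const struct subid_range *allowed, size_t n_allowed,
                         unsigned long hostid, unsigned long count)
{
    if (count == 0 || hostid > ULONG_MAX - count)  /* reject empty or overflowing ranges */
        return false;
    for (size_t i = 0; i < n_allowed; i++) {
        unsigned long end = allowed[i].start + allowed[i].count;
        if (hostid >= allowed[i].start && hostid + count <= end)
            return true;
    }
    return false;
}

/* Same decision as verify_range() in newgidmap.c: the host side of the
 * triple must be granted in /etc/subgid, or be exactly the caller's own gid. */
static bool verify_range(const struct map_range *r, unsigned long own_gid,
                         const struct subid_range *allowed, size_t n_allowed)
{
    if (have_sub_ids(allowed, n_allowed, r->hostid, r->count))
        return true;
    /* Allow a process to map its own gid, and only as a single-id range. */
    if (r->count == 1 && own_gid == r->hostid)
        return true;
    return false;
}

/* Vet a flattened "nsid hostid count ..." list. Returns -1 when every triple
 * is allowed, the index of the first rejected triple otherwise, or -2 when
 * the list length is not a multiple of three. */
static int first_rejected_triple(const unsigned long *ids, size_t n_ids,
                                 unsigned long own_gid,
                                 const struct subid_range *allowed, size_t n_allowed)
{
    if (n_ids % 3 != 0)
        return -2;
    for (size_t i = 0; i < n_ids / 3; i++) {
        struct map_range r = { ids[3 * i], ids[3 * i + 1], ids[3 * i + 2] };
        if (!verify_range(&r, own_gid, allowed, n_allowed))
            return (int)i;
    }
    return -1;
}

/* Print the verdict in the same shape as newgidmap's own error message. */
static void report(const char *label, const unsigned long *ids, size_t n_ids)
{
    int bad = first_rejected_triple(ids, n_ids, OWN_GID, subgid_for_user, n_subgid_for_user);
    if (bad < 0)
        printf("%s: all triples allowed\n", label);
    else
        printf("%s: gid range [%lu-%lu) -> [%lu-%lu) not allowed\n", label,
               ids[3 * bad], ids[3 * bad] + ids[3 * bad + 2],
               ids[3 * bad + 1], ids[3 * bad + 1] + ids[3 * bad + 2]);
}

int main(void)
{
    report("broken", broken_map, sizeof broken_map / sizeof broken_map[0]);
    report("fixed", fixed_map, sizeof fixed_map / sizeof fixed_map[0]);
    return 0;
}
```

Run it and the first list is rejected at the second triple (host gid 5 is neither in the subgid grant nor the caller's gid), while the list that maps the caller's own gid to itself passes. This is why the pty has to be chgrp'ed to the caller's gid first: the host-side gid in the mapping must be one the caller is allowed to map, and a single-id range of one's own gid is the only grant newgidmap gives outside /etc/subgid.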