[lxc-devel] Unprivilege containers do not work on kernel 3.14.8, 3.15.1

Serge Hallyn serge.hallyn at ubuntu.com
Mon Jun 23 20:48:26 UTC 2014


Quoting KATOH Yasufumi (karma at jazz.email.ne.jp):
> >>> On Fri, 20 Jun 2014 18:33:40 +0000
>     in message   "Re: [lxc-devel] Unprivilege containers do not work on kernel 3.14.8, 3.15.1"
>                   Serge Hallyn-san wrote:
> 
> > > The owning group of /dev/pts/* is 'tty' group. Isn't it related?
> 
> > Oh, yeah, then you'll need to make it
> 
> > lxc-usernsexec -m u:0:100000:1 -m u:1000:1000:1 -m g:0:100000:1 -m g:100:5:1 -- chown 0 /dev/pts/3
> 
> I tried this:
>   $ lxc-usernsexec -m u:0:100000:1 -m u:1000:1000:1 -m g:0:100000:1 -m g:100:5:1 -- chown 0 /dev/pts/1
>   newgidmap: gid range [100-101) -> [5-6) not allowed
>   setgid: Invalid argument
> 
> 'newgidmap' only succeeds when
>   * the specified range is allowed to the user in the /etc/subgid file
> or
>   * the specified range is the user's own gid
> but in this case, both are false.
> 
> When '-m g:0:100000:1 -m g:100:5:1' is specified, lxc-usernsexec runs the
> following command:
>   newgidmap [PID] 0 100000 1 100 5 1
> 
> The first part (0 100000 1) is allowed, but the second part returns
> false in the verify_range function (in newgidmap.c in shadow), so it is
> disallowed:
> 
>   /* Allow a process to map it's own gid */
>   if ((range->count == 1) && (pw->pw_gid == range->lower))
>           return true;
>   return false;
> 
> What should we do? Or did I make a mistake?

Good point.  So we'll have to chgrp the pty to our own gid before
we can do the userns chown.  So

	chgrp $(id -g) /dev/pts/3
	lxc-usernsexec -m u:0:100000:1 -m u:$(id -u):1000:1 -m g:0:100000:1 -m g:$(id -g):1000:1 -- chown 0 /dev/pts/3

should do the trick.  Until you hit the next roadblock :)


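The rule the thread turns on is the one newgidmap applies to every `nsid hostid count` triple: the host range must lie inside one of the caller's /etc/subgid ranges, or be the single gid the caller already owns. The following is an added model of that check, written for this page and not code from the thread, from shadow or from lxc; it assumes a constructed /etc/subgid with a user `katoh` whose primary gid is 1000, and it reproduces both the rejected mapping from the thread (host gid 5, the tty group) and the accepted one (the caller's own gid after the chgrp).

```python
"""Model of the newgidmap range check discussed in the thread (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SubidRange:
    """One 'user:start:count' entry from /etc/subgid."""
    start: int
    count: int

    def contains(self, lower: int, count: int) -> bool:
        # The requested host range must sit entirely inside this entry.
        return lower >= self.start and lower + count <= self.start + self.count


def parse_subgid(text: str, user: str) -> list[SubidRange]:
    """Collect the /etc/subgid ranges delegated to `user`."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        if name == user:
            ranges.append(SubidRange(int(start), int(count)))
    return ranges


def verify_range(own_gid: int, allowed: list[SubidRange], lower: int, count: int) -> bool:
    """Mirror of the logic KATOH quotes from newgidmap.c: a mapping of `count`
    host gids starting at `lower` is permitted if it lies inside one of the
    user's /etc/subgid ranges, or if it is exactly the caller's own gid."""
    if any(r.contains(lower, count) for r in allowed):
        return True
    # "Allow a process to map its own gid" (single-gid case only).
    if count == 1 and own_gid == lower:
        return True
    return False


def mapping_option_to_triple(opt: str) -> tuple[int, int, int]:
    """Turn an lxc-usernsexec '-m g:nsid:hostid:count' value into the
    (nsid, hostid, count) triple that ends up on the newgidmap command line."""
    kind, nsid, hostid, count = opt.split(":")
    if kind != "g":
        raise ValueError("only gid mappings are modelled here")
    return int(nsid), int(hostid), int(count)


def check_mapping(own_gid: int, allowed: list[SubidRange], triples: list[int]):
    """Apply verify_range to a flat newgidmap argument list
    (nsid hostid count nsid hostid count ...).
    Returns (True, None) or (False, first_rejected_triple)."""
    if len(triples) % 3:
        raise ValueError("mapping must be groups of three")
    for i in range(0, len(triples), 3):
        nsid, hostid, count = triples[i:i + 3]
        if not verify_range(own_gid, allowed, hostid, count):
            return False, (nsid, hostid, count)
    return True, None


# Constructed /etc/subgid: katoh may map 65536 gids starting at 100000.
SUBGID_TEXT = """\
# constructed sample, not a real file
katoh:100000:65536
other:200000:65536
"""
OWN_GID = 1000  # assumed primary gid of the unprivileged user

# The mapping from the thread that newgidmap rejected: host gid 5 is the
# tty group, which is neither delegated in subgid nor the caller's own gid.
KATOH_MAPPING = [0, 100000, 1] + list(mapping_option_to_triple("g:100:5:1"))
# Serge's suggestion: after chgrp'ing the pty to our own gid, map that gid.
SERGE_MAPPING = [0, 100000, 1] + list(mapping_option_to_triple(f"g:{OWN_GID}:{OWN_GID}:1"))


def run_demo():
    allowed = parse_subgid(SUBGID_TEXT, "katoh")
    return {
        "katoh": check_mapping(OWN_GID, allowed, KATOH_MAPPING),
        "serge": check_mapping(OWN_GID, allowed, SERGE_MAPPING),
    }


if __name__ == "__main__":
    for name, (ok, rejected) in run_demo().items():
        print(f"{name}: {'allowed' if ok else 'rejected at ' + str(rejected)}")
```

The point of the check, seen from the other side: an unprivileged user may only hand gids into a namespace that the administrator delegated via /etc/subgid or that the user already holds, so a group such as tty (gid 5) cannot be pulled into a container simply by naming it in a mapping. That is why the pty must first be moved to a gid the user owns; the mapping itself never widens the user's privileges.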