[lxc-devel] Enabling unprivileged containers on Yocto built Linux

bogdan.purcareata at freescale.com bogdan.purcareata at freescale.com
Thu Oct 9 10:31:22 UTC 2014


Hello,

I am trying to enable unprivileged containers for a non-standard Linux built with Yocto. Some general configuration aspects:
Linux: 3.12
LXC: 1.0.6
shadow: 4.2.1

I'm trying to run a Busybox container, and the lxc-busybox template was fairly easy to make work with unpriv lxc-create (I'm planning to upstream the fix). There is also some issue with the devices cgroup, when moving a task from /sys/fs/cgroup/lxc-user/tasks to /sys/fs/cgroup/lxc-user/<container>/tasks, but I haven't dug too much into that one either (I'm assuming it's related to some missing kernel patches, as it's mentioned at [1], Linux 3.13 is required with some additional patches).

My main issue is when trying to pivot_root the rootfs to /usr/lib/lxc/rootfs:

host:~$ lxc-start -n foo
lxc-start: Permission denied - failed to create directory '/usr/lib/lxc/rootfs/lxc_putold'
lxc-start: Permission denied - failed to create pivotdir '/usr/lib/lxc/rootfs/lxc_putold'

I noticed I can bypass this issue if I give full permissions to the rootfs directory in .local/share/lxc (and the container starts fine):

root at host:~# chmod 777 /home/lxc-user/.local/share/lxc/foo/rootfs/

However, I'm not sure this is the right fix, security-wise.

I've also played around with lxc-unshare -s USER bash, and noticed that, in the new user namespace, /usr/lib/lxc/rootfs is owned by nobody:nogroup. I can create files as needed in the directory, as long as my user is not yet mapped in the new user namespace. Once the mapping has been done (from the parent namespace), and I appear as root in the new userns (instead of nobody) I can no longer touch that directory.

I haven't read the full log of the lxc-devel list; this issue has probably been discussed and fixed some time ago (grepping and googling doesn't do me much good, I guess I can't state the issue properly). Before I eventually do, I was wondering if you have some hints as to how I might solve this or where to look (the kernel side? somewhere else? some specific conversation on this list?). I also noticed that lxc-download will create the rootfs dir with normal permissions (755), so I'm guessing this is handled somewhere else, and not by giving full access to that dir.

[1] https://www.stgraber.org/2014/01/17/lxc-1-0-unprivileged-containers/

Thank you!
Bogdan P.
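The ownership behaviour the post describes (a host-root-owned directory showing as nobody:nogroup inside the user namespace, and container root being unable to write to it unless the mode is 777) follows directly from the uid_map/gid_map arithmetic. The following is an added Python example, not code from the post or from LXC; the "0 100000 65536" subordinate range is a constructed assumption standing in for whatever /etc/subuid and /etc/subgid grant the user.

```python
# Added example, not from the original post: model how a file's host
# ownership appears inside a user namespace with a given uid_map/gid_map,
# and whether "root" inside that namespace may write to it. Unmapped ids
# show as the kernel overflow id (65534, usually nobody/nogroup).
OVERFLOW_ID = 65534  # default of /proc/sys/kernel/overflowuid


def parse_id_map(text):
    """Parse /proc/<pid>/uid_map lines: '<ns_start> <host_start> <count>'."""
    return [tuple(int(x) for x in line.split()) for line in text.strip().splitlines()]


def host_to_ns(host_id, id_map):
    """Return the in-namespace id for a host id, or None if it is unmapped."""
    for ns_start, host_start, count in id_map:
        if host_start <= host_id < host_start + count:
            return ns_start + (host_id - host_start)
    return None


def ns_to_host(ns_id, id_map):
    """Return the host id backing an in-namespace id, or None if unmapped."""
    for ns_start, host_start, count in id_map:
        if ns_start <= ns_id < ns_start + count:
            return host_start + (ns_id - ns_start)
    return None


def ns_view(host_id, id_map):
    """Ownership as 'ls -l' shows it inside the namespace (unmapped -> overflow id)."""
    mapped = host_to_ns(host_id, id_map)
    return OVERFLOW_ID if mapped is None else mapped


def ns_root_can_write(owner_uid, owner_gid, mode, uid_map, gid_map):
    """Can uid 0 of the namespace write to a path with these host uid/gid/mode?

    CAP_DAC_OVERRIDE held inside the namespace only covers inodes whose
    owner ids are mapped into it (current kernels require both uid and
    gid); for anything else container root is an ordinary user and the
    plain DAC permission bits decide.
    """
    if host_to_ns(owner_uid, uid_map) is not None and host_to_ns(owner_gid, gid_map) is not None:
        return True
    if owner_uid == ns_to_host(0, uid_map):
        return bool(mode & 0o200)
    if owner_gid == ns_to_host(0, gid_map):
        return bool(mode & 0o020)
    return bool(mode & 0o002)


if __name__ == "__main__":
    uid_map = gid_map = parse_id_map("0 100000 65536")  # constructed subordinate range
    print(ns_view(0, uid_map))                               # 65534: host root shows as nobody
    print(ns_root_can_write(0, 0, 0o755, uid_map, gid_map))  # False: the post's pivot_root failure
```

A directory created with ids from the mapped range (as lxc-download does for the rootfs) is writable by container root at mode 755, which is why the 777 workaround is not needed there.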


