[lxc-devel] [bisect] user lxc work with kernel 3.14.18 but fail with 3.14.19

Stéphane Graber stgraber at ubuntu.com
Tue Sep 23 14:14:25 UTC 2014


That very much looks like the security fix commits we got a while
back and for which we already have workarounds in git.

Would be great if you could try running the current stable-1.0 branch
and see if that fixes it for you.


On Tue, Sep 23, 2014 at 02:15:08PM +0200, vivo75 at gmail.com wrote:
> 
> The last long-term 3.14.9 has a change that makes user lxc fail to start; it
> seems the permission problem has already been encountered and fixed
> before, in lxc userspace, not in the kernel.
> 
> =======================
> 
> lxc-start --version
> 1.0.5
> 
> =======================
> 
> git bisect good | tee -a ${HOME}/bisect.log
> 
> 
> 9810174c0384f725a31be1dfc64a881695ad465d is the first bad commit
> commit 9810174c0384f725a31be1dfc64a881695ad465d
> Author: Eric W. Biederman <ebiederm at xmission.com>
> Date:   Mon Jul 28 17:10:56 2014 -0700
> 
>     mnt: Move the test for MNT_LOCK_READONLY from change_mount_flags into do_remount
> 
>     commit 07b645589dcda8b7a5249e096fece2a67556f0f4 upstream.
> 
>     There are no races as locked mount flags are guaranteed to never change.
> 
>     Moving the test into do_remount makes it more visible, and ensures all
>     filesystem remounts pass the MNT_LOCK_READONLY permission check.  This
>     second case is not an issue today as filesystem remounts are guarded
>     by capable(CAP_DAC_ADMIN) and thus will always fail in less privileged
>     mount namespaces, but it could become an issue in the future.
> 
>     Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>
>     Signed-off-by: "Eric W. Biederman" <ebiederm at xmission.com>
>     Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
> 
> :040000 040000 fdeae1bccd4d8935fe5ff820bb2a08ae9a19c15e
> b2a326f9db8e6e34be00b7ad53f0dc8b203b9e93 M      fs
> 
> =======================
> 
> The log of the failed start follows.
> 
> I lxc_start_ui - using rcfile
> /srv/lxc/lxc_user/.local/share/lxc/apache2/config
> I lxc_confile - read uid map: type u nsid 0 hostid 100000 range 65536
> I lxc_confile - read uid map: type g nsid 0 hostid 100000 range 65536
> W lxc_log - lxc_log_init called with log already initialized
> D lxc_conf - allocated pty '/dev/pts/10' (5/6)
> I lxc_conf - tty's configured
> D lxc_start - sigchild handler set
> D lxc_console - opening /dev/tty for console peer
> I lxc_caps - Last supported cap was 34
> D lxc_console - using '/dev/tty' as console
> D lxc_console - 5072 got SIGWINCH fd 11
> D lxc_console - set winsz dstfd:8 cols:80 rows:24
> I lxc_start - 'apache2' is initialized
> D lxc_start - Not dropping cap_sys_boot or watching utmp
> I lxc_start - Cloning a new user namespace
> I lxc_cgroup - cgroup driver cgroupfs initing for apache2
> N lxc_start - switching to gid/uid 0 in new user namespace
> D lxc_conf - mounted '/srv/lxc/lxc_user/.local/share/lxc/apache2/rootfs'
> on '/usr/lib/lxc/rootfs'
> I lxc_conf - 'apache2' hostname has been setup
> D lxc_conf - 'eth0' has been setup
> I lxc_conf - network has been setup
> I lxc_conf - Mounting /dev under /usr/lib/lxc/rootfs
> D lxc_conf - entering mount_check_fs for /dev
> D lxc_conf - mount_check_fs returning 1 last devtmpfs
> D lxc_conf - Bind mounting /dev/.lxc/apache2.f4369c12c7bf962c to
> /usr/lib/lxc/rootfs/dev
> I lxc_conf - Mounted /dev under /usr/lib/lxc/rootfs
> D lxc_conf - remounting /dev/console on /usr/lib/lxc/rootfs/dev/console
> to respect bind or remount options
> E lxc_conf - Operation not permitted - failed to mount '/dev/console' on
> '/usr/lib/lxc/rootfs/dev/console'
> E lxc_conf - failed to setup the mount entries for 'apache2'
> E lxc_start - failed to setup the container
> E lxc_sync - invalid sequence number 1. expected 2
> E lxc_start - failed to spawn 'apache2'
> E lxc_start_ui - The container failed to start.
> E lxc_start_ui - Additional information can be obtained by setting the
> --logfile and --log-priority options.
> 
> _______________________________________________
> lxc-devel mailing list
> lxc-devel at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-devel

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
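The kernel change bisected above makes every remount in a less privileged mount namespace pass the locked-flag check, so a remount that would clear a flag inherited as locked (read-only, nosuid, nodev, noexec) fails with EPERM, which matches the "Operation not permitted" on the /dev/console remount in the log. The usual userspace answer is to look up the mount's current per-mount options in /proc/self/mountinfo and OR them back into the remount flags rather than issuing a bare MS_REMOUNT|MS_BIND. The following C program is an added illustration of that approach, written for this thread; it is not LXC's own code, and the mountinfo lines, mount ids and device numbers in SAMPLE_MOUNTINFO are constructed for the example (the paths echo the log above). The function remount_preserving_locked_flags() applies the same logic to the live table and is the only part that needs privileges.

```c
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>

/* Constructed sample in /proc/self/mountinfo format (hypothetical ids/devices),
 * modelled on the paths in the lxc log. Field order per line:
 *   id parent maj:min root mountpoint per-mount-opts [optional...] - fstype source super-opts
 * (a real mountpoint field octal-escapes spaces as \040; not handled here) */
static const char SAMPLE_MOUNTINFO[] =
    "35 20 0:24 / /usr/lib/lxc/rootfs/dev rw,nosuid,relatime - tmpfs none rw,size=492k,mode=755\n"
    "36 35 0:6 /console /usr/lib/lxc/rootfs/dev/console ro,nosuid,nodev,noexec,relatime - devtmpfs udev rw,mode=755\n";

/* Copy the n-th (0-based) space-separated field of one line into buf.
 * Stops at end of line. Returns 0 on success, -1 if the field is missing. */
static int nth_field(const char *line, int n, char *buf, size_t buflen)
{
    const char *p = line;
    for (int i = 0; ; i++) {
        p += strspn(p, " ");
        size_t len = strcspn(p, " \n");
        if (len == 0)
            return -1;                  /* ran out of fields on this line */
        if (i == n) {
            if (len >= buflen)
                return -1;
            memcpy(buf, p, len);
            buf[len] = '\0';
            return 0;
        }
        p += len;
    }
}

/* Translate a per-mount option string ("ro,nosuid,relatime") into the MS_*
 * flags that an unprivileged mount namespace inherits as locked and may not
 * clear. Other options (relatime, rw, ...) are not locked and are ignored. */
unsigned long locked_flags_from_opts(const char *opts)
{
    unsigned long flags = 0;
    const char *p = opts;
    while (*p) {
        size_t len = strcspn(p, ",");
        if (len == 2 && !strncmp(p, "ro", 2))          flags |= MS_RDONLY;
        else if (len == 6 && !strncmp(p, "nosuid", 6)) flags |= MS_NOSUID;
        else if (len == 5 && !strncmp(p, "nodev", 5))  flags |= MS_NODEV;
        else if (len == 6 && !strncmp(p, "noexec", 6)) flags |= MS_NOEXEC;
        p += len;
        if (*p == ',')
            p++;
    }
    return flags;
}

/* Given mountinfo text, return the flags to hand to mount(2) for a remount of
 * `target`: the caller's flags OR-ed with every locked flag already set on
 * that mount, so the remount never tries to clear one. If the target is not
 * in the table the caller's flags are returned unchanged. */
unsigned long required_remount_flags(const char *mountinfo, const char *target,
                                     unsigned long wanted)
{
    const char *line = mountinfo;
    while (*line) {
        char mountpoint[256], opts[256];
        if (nth_field(line, 4, mountpoint, sizeof mountpoint) == 0 &&
            strcmp(mountpoint, target) == 0 &&
            nth_field(line, 5, opts, sizeof opts) == 0)
            return wanted | locked_flags_from_opts(opts);
        const char *eol = strchr(line, '\n');
        if (!eol)
            break;
        line = eol + 1;
    }
    return wanted;
}

/* Live variant: read /proc/self/mountinfo and issue the remount. Needs
 * CAP_SYS_ADMIN in the current mount namespace; returns mount(2)'s result. */
int remount_preserving_locked_flags(const char *target, unsigned long wanted)
{
    static char table[1 << 16];
    FILE *f = fopen("/proc/self/mountinfo", "r");
    if (!f)
        return -1;
    size_t n = fread(table, 1, sizeof table - 1, f);
    fclose(f);
    table[n] = '\0';
    unsigned long flags = required_remount_flags(table, target, wanted | MS_REMOUNT);
    return mount(NULL, target, NULL, flags, NULL);
}

/* Dry run against the constructed table: shows what a bare bind-remount would
 * ask for versus what keeps every locked flag set. */
int main(void)
{
    const char *t = "/usr/lib/lxc/rootfs/dev/console";
    unsigned long naive = MS_REMOUNT | MS_BIND;
    unsigned long safe = required_remount_flags(SAMPLE_MOUNTINFO, t, naive);
    printf("bare remount flags:            0x%lx\n", naive);
    printf("flags preserving locked opts:  0x%lx\n", safe);
    return 0;
}
```

For the /dev/console entry the bare MS_REMOUNT|MS_BIND request would implicitly drop ro, nosuid, nodev and noexec, which is exactly what the new do_remount check refuses; adding them back is a no-op from the kernel's point of view and the remount succeeds.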