[lxc-devel] [bisect] user lxc work with kernel 3.14.18 but fail with 3.14.19

vivo75 at gmail.com vivo75 at gmail.com
Tue Sep 23 14:27:53 UTC 2014


I'm running 1.0.5; I'll test git or 1.0.6 if it comes out before I can test a git version.



On 23/09/2014 16:14, Stéphane Graber wrote:
> That very much looks like the security fix commits we've got a while
> back and for which we already have workarounds in git.
>
> Would be great if you could try running the current stable-1.0 branch
> and see if that fixes it for you.
>
>
> On Tue, Sep 23, 2014 at 02:15:08PM +0200, vivo75 at gmail.com wrote:
>> last long term 3.14.9 has a change that makes user lxc fail to start; it
>> seems the permission problem has already been encountered and fixed
>> before, in lxc userspace, not in the kernel.
>>
>> =======================
>>
>> lxc-start --version
>> 1.0.5
>>
>> =======================
>>
>> git bisect good | tee -a ${HOME}/bisect.log
>>
>>
>> 9810174c0384f725a31be1dfc64a881695ad465d is the first bad commit
>> commit 9810174c0384f725a31be1dfc64a881695ad465d
>> Author: Eric W. Biederman <ebiederm at xmission.com>
>> Date:   Mon Jul 28 17:10:56 2014 -0700
>>
>>     mnt: Move the test for MNT_LOCK_READONLY from change_mount_flags into do_remount
>>
>>     commit 07b645589dcda8b7a5249e096fece2a67556f0f4 upstream.
>>
>>     There are no races as locked mount flags are guaranteed to never change.
>>
>>     Moving the test into do_remount makes it more visible, and ensures all
>>     filesystem remounts pass the MNT_LOCK_READONLY permission check.  This
>>     second case is not an issue today as filesystem remounts are guarded
>>     by capable(CAP_DAC_ADMIN) and thus will always fail in less privileged
>>     mount namespaces, but it could become an issue in the future.
>>
>>     Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>
>>     Signed-off-by: "Eric W. Biederman" <ebiederm at xmission.com>
>>     Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
>>
>> :040000 040000 fdeae1bccd4d8935fe5ff820bb2a08ae9a19c15e b2a326f9db8e6e34be00b7ad53f0dc8b203b9e93 M      fs
>>
>> =======================
>>
>> log of the fail start follow
>>
>> I lxc_start_ui - using rcfile /srv/lxc/lxc_user/.local/share/lxc/apache2/config
>> I lxc_confile - read uid map: type u nsid 0 hostid 100000 range 65536
>> I lxc_confile - read uid map: type g nsid 0 hostid 100000 range 65536
>> W lxc_log - lxc_log_init called with log already initialized
>> D lxc_conf - allocated pty '/dev/pts/10' (5/6)
>> I lxc_conf - tty's configured
>> D lxc_start - sigchild handler set
>> D lxc_console - opening /dev/tty for console peer
>> I lxc_caps - Last supported cap was 34
>> D lxc_console - using '/dev/tty' as console
>> D lxc_console - 5072 got SIGWINCH fd 11
>> D lxc_console - set winsz dstfd:8 cols:80 rows:24
>> I lxc_start - 'apache2' is initialized
>> D lxc_start - Not dropping cap_sys_boot or watching utmp
>> I lxc_start - Cloning a new user namespace
>> I lxc_cgroup - cgroup driver cgroupfs initing for apache2
>> N lxc_start - switching to gid/uid 0 in new user namespace
>> D lxc_conf - mounted '/srv/lxc/lxc_user/.local/share/lxc/apache2/rootfs' on '/usr/lib/lxc/rootfs'
>> I lxc_conf - 'apache2' hostname has been setup
>> D lxc_conf - 'eth0' has been setup
>> I lxc_conf - network has been setup
>> I lxc_conf - Mounting /dev under /usr/lib/lxc/rootfs
>> D lxc_conf - entering mount_check_fs for /dev
>> D lxc_conf - mount_check_fs returning 1 last devtmpfs
>> D lxc_conf - Bind mounting /dev/.lxc/apache2.f4369c12c7bf962c to /usr/lib/lxc/rootfs/dev
>> I lxc_conf - Mounted /dev under /usr/lib/lxc/rootfs
>> D lxc_conf - remounting /dev/console on /usr/lib/lxc/rootfs/dev/console to respect bind or remount options
>> E lxc_conf - Operation not permitted - failed to mount '/dev/console' on '/usr/lib/lxc/rootfs/dev/console'
>> E lxc_conf - failed to setup the mount entries for 'apache2'
>> E lxc_start - failed to setup the container
>> E lxc_sync - invalid sequence number 1. expected 2
>> E lxc_start - failed to spawn 'apache2'
>> E lxc_start_ui - The container failed to start.
>> E lxc_start_ui - Additional information can be obtained by setting the --logfile and --log-priority options.
>>
>> _______________________________________________
>> lxc-devel mailing list
>> lxc-devel at lists.linuxcontainers.org
>> http://lists.linuxcontainers.org/listinfo/lxc-devel
>
>


