[lxc-devel] [PATCH] Create lxcpath if it's missing
Serge Hallyn
serge.hallyn at ubuntu.com
Tue May 12 22:28:40 UTC 2015
Quoting S.Çağlar Onur (caglar at 10ur.org):
> Hey,
>
> On Tue, May 12, 2015 at 2:43 PM, Stéphane Graber <stgraber at ubuntu.com> wrote:
> > On Tue, May 12, 2015 at 02:27:48PM -0400, S.Çağlar Onur wrote:
> >> Otherwise calling list_defined_containers just after installing LXC ends up with the following error
> >>
> >> lxc: lxccontainer.c: list_defined_containers: 4310 No such file or directory - opendir on lxcpath
> >>
> >> $ /home/caglar/go/src/gopkg.in/lxc/go-lxc.v2/examples/list
> >> 2015/05/12 14:23:08 Defined containers:
> >> lxc: lxccontainer.c: list_defined_containers: 4310 No such file or directory - opendir on lxcpath
> >> 2015/05/12 14:23:08
> >> 2015/05/12 14:23:08 Active containers:
> >> 2015/05/12 14:23:08
> >> 2015/05/12 14:23:08 Active and Defined containers:
> >> $
> >>
> >> Signed-off-by: S.Çağlar Onur <caglar at 10ur.org>
> >> ---
> >> src/lxc/lxccontainer.c | 5 +++++
> >> 1 file changed, 5 insertions(+)
> >>
> >> diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
> >> index 8999f44..e8bade3 100644
> >> --- a/src/lxc/lxccontainer.c
> >> +++ b/src/lxc/lxccontainer.c
> >> @@ -3965,6 +3965,11 @@ int list_defined_containers(const char *lxcpath, char ***names, struct lxc_conta
> >> if (!lxcpath)
> >> lxcpath = lxc_global_config_value("lxc.lxcpath");
> >>
> >> + if (mkdir_p(lxcpath, 0755) < 0) {
> >
> > I'm not yet sure that we really want to do the mkdir, but the dir
> > permission there is wrong, lxcpath should be 700.
> >
> > The reason for this is to avoid security issues where an unprivileged
> > user can traverse through lxcpath and find an old setuid binary with a
> > security issue they can use to gain root.
>
> Hmm, I tried 700 first but failed and thought it needs to be 755 because it tells me
>
> Permission denied - could not access /home/caglar/.local/share/lxc.
> Please grant it 'x' access, or add an ACL for the container root.
Yeah no, for unprivileged containers we leave lxcpath 755, and
make $lxcpath/$lxcname 750, owned by the container root and
group-owned by the owner.
> Do you see anything weird with the following setup?
>
> caglar at pop:~/go/src/gopkg.in/lxc/go-lxc.v2/examples$ stat /home/caglar/.local/
> File: ‘/home/caglar/.local/’
> Size: 10 Blocks: 0 IO Block: 4096 directory
> Device: 28h/40d Inode: 283 Links: 1
> Access: (0755/drwxr-xr-x) Uid: ( 1000/ caglar) Gid: ( 1000/ caglar)
> Access: 2015-05-12 14:51:28.458063615 -0400
> Modify: 2015-04-23 17:12:43.084709204 -0400
> Change: 2015-05-12 14:51:27.698078130 -0400
> Birth: -
>
> caglar at pop:~/go/src/gopkg.in/lxc/go-lxc.v2/examples$ stat /home/caglar/.local/share/
> File: ‘/home/caglar/.local/share/’
> Size: 454 Blocks: 0 IO Block: 4096 directory
> Device: 28h/40d Inode: 284 Links: 1
> Access: (0755/drwxr-xr-x) Uid: ( 1000/ caglar) Gid: ( 1000/ caglar)
> Access: 2015-05-12 14:50:33.931108423 -0400
> Modify: 2015-05-12 14:41:45.317654121 -0400
> Change: 2015-05-12 14:51:28.922054753 -0400
> Birth: -
>
> caglar at pop:~/go/src/gopkg.in/lxc/go-lxc.v2/examples$ stat /home/caglar/.local/share/lxc/
> File: ‘/home/caglar/.local/share/lxc/’
> Size: 32 Blocks: 0 IO Block: 4096 directory
> Device: 28h/40d Inode: 4233 Links: 1
> Access: (0700/drwx------) Uid: ( 1000/ caglar) Gid: ( 1000/ caglar)
> Access: 2015-05-12 14:51:07.050473182 -0400
> Modify: 2015-05-12 14:51:05.054511412 -0400
> Change: 2015-05-12 14:51:05.054511412 -0400
> Birth: -
>
> caglar at pop:~/go/src/gopkg.in/lxc/go-lxc.v2/examples$ ./create
> 2015/05/12 14:52:08 Creating container...
>
> caglar at pop:~/go/src/gopkg.in/lxc/go-lxc.v2/examples$ lxc-start -d -n rubik --logfile log --logpriority debug
> lxc-start: lxc_start.c: main: 344 The container failed to start.
> lxc-start: lxc_start.c: main: 346 To get more details, run the container in foreground mode.
> lxc-start: lxc_start.c: main: 348 Additional information can be obtained by setting the --logfile and --logpriority options.
>
> caglar at pop:~/go/src/gopkg.in/lxc/go-lxc.v2/examples$ grep ERROR log
> lxc-start 1431456777.743 ERROR lxc_start - start.c:print_top_failing_dir:102 - Permission denied - could not access /home/caglar/.local/share/lxc. Please grant it 'x' access, or add an ACL for the container root.
> lxc-start 1431456777.743 ERROR lxc_sync - sync.c:__sync_wait:51 - invalid sequence number 1. expected 2
> lxc-start 1431456777.787 ERROR lxc_start - start.c:__lxc_start:1164 - failed to spawn 'rubik'
> lxc-start 1431456782.794 ERROR lxc_start_ui - lxc_start.c:main:344 - The container failed to start.
> lxc-start 1431456782.794 ERROR lxc_start_ui - lxc_start.c:main:346 - To get more details, run the container in foreground mode.
> lxc-start 1431456782.794 ERROR lxc_start_ui - lxc_start.c:main:348 - Additional information can be obtained by setting the --logfile and --logpriority options.
> caglar at pop:~/go/src/gopkg.in/lxc/go-lxc.v2/examples$
>
> >> + SYSERROR("failed to create lxcpath directory %s", lxcpath);
> >> + return -1;
> >> + }
> >> +
> >> dir = opendir(lxcpath);
> >> if (!dir) {
> >> SYSERROR("opendir on lxcpath");
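Review bot: the `mkdir_p(lxcpath, 0755)` added before `opendir(lxcpath)` gives a read-only listing function a side effect (creating directories) and hard-codes a mode that the thread itself cannot agree on (Stéphane asks for 700, Serge says unprivileged lxcpath stays 755 with 750 per-container directories). A change that fixes the reported failure without taking a position on the mode is to treat a missing lxcpath as "no containers defined": when `opendir` fails with `errno == ENOENT`, return 0 with `*names` (and `*cret`, if the caller asked for it) left empty, and leave directory creation to the code that creates containers, which already knows which mode applies. Separately, the visible lines do not show what `lxc_global_config_value("lxc.lxcpath")` returns when the key is unset; if it can return NULL, `mkdir_p(NULL, ...)` is reached before anything checks `lxcpath`, so a NULL check after the assignment would be worth adding regardless of which fix is taken.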
> >> --
> >> 2.1.4
> >>
> >> _______________________________________________
> >> lxc-devel mailing list
> >> lxc-devel at lists.linuxcontainers.org
> >> http://lists.linuxcontainers.org/listinfo/lxc-devel
> >
> > --
> > Stéphane Graber
> > Ubuntu developer
> > http://www.ubuntu.com
> >
> >
>
>
>
> --
> S.Çağlar Onur <caglar at 10ur.org>
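As an added example (not code from the patch, from LXC, or from anyone in this thread), the program below audits a directory against the layout Serge describes for unprivileged containers: the lxcpath itself must grant `x` to others, since the container's mapped root uid has to traverse into it (that is exactly the `print_top_failing_dir` error quoted above when lxcpath was 0700), while each `$lxcpath/$name` must carry no world bits at all (0750). The fixture it builds under `/tmp` is constructed here for illustration; the directory names `good` and `leaky` are hypothetical.

```c
/* Added example: audit an lxcpath against the unprivileged-container layout
 * described in the thread (lxcpath traversable by others; per-container
 * directories 0750 with no world bits). Not LXC code. */
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns the number of directories that violate the intended layout, or -1
 * on error with errno set. Each violation is reported on stderr. */
int audit_lxcpath(const char *lxcpath)
{
	struct stat st;
	DIR *dir;
	struct dirent *de;
	int violations = 0;

	if (stat(lxcpath, &st) < 0)
		return -1;
	if (!S_ISDIR(st.st_mode)) {
		errno = ENOTDIR;
		return -1;
	}
	/* The top-level directory must be traversable by others (o+x); the
	 * container's root uid is an unprivileged uid on the host. */
	if (!(st.st_mode & S_IXOTH)) {
		fprintf(stderr, "%s: mode %04o lacks o+x; container root cannot traverse\n",
			lxcpath, (unsigned)(st.st_mode & 07777));
		violations++;
	}

	dir = opendir(lxcpath);
	if (!dir)
		return -1;
	while ((de = readdir(dir)) != NULL) {
		char path[PATH_MAX];

		if (!strcmp(de->d_name, ".") || !strcmp(de->d_name, ".."))
			continue;
		snprintf(path, sizeof(path), "%s/%s", lxcpath, de->d_name);
		if (lstat(path, &st) < 0 || !S_ISDIR(st.st_mode))
			continue;
		/* Per-container directories must have no world bits (expected 0750). */
		if (st.st_mode & S_IRWXO) {
			fprintf(stderr, "%s: mode %04o is world-accessible; expected 0750\n",
				path, (unsigned)(st.st_mode & 07777));
			violations++;
		}
	}
	closedir(dir);
	return violations;
}

/* Constructed fixture: an lxcpath at 0755 holding one container directory at
 * 0750 (compliant) and one at 0755 (a violation). Returns a malloc'd path,
 * or NULL on failure. Explicit chmod() so the caller's umask cannot skew it. */
char *make_fixture(void)
{
	char tmpl[] = "/tmp/lxcpath-audit-XXXXXX";
	char sub[PATH_MAX];
	char *base = mkdtemp(tmpl);

	if (!base)
		return NULL;
	chmod(base, 0755);
	snprintf(sub, sizeof(sub), "%s/good", base);
	mkdir(sub, 0750);
	chmod(sub, 0750);
	snprintf(sub, sizeof(sub), "%s/leaky", base);
	mkdir(sub, 0755);
	chmod(sub, 0755);
	return strdup(base);
}

int main(void)
{
	char *path = make_fixture();
	int n;

	if (!path) {
		perror("mkdtemp");
		return 1;
	}
	n = audit_lxcpath(path);
	printf("%s: %d violation(s)\n", path, n);
	free(path);
	return n != 1;
}
```

Run against a real tree as `audit_lxcpath("/home/<user>/.local/share/lxc")`; a result of -1 with `errno == ENOENT` is the same missing-directory condition the patch is trying to paper over, and is better reported than silently created.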