[lxc-devel] [PATCH] Create lxcpath if it's missing

S.Çağlar Onur caglar at 10ur.org
Thu May 14 16:47:14 UTC 2015


Hey Serge,

On Tue, May 12, 2015 at 6:28 PM, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> Quoting S.Çağlar Onur (caglar at 10ur.org):
>> Hey,
>>
>> On Tue, May 12, 2015 at 2:43 PM, Stéphane Graber <stgraber at ubuntu.com> wrote:
>> > On Tue, May 12, 2015 at 02:27:48PM -0400, S.Çağlar Onur wrote:
>> >> Otherwise calling list_defined_containers just after installing LXC ends up with the following error
>> >>
>> >> lxc: lxccontainer.c: list_defined_containers: 4310 No such file or directory - opendir on lxcpath
>> >>
>> >> $ /home/caglar/go/src/gopkg.in/lxc/go-lxc.v2/examples/list
>> >> 2015/05/12 14:23:08 Defined containers:
>> >> lxc: lxccontainer.c: list_defined_containers: 4310 No such file or directory - opendir on lxcpath
>> >> 2015/05/12 14:23:08
>> >> 2015/05/12 14:23:08 Active containers:
>> >> 2015/05/12 14:23:08
>> >> 2015/05/12 14:23:08 Active and Defined containers:
>> >> $
>> >>
>> >> Signed-off-by: S.Çağlar Onur <caglar at 10ur.org>
>> >> ---
>> >>  src/lxc/lxccontainer.c | 5 +++++
>> >>  1 file changed, 5 insertions(+)
>> >>
>> >> diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
>> >> index 8999f44..e8bade3 100644
>> >> --- a/src/lxc/lxccontainer.c
>> >> +++ b/src/lxc/lxccontainer.c
>> >> @@ -3965,6 +3965,11 @@ int list_defined_containers(const char *lxcpath, char ***names, struct lxc_conta
>> >>       if (!lxcpath)
>> >>               lxcpath = lxc_global_config_value("lxc.lxcpath");
>> >>
>> >> +     if (mkdir_p(lxcpath, 0755) < 0) {
>> >
>> > I'm not yet sure that we really want to do the mkdir, but the dir
>> > permission there is wrong, lxcpath should be 700.
>> >
>> > The reason for this is to avoid security issues where an unprivileged
>> > user can traverse through lxcpath and find an old setuid binary with a
>> > security issue they can use to gain root.
>>
>> Hmm, I tried 700 first but failed and thought it needs to be 755 because it tells me
>>
>> Permission denied - could not access /home/caglar/.local/share/lxc.
>> Please grant it 'x' access, or add an ACL for the container root.
>
> Yeah no, for unprivileged containers we leave lxcpath 755, and
> make $lxcpath/$lxcname be 750, owned by the container root and
> group-owned by owner.

OK, then unless I'm missing something else, this patch is using the correct
mode; it's just whether we want the mkdir or not?

>> Do you see anything weird with the following setup?
>>
>> caglar at pop:~/go/src/gopkg.in/lxc/go-lxc.v2/examples$ stat /home/caglar/.local/
>>   File: ‘/home/caglar/.local/’
>>   Size: 10         Blocks: 0          IO Block: 4096   directory
>> Device: 28h/40d Inode: 283         Links: 1
>> Access: (0755/drwxr-xr-x)  Uid: ( 1000/  caglar)   Gid: ( 1000/  caglar)
>> Access: 2015-05-12 14:51:28.458063615 -0400
>> Modify: 2015-04-23 17:12:43.084709204 -0400
>> Change: 2015-05-12 14:51:27.698078130 -0400
>>  Birth: -
>>
>> caglar at pop:~/go/src/gopkg.in/lxc/go-lxc.v2/examples$ stat /home/caglar/.local/share/
>>   File: ‘/home/caglar/.local/share/’
>>   Size: 454       Blocks: 0          IO Block: 4096   directory
>> Device: 28h/40d Inode: 284         Links: 1
>> Access: (0755/drwxr-xr-x)  Uid: ( 1000/  caglar)   Gid: ( 1000/  caglar)
>> Access: 2015-05-12 14:50:33.931108423 -0400
>> Modify: 2015-05-12 14:41:45.317654121 -0400
>> Change: 2015-05-12 14:51:28.922054753 -0400
>>  Birth: -
>>
>> caglar at pop:~/go/src/gopkg.in/lxc/go-lxc.v2/examples$ stat /home/caglar/.local/share/lxc/
>>   File: ‘/home/caglar/.local/share/lxc/’
>>   Size: 32         Blocks: 0          IO Block: 4096   directory
>> Device: 28h/40d Inode: 4233        Links: 1
>> Access: (0700/drwx------)  Uid: ( 1000/  caglar)   Gid: ( 1000/  caglar)
>> Access: 2015-05-12 14:51:07.050473182 -0400
>> Modify: 2015-05-12 14:51:05.054511412 -0400
>> Change: 2015-05-12 14:51:05.054511412 -0400
>>  Birth: -
>>
>> caglar at pop:~/go/src/gopkg.in/lxc/go-lxc.v2/examples$ ./create
>> 2015/05/12 14:52:08 Creating container...
>>
>> caglar at pop:~/go/src/gopkg.in/lxc/go-lxc.v2/examples$ lxc-start -d -n rubik --logfile log --logpriority debug
>> lxc-start: lxc_start.c: main: 344 The container failed to start.
>> lxc-start: lxc_start.c: main: 346 To get more details, run the container in foreground mode.
>> lxc-start: lxc_start.c: main: 348 Additional information can be obtained by setting the --logfile and --logpriority options.
>>
>> caglar at pop:~/go/src/gopkg.in/lxc/go-lxc.v2/examples$ grep ERROR log
>>       lxc-start 1431456777.743 ERROR    lxc_start - start.c:print_top_failing_dir:102 - Permission denied - could not access /home/caglar/.local/share/lxc.  Please grant it 'x' access, or add an ACL for the container root.
>>       lxc-start 1431456777.743 ERROR    lxc_sync - sync.c:__sync_wait:51 - invalid sequence number 1. expected 2
>>       lxc-start 1431456777.787 ERROR    lxc_start - start.c:__lxc_start:1164 - failed to spawn 'rubik'
>>       lxc-start 1431456782.794 ERROR    lxc_start_ui - lxc_start.c:main:344 - The container failed to start.
>>       lxc-start 1431456782.794 ERROR    lxc_start_ui - lxc_start.c:main:346 - To get more details, run the container in foreground mode.
>>       lxc-start 1431456782.794 ERROR    lxc_start_ui - lxc_start.c:main:348 - Additional information can be obtained by setting the --logfile and --logpriority options.
>> caglar at pop:~/go/src/gopkg.in/lxc/go-lxc.v2/examples$
>>
>> >> +             SYSERROR("failed to create lxcpath directory %s", lxcpath);
>> >> +             return -1;
>> >> +     }
>> >> +
>> >>       dir = opendir(lxcpath);
>> >>       if (!dir) {
>> >>               SYSERROR("opendir on lxcpath");
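Review bot: the `+     if (mkdir_p(lxcpath, 0755) < 0) {` line turns list_defined_containers, a read-only query, into a function that creates directories on disk as a side effect, which is the concern Stéphane raises above. If the goal is only to stop the "opendir on lxcpath" error right after installation, a smaller change is to treat ENOENT from the existing `dir = opendir(lxcpath);` as "no containers defined" (return 0 with an empty list) and leave directory creation to the create path, which already knows the ownership rules for unprivileged use. If the mkdir is kept, note that the visible lines use lxcpath straight after `lxcpath = lxc_global_config_value("lxc.lxcpath");` with no NULL check, so mkdir_p would also want to be guarded against a NULL lxcpath, and the 0755 mode, per the discussion above, matches the unprivileged layout only because per-container directories under it are expected to be 750.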
>> >> --
>> >> 2.1.4
>> >>
>> >> _______________________________________________
>> >> lxc-devel mailing list
>> >> lxc-devel at lists.linuxcontainers.org
>> >> http://lists.linuxcontainers.org/listinfo/lxc-devel
>> >
>> > --
>> > Stéphane Graber
>> > Ubuntu developer
>> > http://www.ubuntu.com
>> >
>>
>> --
>> S.Çağlar Onur <caglar at 10ur.org>
-- 
S.Çağlar Onur <caglar at 10ur.org>
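The directory layout discussed above (lxcpath itself 0755 so the container root uid can traverse it, $lxcpath/$lxcname 0750) as an added, self-contained C example. This is not LXC's code: mkdir_p, dir_mode, setup_container_dirs and demo_in_tmpdir are hypothetical helpers written for this note, and the demo builds a throwaway copy of the ~/.local/share/lxc tree under /tmp using the container name "rubik" from the thread. It also shows the check a practitioner wants after a mkdir -p style call: confirming that what exists at the end is really a directory, since EEXIST is returned just the same for a file or symlink of that name. Changing owner and group to the container root uid and the owner's group needs the id mapping and is deliberately left out.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Create every missing component of `path` with `mode`, like `mkdir -p`.
 * Returns 0 on success (an already existing directory is fine) and -1 with
 * errno set otherwise. Hypothetical helper, not LXC's own mkdir_p. */
int mkdir_p(const char *path, mode_t mode)
{
    char buf[PATH_MAX];
    struct stat st;
    size_t len = strlen(path);

    if (len == 0 || len >= sizeof(buf)) {
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(buf, path, len + 1);

    /* Create each prefix in turn; an existing prefix is not an error. */
    for (char *p = buf + 1; *p; p++) {
        if (*p != '/')
            continue;
        *p = '\0';
        if (mkdir(buf, mode) < 0 && errno != EEXIST)
            return -1;
        *p = '/';
    }
    if (mkdir(buf, mode) < 0 && errno != EEXIST)
        return -1;

    /* EEXIST may have come from a file or symlink of that name; insist on a
     * real directory before anything else traverses it. */
    if (stat(buf, &st) < 0)
        return -1;
    if (!S_ISDIR(st.st_mode)) {
        errno = ENOTDIR;
        return -1;
    }
    return 0;
}

/* Permission bits of `path` (for example 0755), or -1 if it cannot be stat'ed. */
int dir_mode(const char *path)
{
    struct stat st;
    if (stat(path, &st) < 0)
        return -1;
    return (int)(st.st_mode & 07777);
}

/* Lay out lxcpath (0755) and lxcpath/<name> (0750). chmod after mkdir so the
 * caller's umask cannot silently tighten the modes and break traversal. */
int setup_container_dirs(const char *lxcpath, const char *name)
{
    char cdir[PATH_MAX];

    if (mkdir_p(lxcpath, 0755) < 0 || chmod(lxcpath, 0755) < 0)
        return -1;
    if (snprintf(cdir, sizeof(cdir), "%s/%s", lxcpath, name) >= (int)sizeof(cdir)) {
        errno = ENAMETOOLONG;
        return -1;
    }
    if (mkdir(cdir, 0750) < 0 && errno != EEXIST)
        return -1;
    if (chmod(cdir, 0750) < 0)
        return -1;
    return 0;
}

/* Build a constructed copy of the thread's ~/.local/share/lxc tree under a
 * fresh /tmp directory, verify the modes, then clean up. Returns 0 when both
 * directories carry the intended bits, -1 otherwise. */
int demo_in_tmpdir(void)
{
    char base[] = "/tmp/lxcpath-demo-XXXXXX";
    char lxcpath[PATH_MAX], cdir[PATH_MAX], tmp[PATH_MAX];
    int ok;

    if (!mkdtemp(base))
        return -1;
    snprintf(lxcpath, sizeof(lxcpath), "%s/.local/share/lxc", base);
    snprintf(cdir, sizeof(cdir), "%s/rubik", lxcpath); /* container name from the thread */

    ok = setup_container_dirs(lxcpath, "rubik") == 0
      && dir_mode(lxcpath) == 0755
      && dir_mode(cdir) == 0750;

    /* Best-effort cleanup, innermost directory first. */
    rmdir(cdir);
    rmdir(lxcpath);
    snprintf(tmp, sizeof(tmp), "%s/.local/share", base); rmdir(tmp);
    snprintf(tmp, sizeof(tmp), "%s/.local", base); rmdir(tmp);
    rmdir(base);
    return ok ? 0 : -1;
}

int main(void)
{
    int rc = demo_in_tmpdir();
    printf("directory layout %s\n", rc == 0 ? "matches 0755/0750" : "FAILED");
    return rc == 0 ? 0 : 1;
}
```

Build with `cc -Wall -o lxcpath-demo lxcpath-demo.c && ./lxcpath-demo`. The stat checks at the end of mkdir_p and in demo_in_tmpdir are the point: a 0700 lxcpath, as the thread found, makes the container's root uid unable to reach its own 0750 directory, and a stray file at the lxcpath name would otherwise pass an EEXIST-tolerant mkdir unnoticed.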