[lxc-devel] mounting mqueue in a user namespace

Thomas Tanaka thomas.tanaka at oracle.com
Fri Mar 11 22:24:05 UTC 2016


On 3/10/2016 4:18 PM, Serge Hallyn wrote:
> Quoting Thomas Tanaka (thomas.tanaka at oracle.com):
>> Hi,
>>
>> This question might not be specific to lxc/lxd but containers in
>> general, I hope that is okay.
>> I have a process created using clone with the following flags
>> (CLONE_NEWNS|CLONE_NEWIPC|CLONE_NEWUSER).
>> The process then tries to mount the mqueue filesystem (mount -t mqueue
>> mqueue /dev/mqueue).
>> However, the mounted mqueue fs has inode->i_uid = 0, instead of our
>> ns uid, e.g. 10000. Is this expected?
>> For others, e.g. tmpfs, the inode->i_uid is properly set to our ns uid.
> Doesn't happen for me.  As simplest example, if I
>
> lxc-usernsexec
> # lxc-unshare -s 'IPC|MOUNT' bash
> ## mount -t mqueue mqueue /mnt
> ## touch /mnt; ls -ld /mnt; ls -l /mnt
>
> I see everything owned by my namespaced root user, 'root' in my shell.
Right, maybe my understanding is not correct.
So maybe the question should be phrased this way: why does a newly 
clone()d process with CLONE_NEWIPC|CLONE_NEWNS|CLONE_NEWUSER not 
seem to perform switch_task_namespaces()?
The observation here is, yes, inside of the userns it is owned by root, 
but outside of it, i.e. in the 'global' ns, shouldn't it be owned by the 
'mapped id', e.g. 10000, instead of 0?
Instead, for the mqueue fs, we need to do an unshare(CLONE_NEWIPC) prior 
to mounting mqueue, so that the 'global' ns inode->i_uid will be 
correctly set to the 'mapped id'.

Thank you for taking time to answer, really appreciate it!


-- 
Regards,

Thomas
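
Added example, not part of the original message and not lxc code: a small checker for the ownership question discussed in this thread. It reads a process's `/proc/<pid>/uid_map` and reports whether the owner of a path, as seen from the host, corresponds to a uid inside that user namespace or is unmapped there. The helper name `translate_uid`, the command-line layout and the map extent length 65536 used in testing are assumptions; the path would typically be something like `/proc/<pid>/root/dev/mqueue`.

```c
/* Added example: translate between namespace uids and host uids. */
#include <stdio.h>
#include <sys/stat.h>

/* uid_map holds lines of "<ns_start> <host_start> <count>".
 * to_host != 0: namespace uid -> host uid; to_host == 0: host uid -> ns uid.
 * Returns -1 when the id lies in no extent, i.e. it is unmapped. */
static long translate_uid(const char *map, unsigned long id, int to_host)
{
    unsigned long ns, host, count;
    int used;

    while (sscanf(map, " %lu %lu %lu%n", &ns, &host, &count, &used) == 3) {
        unsigned long from = to_host ? ns : host;
        unsigned long to = to_host ? host : ns;
        if (id >= from && id - from < count)
            return (long)(to + (id - from));
        map += used;                      /* advance to the next extent */
    }
    return -1;
}

int main(int argc, char **argv)
{
    char path[64], map[4096];
    struct stat st;
    FILE *f;
    size_t n;
    long ns_uid;

    if (argc != 3) {
        fprintf(stderr, "usage: %s <pid-in-userns> <path>\n", argv[0]);
        return 2;
    }
    snprintf(path, sizeof path, "/proc/%s/uid_map", argv[1]);
    f = fopen(path, "r");
    if (!f || stat(argv[2], &st) != 0) {
        perror("uid_map or stat");
        return 1;
    }
    n = fread(map, 1, sizeof map - 1, f);
    map[n] = '\0';
    fclose(f);
    ns_uid = translate_uid(map, st.st_uid, 0);
    printf("host i_uid=%lu; ns uid 0 maps to host uid %ld; ",
           (unsigned long)st.st_uid, translate_uid(map, 0, 1));
    if (ns_uid < 0)
        puts("owner is unmapped in that namespace");
    else
        printf("owner is uid %ld in that namespace\n", ns_uid);
    return 0;
}
```

Run it from the initial user namespace, where `uid_map` shows host-side ids.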
