[lxc-devel] mounting mqueue in a user namespace

Serge Hallyn serge.hallyn at ubuntu.com
Fri Mar 11 23:07:36 UTC 2016


Quoting Thomas Tanaka (thomas.tanaka at oracle.com):
> 
> On 3/10/2016 4:18 PM, Serge Hallyn wrote:
> >Quoting Thomas Tanaka (thomas.tanaka at oracle.com):
> >>Hi,
> >>
> >>This question might not be specific to lxc/lxd but containers in
> >>general, I hope that is okay.
> >>I have a process created using clone with the following flags
> >>(CLONE_NEWNS|CLONE_NEWIPC|CLONE_NEWUSER).
> >>The process then tries to mount the mqueue filesystem (mount -t mqueue
> >>mqueue /dev/mqueue).
> >>However, the mounted mqueue fs has inode->i_uid = 0, instead of our
> >>ns uid, e.g. 10000. Is this expected?
> >>For others, e.g. tmpfs, the inode->i_uid is properly set to our ns uid.
> >Doesn't happen for me.  As the simplest example, if I
> >
> >lxc-usernsexec
> ># lxc-unshare -s 'IPC|MOUNT' bash
> >## mount -t mqueue mqueue /mnt
> >## touch /mnt; ls -ld /mnt; ls -l /mnt
> >
> >I see everything owned by my namespaced root user, 'root' in my shell.
> Right, maybe my understanding is not correct.
> So maybe the question should be phrased in such a way: why does a
> newly clone()d process with CLONE_NEWIPC|CLONE_NEWNS|CLONE_NEWUSER
> not seem to perform switch_task_namespaces()?
> The observation here is, yes, inside of the userns it is owned by
> root, but outside of it, i.e. in the 'global' ns, shouldn't it be

How are you viewing it from the outside?  You'll need to go
through /proc/pid/root/dev/mqueue, else you're looking at the
host's mqueue mount, right?

> owned by the 'mapped id', e.g. 10000, instead of 0?
> Instead, for the mqueue fs, we need to do an unshare(CLONE_NEWIPC)
> prior to mounting mqueue, so that the 'global' ns inode->i_uid will
> be correctly set to the 'mapped id'.
> 
> Thank you for taking time to answer, really appreciate it!
> 
> >_______________________________________________
> >lxc-devel mailing list
> >lxc-devel at lists.linuxcontainers.org
> >http://lists.linuxcontainers.org/listinfo/lxc-devel
> 
> -- 
> Regards,
> 
> Thomas
> 
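As an added example (not code from the thread or from lxc), a C program that repeats the experiment: the child enters new user, mount and IPC namespaces, maps namespace root to its real uid/gid, mounts mqueue and reports the owner it sees, while the parent stats the same mount through /proc/<pid>/root as Serge suggests rather than the host's own /dev/mqueue. It uses fork() plus unshare() with the same three flags instead of clone(), and the scratch path /tmp/mq_test is an assumption.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>
#define MOUNTPOINT "/tmp/mq_test"        /* assumed scratch directory */
struct owners { uid_t inside; uid_t outside; };

/* Write text into /proc/self/<file>; -1 on any failure. */
static int write_self(const char *file, const char *text) {
    char path[64]; snprintf(path, sizeof path, "/proc/self/%s", file);
    int fd = open(path, O_WRONLY), n = (int)strlen(text);
    int r = (fd >= 0 && write(fd, text, n) == n) ? 0 : -1;
    if (fd >= 0) close(fd);
    return r;
}

/* Child: unshare user+mount+IPC namespaces, map ns root to our real ids,
 * mount mqueue, report the owner seen inside, then wait to be reaped. */
static void child(int report_fd, unsigned uid, unsigned gid) {
    char map[32]; struct stat st;
    if (unshare(CLONE_NEWUSER | CLONE_NEWNS | CLONE_NEWIPC)) _exit(1);
    snprintf(map, sizeof map, "0 %u 1", uid);
    if (write_self("uid_map", map)) _exit(2);
    write_self("setgroups", "deny");     /* needed before gid_map since 3.19 */
    snprintf(map, sizeof map, "0 %u 1", gid);
    if (write_self("gid_map", map)) _exit(3);
    mkdir(MOUNTPOINT, 0700);
    if (mount("mqueue", MOUNTPOINT, "mqueue", 0, NULL)) _exit(4);
    if (stat(MOUNTPOINT, &st)) _exit(5);
    if (write(report_fd, &st.st_uid, sizeof st.st_uid) < 0) _exit(6);
    pause();
}

/* Parent: look at the same mount through /proc/<pid>/root, not the host's
 * /dev/mqueue. Returns 0 with both owners filled in, -1 if unavailable. */
int run_experiment(struct owners *out) {
    int p[2]; struct stat st; char path[64];
    pid_t pid = pipe(p) ? -1 : fork();
    if (pid < 0) return -1;
    if (pid == 0) child(p[1], getuid(), getgid());
    close(p[1]);
    int got = read(p[0], &out->inside, sizeof out->inside) == sizeof out->inside;
    snprintf(path, sizeof path, "/proc/%d/root%s", (int)pid, MOUNTPOINT);
    int rc = (got && stat(path, &st) == 0) ? 0 : -1;
    out->outside = rc == 0 ? st.st_uid : 0;
    kill(pid, SIGKILL); waitpid(pid, NULL, 0); close(p[0]);
    return rc;
}
```

On a kernel that permits unprivileged user namespaces, `inside` comes back as 0 (namespaced root) and `outside` as the real uid the map points at; on a system where unshare() or the mount is refused, the function reports -1 instead of guessing.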

