[lxc-devel] mounting mqueue in a user namespace

Thomas Tanaka thomas.tanaka at oracle.com
Fri Mar 11 23:13:56 UTC 2016


On 3/11/2016 3:07 PM, Serge Hallyn wrote:
> Quoting Thomas Tanaka (thomas.tanaka at oracle.com):
>> On 3/10/2016 4:18 PM, Serge Hallyn wrote:
>>> Quoting Thomas Tanaka (thomas.tanaka at oracle.com):
>>>> Hi,
>>>>
>>>> This question might not be specific to lxc/lxd but containers in
>>>> general, I hope that is okay.
>>>> I have a process created using clone with the following flags
>>>> (CLONE_NEWNS|CLONE_NEWIPC|CLONE_NEWUSER).
>>>> The process then tries to mount the mqueue filesystem (mount -t mqueue
>>>> mqueue /dev/mqueue).
>>>> However, the mounted mqueue fs has inode->i_uid = 0, instead of our
>>>> ns uid, e.g. 10000. Is this expected?
>>>> For others, e.g. tmpfs, the inode->i_uid is properly set to our ns uid.
>>> Doesn't happen for me. As the simplest example, if I
>>>
>>> lxc-usernsexec
>>> # lxc-unshare -s 'IPC|MOUNT' bash
>>> ## mount -t mqueue mqueue /mnt
>>> ## touch /mnt; ls -ld /mnt; ls -l /mnt
>>>
>>> I see everything owned by my namespaced root user, 'root' in my shell.
>> Right, maybe my understanding is not correct.
>> So maybe the question should be phrased this way: why does a
>> newly clone()d process with CLONE_NEWIPC|CLONE_NEWNS|CLONE_NEWUSER
>> not seem to perform switch_task_namespaces()?
>> The observation here is, yes inside of the userns it is owned by
>> root, but outside of it, i.e. in the 'global' ns, shouldn't it be
> How are you viewing it from the outside? You'll need to go
> through /proc/pid/root/dev/mqueue, else you're looking at the
> host's mqueue mount, right?
Yeah, so I instrumented the kernel (~4.1.12) to print the value of
inode->i_uid at mqueue_fill_super() (ipc/mqueue.c),
so with every mount I could see the value of inode->i_uid in the log.

Thanks.
>
>> owned by the 'mapped id', e.g. 10000, instead of 0?
>> Instead, for the mqueue fs, we need to do an unshare(CLONE_NEWIPC)
>> prior to mounting mqueue, so that the 'global' ns inode->i_uid will
>> be correctly set to the 'mapped id'.
>>
>> Thank you for taking time to answer, really appreciate it!
>>
>>> _______________________________________________
>>> lxc-devel mailing list
>>> lxc-devel at lists.linuxcontainers.org
>>> http://lists.linuxcontainers.org/listinfo/lxc-devel
>> -- 
>> Regards,
>>
>> Thomas
>>

-- 
Regards,

Thomas
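Added example (not part of this thread, and not lxc or kernel code): a small C program that reproduces the set-up discussed above without instrumenting the kernel. It clone()s a child with CLONE_NEWUSER|CLONE_NEWNS|CLONE_NEWIPC, writes the child's uid_map/gid_map, lets the child mount mqueue on a temporary directory, and then stats that directory from the parent through /proc/<pid>/root/..., which is the view Serge recommends instead of the host's own /dev/mqueue. With --unshare-ipc the child additionally runs unshare(CLONE_NEWIPC) before mounting, Thomas's workaround, so the two variants can be compared on the same kernel. The function names, the /tmp/mqdemo.XXXXXX directory, the two-pipe synchronisation and the 100000 outside id used when run as root are this example's own choices; the program needs Linux with user namespaces available and reports the errno if the kernel (or a seccomp policy) refuses.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

#define STACK_SIZE (256 * 1024)
/* Write text to /proc/<pid>/<file> with a single write(); returns 0 or -errno. */
int write_proc_file(pid_t pid, const char *file, const char *text)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/%s", (int)pid, file);
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -errno;
    int rc = write(fd, text, strlen(text)) < 0 ? -errno : 0;
    close(fd);
    return rc;
}

struct child_args {
    int sync_rd, sync_wr;  /* parent closes sync_wr once uid_map/gid_map are written */
    int status_wr;         /* child reports the errno of its mount here (0 = success) */
    const char *target;    /* directory to mount mqueue on (example path, see lead-in) */
    int unshare_ipc;       /* 1 = unshare(CLONE_NEWIPC) once more before mounting */
};

static int child_fn(void *arg)
{
    struct child_args *a = arg;
    unsigned char status = 0;
    char c;
    close(a->sync_wr);                          /* or we would never see EOF below */
    while (read(a->sync_rd, &c, 1) > 0) { }     /* block until the id maps exist */
    if ((a->unshare_ipc && unshare(CLONE_NEWIPC) < 0) ||
        mount("mqueue", a->target, "mqueue", 0, NULL) < 0)
        status = (unsigned char)errno;
    if (write(a->status_wr, &status, 1) != 1) return 1;
    if (status == 0) pause();                   /* keep the mount alive for the parent's stat() */
    return status;
}

/* Clone a child into new user+mount+ipc namespaces (uid/gid 0 inside mapped to
 * outside_id), let it mount mqueue, and report the owner uid the parent sees via
 * /proc/<pid>/root/<target>. Returns 0 and sets *seen_uid, -errno on a failure in
 * the parent, or the child's errno (> 0) if unshare()/mount() failed inside. */
int run_demo(int unshare_ipc, unsigned outside_id, uid_t *seen_uid)
{
    char dir[] = "/tmp/mqdemo.XXXXXX", line[32], path[128], *stack = NULL;
    int sp[2] = { -1, -1 }, tp[2] = { -1, -1 }, rc;
    unsigned char status = 0;
    pid_t pid = -1;
    struct stat st;
    if (!mkdtemp(dir)) return -errno;
    if (pipe(sp) < 0 || pipe(tp) < 0 || !(stack = malloc(STACK_SIZE))) { rc = -errno; goto out; }
    struct child_args args = { sp[0], sp[1], tp[1], dir, unshare_ipc };
    pid = clone(child_fn, stack + STACK_SIZE,
                CLONE_NEWUSER | CLONE_NEWNS | CLONE_NEWIPC | SIGCHLD, &args);
    if (pid < 0) { rc = -errno; goto out; }
    write_proc_file(pid, "setgroups", "deny");  /* needed before gid_map on kernels >= 3.19 */
    snprintf(line, sizeof line, "0 %u 1\n", outside_id);
    rc = write_proc_file(pid, "uid_map", line);
    if (rc == 0) rc = write_proc_file(pid, "gid_map", line);
    close(sp[1]); close(tp[1]);                 /* EOF on the sync pipe releases the child */
    sp[1] = tp[1] = -1;
    if (rc == 0 && read(tp[0], &status, 1) != 1) rc = -EIO;
    if (rc == 0) rc = status;                   /* the child's mount result */
    if (rc == 0) {
        /* Go through the child's root; otherwise we would stat the host's own tree */
        snprintf(path, sizeof path, "/proc/%d/root%s", (int)pid, dir);
        rc = stat(path, &st) < 0 ? -errno : 0;
        if (rc == 0) *seen_uid = st.st_uid;
    }
out:
    if (pid > 0) { kill(pid, SIGKILL); waitpid(pid, NULL, 0); }
    free(stack);
    close(sp[0]); close(sp[1]); close(tp[0]); close(tp[1]);   /* close(-1) is harmless */
    rmdir(dir);
    return rc;
}

int main(int argc, char **argv)
{
    /* As root, map container root to an example id (100000) that differs from our own
     * uid; an unprivileged caller may only map its own uid. */
    unsigned outside_id = getuid() == 0 ? 100000 : (unsigned)getuid();
    uid_t seen = 0;
    int rc = run_demo(argc > 1 && !strcmp(argv[1], "--unshare-ipc"), outside_id, &seen);
    if (rc != 0) fprintf(stderr, "demo failed: %s\n", strerror(rc < 0 ? -rc : rc));
    else printf("mqueue mount owner seen from outside: uid %u (mapped root = %u)\n",
                (unsigned)seen, outside_id);
    return rc != 0;
}
```

Run it twice, once without and once with --unshare-ipc, and compare the uid printed. Since an unprivileged caller can only map its own uid, the caller's id and the mapped id coincide in that case and the difference the thread describes can only show up when running as root with a distinct outside id; the unprivileged run still demonstrates reading the child's mount through /proc/<pid>/root rather than the host's mqueue mount.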