[lxc-devel] please open lxc-cgroup for unprivileged monitoring

Serge E. Hallyn serge at hallyn.com
Sun Nov 27 05:11:54 UTC 2016


On Tue, Nov 08, 2016 at 06:43:17AM +0100, Harald Dunkel wrote:
> Hi Serge,
> 
> On 10/21/16 16:56, Serge E. Hallyn wrote:
> > Quoting Harald Dunkel (harald.dunkel at aixigo.de):
> >> On 10/20/2016 03:39 PM, Serge E. Hallyn wrote:
> >>> On Wed, Oct 19, 2016 at 02:10:59PM +0200, Harald Dunkel wrote:
> >>>> 
> >>>> Following the API I am forced to use root permission or some hard-to-configure sudo constructs for monitoring. This is pretty painful.
> >>>> 
> >>>> Do you think this could be improved?
> >>> 
> >>> Not easily, because you won't be allowed to talk to the container control socket to ask it its cgroup.
> >> 
> >> I am not sure if I got this correctly, but don't you already need this string to talk with the container?
> > 
> > lxc-cgroup talks to the container to find out the cgroup it is running in.  There could for instance be several containers called 'c1' (in different lxcpaths), which could be running in cgroups c1, c1.0, and c1.1. And for each controller the cgroup name could be different.
> 
> Is there any news about this?
> 
> Monitoring is highly important in my environment. I am desperate.

Hi,

Sorry, I'm not able to work on a patch for this.  In theory you're right,
we could allow more access, and it may be a good thing.  If you have time,
or know of someone who has time, to work on this, I'm happy to discuss.

The first step would be to take the lxc_cmd_t and split it into read and
write operations (or some such split).

The next step might be to turn container->may_control(container) into
container->may_control(container, O_RDONLY | O_RDWR).  (For starters all
current callers could be turned into O_RDWR callers to make the change an
effective noop).

Then it should be trivial to allow read-only cgroup operations.  Which
raises a question - if I have read access to a container's control
socket, but not to its cgroup paths, do we allow read operations?

To make use of this, you would still need to allow read access to the
command socket.  lxc_abstract_unix_rcv_credential() would need to be
relaxed, so presumably you'd add a "lxc.allow_read_commands = 1000"
to allow uid 1000 to get read access?  Did you have another idea?

-serge
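
Added example, not part of the original message and not LXC code: a sketch of the read/write command split and uid allow-list described above. The command ids, struct policy and all function names are hypothetical; the allow-list models the proposed "lxc.allow_read_commands" key, and the rule that root and the monitor's own uid get full access is an assumption.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

/* Hypothetical command ids for illustration; not LXC's lxc_cmd_t values. */
enum cmd { CMD_GET_CGROUP, CMD_GET_STATE, CMD_STOP, CMD_CONSOLE, CMD_MAX };
enum access { ACC_DENY, ACC_RDONLY, ACC_RDWR };

struct policy {
    uid_t owner;            /* uid the container monitor runs as */
    const uid_t *read_uids; /* parsed from the proposed lxc.allow_read_commands */
    size_t n_read_uids;
};

/* Step 1: split commands into read and write operations. */
static enum access cmd_required(int cmd) {
    if (cmd == CMD_GET_CGROUP || cmd == CMD_GET_STATE)
        return ACC_RDONLY;
    return ACC_RDWR; /* fail closed: anything unclassified counts as a write */
}

/* Step 2: access for a peer uid (assumed kernel-verified socket credential). */
static enum access peer_access(const struct policy *p, uid_t peer) {
    if (peer == 0 || peer == p->owner)
        return ACC_RDWR;
    for (size_t i = 0; i < p->n_read_uids; i++)
        if (p->read_uids[i] == peer)
            return ACC_RDONLY;
    return ACC_DENY;
}

bool cmd_allowed(const struct policy *p, uid_t peer, int cmd) {
    return cmd >= 0 && cmd < CMD_MAX &&
           peer_access(p, peer) >= cmd_required(cmd);
}

/* Constructed sample: monitor owned by uid 1001, uid 1000 allow-listed. */
bool demo_allowed(uid_t peer, int cmd) {
    static const uid_t readers[] = { 1000 };
    const struct policy p = { 1001, readers, 1 };
    return cmd_allowed(&p, peer, cmd);
}

int main(void) {
    printf("uid 1000: get_cgroup=%d stop=%d\n",
           demo_allowed(1000, CMD_GET_CGROUP), demo_allowed(1000, CMD_STOP));
    return 0;
}
```

The sketch checks only socket-level access; whether a reader without access to the cgroup paths should be served is left open, as in the message.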