[lxc-devel] [lxd/master] Bugfixes

stgraber on Github lxc-bot at linuxcontainers.org
Thu Oct 6 11:07:41 UTC 2016


From 6ddb4091643224b5c1d1885ea370f9806226a376 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Thu, 6 Oct 2016 12:13:53 +0200
Subject: [PATCH 1/2] Be more verbose on mkdir failure
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
 lxd/nsexec.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lxd/nsexec.go b/lxd/nsexec.go
index cf6d98f..b03e59a 100644
--- a/lxd/nsexec.go
+++ b/lxd/nsexec.go
@@ -69,7 +69,7 @@ int mkdir_p(const char *dir, mode_t mode)
 		makeme = strndup(orig, dir - orig);
 		if (*makeme) {
 			if (mkdir(makeme, mode) && errno != EEXIST) {
-				fprintf(stderr, "failed to create directory '%s'", makeme);
+				fprintf(stderr, "failed to create directory '%s': %s\n", makeme, strerror(errno));
 				free(makeme);
 				return -1;
 			}
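Review bot: style nit on the new message at `fprintf(stderr, "failed to create directory '%s': %s\n", makeme, strerror(errno));`: the other error messages in this file (for example `"Failed setns to container mount namespace: %s\n"`) start with a capitalized "Failed", so "Failed to create directory '%s': %s\n" would keep the output consistent. Adding strerror(errno) and the previously missing trailing newline is the right fix; strerror(errno) is evaluated as an argument before fprintf runs, so the value reported is the one mkdir set.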

From 6ff0b5f3b73e0431785e2da1cf0913d6e3e5fd8d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Thu, 6 Oct 2016 13:06:04 +0200
Subject: [PATCH 2/2] Fix forkmount to work with 4.8 and higher
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

A new restriction was placed in the 4.8 kernel that mkdir will return
EOVERFLOW if the resulting uid/gid is outside of the container's map.

This is a problem for us as we only attach to the mount namespace.

So to fix that, we must detect that the kernel supports userns and that
the container is in a userns, then attach.

Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
 lxd/nsexec.go | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/lxd/nsexec.go b/lxd/nsexec.go
index b03e59a..106e720 100644
--- a/lxd/nsexec.go
+++ b/lxd/nsexec.go
@@ -368,9 +368,43 @@ void create(char *src, char *dest) {
 void forkmount(char *buf, char *cur, ssize_t size) {
 	char *src, *dest, *opts;
 
+	char nspath[PATH_MAX];
+	char userns_source[PATH_MAX];
+	char userns_target[PATH_MAX];
+
 	ADVANCE_ARG_REQUIRED();
 	int pid = atoi(cur);
 
+	sprintf(nspath, "/proc/%d/ns/user", pid);
+	if (access(nspath, F_OK) == 0) {
+		if (readlink("/proc/self/ns/user", userns_source, 18) < 0) {
+			fprintf(stderr, "Failed readlink of source namespace: %s\n", strerror(errno));
+			_exit(1);
+		}
+
+		if (readlink(nspath, userns_target, PATH_MAX) < 0) {
+			fprintf(stderr, "Failed readlink of target namespace: %s\n", strerror(errno));
+			_exit(1);
+		}
+
+		if (strncmp(userns_source, userns_target, PATH_MAX) != 0) {
+			if (dosetns(pid, "user") < 0) {
+				fprintf(stderr, "Failed setns to container user namespace: %s\n", strerror(errno));
+				_exit(1);
+			}
+
+			if (setuid(0) < 0) {
+				fprintf(stderr, "Failed setuid to container root user: %s\n", strerror(errno));
+				_exit(1);
+			}
+
+			if (setgid(0) < 0) {
+				fprintf(stderr, "Failed setgid to container root group: %s\n", strerror(errno));
+				_exit(1);
+			}
+		}
+	}
+
 	if (dosetns(pid, "mnt") < 0) {
 		fprintf(stderr, "Failed setns to container mount namespace: %s\n", strerror(errno));
 		_exit(1);
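Review bot: readlink() does not NUL-terminate its output, so the comparison at `if (strncmp(userns_source, userns_target, PATH_MAX) != 0)` reads past the link text into uninitialized stack bytes, and the hard-coded length 18 in `readlink("/proc/self/ns/user", userns_source, 18)` assumes a fixed "user:[<inode>]" length that silently truncates if the inode number is longer. Use the lengths returned by readlink() (terminate both buffers, or compare the lengths and memcmp() the contents), or better, stat() the two ns files and compare st_dev/st_ino, which is the documented way to check whether two processes share a namespace. Two smaller points on the same block: `sprintf(nspath, ...)` should be snprintf(nspath, sizeof(nspath), ...) like the other path building in this file, and the privilege drop after entering the user namespace would normally call setgroups()/setgid(0) before setuid(0) so the group change cannot fail after the uid has already been switched.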

