[lxc-devel] [lxd/master] Bugfixes

Mon Feb 27 21:51:41 UTC 2017

A non-text attachment was scrubbed...
Name: not available
Type: text/x-mailbox
Size: 301 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20170227/cd69b73a/attachment.bin>
-------------- next part --------------
From 22176fb5343c0fb9393937ab3004c94f2d30afc3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Mon, 27 Feb 2017 15:59:52 -0500
Subject: [PATCH 1/5] Fix uint32 check
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
 shared/container.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/shared/container.go b/shared/container.go
index 34363c4..038a7cb 100644
--- a/shared/container.go
+++ b/shared/container.go
@@ -34,7 +34,7 @@ func IsUint32(value string) error {
 		return nil
 	}
 
-	_, err := strconv.ParseInt(value, 10, 32)
+	_, err := strconv.ParseUint(value, 10, 32)
 	if err != nil {
 		return fmt.Errorf("Invalid value for uint32: %s: %v", value, err)
 	}

From 67bc302ee6838901dde79f0fa81962747d875af4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Mon, 27 Feb 2017 16:02:49 -0500
Subject: [PATCH 2/5] Don't parse id ranges as int32
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
 lxd/container_lxc.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/lxd/container_lxc.go b/lxd/container_lxc.go
index d172e8a..09100b1 100644
--- a/lxd/container_lxc.go
+++ b/lxd/container_lxc.go
@@ -464,12 +464,12 @@ func idmapSize(daemon *Daemon, isolatedStr string, size string) (int64, error) {
 			idMapSize = daemon.IdmapSet.Idmap[0].Maprange
 		}
 	} else {
-		size, err := strconv.ParseInt(size, 10, 32)
+		size, err := strconv.ParseInt(size, 10, 64)
 		if err != nil {
 			return 0, err
 		}
 
-		idMapSize = int64(size)
+		idMapSize = size
 	}
 
 	return idMapSize, nil
@@ -621,7 +621,7 @@ func findIdmap(daemon *Daemon, cName string, isolatedStr string, configSize stri
 
 		cBase := int64(0)
 		if container.ExpandedConfig()["volatile.idmap.base"] != "" {
-			cBase, err = strconv.ParseInt(container.ExpandedConfig()["volatile.idmap.base"], 10, 32)
+			cBase, err = strconv.ParseInt(container.ExpandedConfig()["volatile.idmap.base"], 10, 64)
 			if err != nil {
 				return nil, 0, err
 			}

From 0fff6cd3504b19d5a02374af65b631e5d4a613ee Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Mon, 27 Feb 2017 16:04:19 -0500
Subject: [PATCH 3/5] Clarify uid/gid error
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
 lxd/container_lxc.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lxd/container_lxc.go b/lxd/container_lxc.go
index 09100b1..dd86bd8 100644
--- a/lxd/container_lxc.go
+++ b/lxd/container_lxc.go
@@ -676,7 +676,7 @@ func findIdmap(daemon *Daemon, cName string, isolatedStr string, configSize stri
 		return mkIdmap(offset, size), offset, nil
 	}
 
-	return nil, 0, fmt.Errorf("no map range available")
+	return nil, 0, fmt.Errorf("Not enough uid/gid available for the container.")
 }
 
 func (c *containerLXC) init() error {

From fc489d29d69af4e62e20dce6aff8714021ee56e3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Mon, 27 Feb 2017 16:34:08 -0500
Subject: [PATCH 4/5] idmap: Make more of an effort to find a default
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
 lxd/daemon.go            | 36 ++++++++++++----------
 shared/idmapset_linux.go | 77 ++++++++++++++++++++++++++++++++++++++++++++++--
 2 files changed, 96 insertions(+), 17 deletions(-)

diff --git a/lxd/daemon.go b/lxd/daemon.go
index 9c77fce..0c79406 100644
--- a/lxd/daemon.go
+++ b/lxd/daemon.go
@@ -798,7 +798,7 @@ func (d *Daemon) Init() error {
 	/* Read the uid/gid allocation */
 	d.IdmapSet, err = shared.DefaultIdmapSet()
 	if err != nil {
-		shared.LogWarn("Error reading default idmap", log.Ctx{"err": err.Error()})
+		shared.LogWarn("Error reading default uid/gid map", log.Ctx{"err": err.Error()})
 		shared.LogWarnf("Only privileged containers will be able to run")
 		d.IdmapSet = nil
 	} else {
@@ -810,24 +810,30 @@ func (d *Daemon) Init() error {
 			}
 		}
 
-		shared.LogInfof("Configured LXD uid/gid map:")
-		for _, lxcmap := range d.IdmapSet.Idmap {
-			suffix := ""
+		if len(d.IdmapSet.Idmap) == 0 {
+			shared.LogWarnf("No available uid/gid map could be found")
+			shared.LogWarnf("Only privileged containers will be able to run")
+			d.IdmapSet = nil
+		} else {
+			shared.LogInfof("Configured LXD uid/gid map:")
+			for _, lxcmap := range d.IdmapSet.Idmap {
+				suffix := ""
 
-			if lxcmap.Usable() != nil {
-				suffix = " (unusable)"
-			}
+				if lxcmap.Usable() != nil {
+					suffix = " (unusable)"
+				}
 
-			for _, lxcEntry := range lxcmap.ToLxcString() {
-				shared.LogInfof(" - %s%s", strings.TrimRight(lxcEntry, "\n"), suffix)
+				for _, lxcEntry := range lxcmap.ToLxcString() {
+					shared.LogInfof(" - %s%s", strings.TrimRight(lxcEntry, "\n"), suffix)
+				}
 			}
-		}
 
-		err = d.IdmapSet.Usable()
-		if err != nil {
-			shared.LogWarnf("One or more uid/gid map entry isn't usable (typically due to nesting)")
-			shared.LogWarnf("Only privileged containers will be able to run")
-			d.IdmapSet = nil
+			err = d.IdmapSet.Usable()
+			if err != nil {
+				shared.LogWarnf("One or more uid/gid map entry isn't usable (typically due to nesting)")
+				shared.LogWarnf("Only privileged containers will be able to run")
+				d.IdmapSet = nil
+			}
 		}
 	}
 
diff --git a/shared/idmapset_linux.go b/shared/idmapset_linux.go
index 9e39f27..d08970e 100644
--- a/shared/idmapset_linux.go
+++ b/shared/idmapset_linux.go
@@ -658,10 +658,83 @@ func DefaultIdmapSet() (*IdmapSet, error) {
 			// NOTE: Remove once LXD can deal with multiple shadow maps
 			break
 		}
-	} else {
-		// Fallback map
+
+		return idmapset, nil
+	}
+
+	// No shadow available, figure out a default map
+	kernelMap, err := CurrentIdmapSet()
+	if err != nil {
+		// Hardcoded fallback map
 		e := IdmapEntry{Isuid: true, Isgid: true, Nsid: 0, Hostid: 1000000, Maprange: 1000000000}
 		idmapset.Idmap = Extend(idmapset.Idmap, e)
+		return idmapset, nil
+	}
+
+	// Look for mapped ranges
+	kernelRanges, err := kernelMap.ValidRanges()
+	if err != nil {
+		return nil, err
+	}
+
+	// Find a suitable uid range
+	for _, entry := range kernelRanges {
+		// We only care about uids right now
+		if !entry.Isuid {
+			continue
+		}
+
+		// We want a map that's separate from the system's own POSIX allocation
+		if entry.Endid < 100000 {
+			continue
+		}
+
+		// Don't use the first 65536 ids
+		if entry.Startid < 100000 {
+			entry.Startid = 100000
+		}
+
+		// Check if we have enough ids
+		if entry.Endid-entry.Startid < 65536 {
+			continue
+		}
+
+		// Add the map
+		e := IdmapEntry{Isuid: true, Isgid: false, Nsid: 0, Hostid: entry.Startid, Maprange: entry.Endid - entry.Startid + 1}
+		idmapset.Idmap = Extend(idmapset.Idmap, e)
+
+		// NOTE: Remove once LXD can deal with multiple shadow maps
+		break
+	}
+
+	// Find a suitable gid range
+	for _, entry := range kernelRanges {
+		// We only care about gids right now
+		if !entry.Isgid {
+			continue
+		}
+
+		// We want a map that's separate from the system's own POSIX allocation
+		if entry.Endid < 100000 {
+			continue
+		}
+
+		// Don't use the first 65536 ids
+		if entry.Startid < 100000 {
+			entry.Startid = 100000
+		}
+
+		// Check if we have enough ids
+		if entry.Endid-entry.Startid < 65536 {
+			continue
+		}
+
+		// Add the map
+		e := IdmapEntry{Isuid: false, Isgid: true, Nsid: 0, Hostid: entry.Startid, Maprange: entry.Endid - entry.Startid + 1}
+		idmapset.Idmap = Extend(idmapset.Idmap, e)
+
+		// NOTE: Remove once LXD can deal with multiple shadow maps
+		break
 	}
 
 	return idmapset, nil

From faaa9dfd3ca5dbbe9121c1c417a329c128053245 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Mon, 27 Feb 2017 16:47:58 -0500
Subject: [PATCH 5/5] init: Only show userns message if lacking uid/gid
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
 lxd/main_init.go | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/lxd/main_init.go b/lxd/main_init.go
index 7e55e4c..7dbe75c 100644
--- a/lxd/main_init.go
+++ b/lxd/main_init.go
@@ -276,7 +276,14 @@ func cmdInit() error {
 			}
 		}
 
-		if runningInUserns {
+		// Detect lack of uid/gid
+		needPrivileged := false
+		idmapset, err := shared.DefaultIdmapSet()
+		if err != nil || len(idmapset.Idmap) == 0 || idmapset.Usable() != nil {
+			needPrivileged = true
+		}
+
+		if runningInUserns && needPrivileged {
 			fmt.Printf(`
 We detected that you are running inside an unprivileged container.
 This means that unless you manually configured your host otherwise,
