[Lxc-users] RH and clones 6.2, LXC, SElinux and multiple DEVPTS instances

Ramez Hanna rhanna at informatiq.org
Tue Mar 6 11:13:24 UTC 2012


On Tue, Mar 6, 2012 at 1:07 PM, Mauras Olivier <oliver.mauras at gmail.com> wrote:
>
>
> On Tue, Mar 6, 2012 at 11:12 AM, Ramez Hanna <rhanna at informatiq.org> wrote:
>>
>> On Tue, Mar 6, 2012 at 12:06 PM, Iliyan Stoyanov <ilf at ilf.me> wrote:
>> > Hi Mauras,
>> >
>> > Do you by any chance have an fstab file in your container's /etc
>> > directory that is trying to mount devpts fs also? I had this issue a
>> > week ago with some of my SL6.2 containers on a Fedora 16 host. After
>> > removing everything /dev/pts related from the fstab in the /etc
>> > directory of the containers, everything magically worked.
>> >
>> > BR,
>> > --ilf
>> >
>> >
>> > On Tue, 2012-03-06 at 10:54 +0100, Mauras Olivier wrote:
>> >
>> > Hello,
>> >
>> > I've finally successfully migrated my SMACK setup over to SELinux to
>> > isolate my containers - thanks to the folks on #selinux at freenode - on
>> > a Scientific Linux 6.2 host. (I may share my policy with some details if
>> > some of you are interested.)
>> > So far so good; after loads of hits and misses almost everything works
>> > correctly.
>> >
>> > The only thing that does not is the multiple devpts instances. It seems
>> > that when specifying the "lxc.pts" option in the container config, ssh
>> > stops working, while /dev/pts is correctly mounted _but_ is still showing
>> > pts devices from the host.
>> > There are no specific SELinux AVC denials, and ssh rejects the shell
>> > connection with the kind of errors found when /dev/pts is not correctly
>> > mounted:
>> >
>> > sshd[552]: error: ssh_selinux_setup_pty: security_compute_relabel: No such file or directory
>> > sshd[556]: error: ioctl(TIOCSCTTY): Operation not permitted
>> > sshd[556]: error: open /dev/tty failed - could not set controlling tty: No such device or address
>> >
>> > As you may guess /dev/tty is present and /dev/pts is correctly mounted,
>> > as I can do: ssh root at container "ls -la /dev/pts"
>> > Only assigning the pts device for the shell doesn't...
>> >
>> >
>> > Have any of you also hit this problem? Did you find a solution?
>> >
>> >
>> > Regards,
>> > Olivier
>> >
>> >
>> > PS: Using lxc 0.7.5
>> >
>> >
>>
>> See my patch regarding f16 and my lxc-start-fedora script; that should
>> give you an idea.
>>
>> --
>> BR
>> RH
>> http://informatiq.org
>
>
> Hi,
>
> Thanks for your reply. I actually looked at your patch, but I don't think
> it's relevant to my problem as I don't start any getty in the container at
> all. Now I may be missing something; if so, please enlighten me.
>
>
> Regards,
> Olivier

In f16 systemd mounts /dev to devtmpfs no matter what you specify in your
fstab. The only case where it won't do that is when you have /dev already
mounted on a separate block device (that's what my script does to avoid
/dev being mounted by systemd).
If systemd mounts /dev then it has access to your host's devices and is
sharing the ttys. So for example if running lxc-start -n f16 it will not
get you a shell or any output from the container, because the container is
trying to access tty0, which is already in use by the host.
If you use the -d option then you don't get any access inside the
container because lxc-console won't work, again because getty will not
start on tty1 or any other tty.
I am not sure if you can start the container or not.
It could be useful if you post the full log of your lxc-start.



-- 
BR
RH
http://informatiq.org
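The shared-/dev condition Ramez describes (devtmpfs over /dev, host ttys visible, devpts not a fresh instance) can be verified from inside a container by reading its mount table. The script below is an added example and not code posted by anyone in this thread; the two mountinfo dumps are constructed, and the function names are chosen here.

```shell
#!/bin/sh
# Added example, not code from the thread: parse a /proc/self/mountinfo dump
# taken inside a container and report whether /dev and /dev/pts are private
# to it or shared with the host, as the thread describes.
# mountinfo fields: 5 = mount point, 6 = mount options, then optional fields,
# a lone "-", then fstype, mount source, super options.
# Constructed sample 1: systemd put devtmpfs on /dev (host nodes visible) and
# mounted devpts without newinstance (pty numbering shared with the host).
SAMPLE_SHARED='36 35 0:5 / /dev rw,nosuid - devtmpfs udev rw,size=4k,mode=755
40 36 0:11 / /dev/pts rw,nosuid,noexec - devpts devpts rw,gid=5,mode=620'
# Constructed sample 2: container-private /dev on tmpfs and a fresh devpts
# instance, which is what lxc.pts is meant to give you.
SAMPLE_PRIVATE='36 35 0:20 / /dev rw,nosuid - tmpfs tmpfs rw,mode=755
40 36 0:21 / /dev/pts rw,nosuid,noexec - devpts devpts rw,newinstance,gid=5,mode=620,ptmxmode=666'

# Print the field N places after the "-" separator for the given mount point.
mi_field_after_dash() {  # $1 = mountinfo text, $2 = mount point, $3 = offset
    printf '%s\n' "$1" | awk -v mp="$2" -v off="$3" \
        '$5 == mp { for (i = 7; i <= NF; i++) if ($i == "-") { print $(i + off); exit } }'
}

# check_dev_isolation MOUNTINFO_TEXT: last line of output is "private" or
# "shared"; exit status 0 only when private.
check_dev_isolation() {
    dev_fs=$(mi_field_after_dash "$1" /dev 1)
    pts_opts=$(mi_field_after_dash "$1" /dev/pts 3)
    verdict=private
    if [ "$dev_fs" = devtmpfs ]; then
        echo "WARN: /dev is devtmpfs: host device nodes (ttys included) are visible"
        verdict=shared
    fi
    if [ -z "$pts_opts" ]; then
        echo "WARN: no devpts mounted on /dev/pts"
        verdict=shared
    else
        case ",$pts_opts," in
            *,newinstance,*) ;;
            # Pre-4.7 kernels: devpts without newinstance is the host's instance (4.7+ always separate).
            *) echo "WARN: /dev/pts mounted without newinstance"; verdict=shared ;;
        esac
    fi
    echo "$verdict"
    [ "$verdict" = private ]
}

# Run against both constructed samples; inside a real container pass "$(cat /proc/self/mountinfo)".
for s in "$SAMPLE_SHARED" "$SAMPLE_PRIVATE"; do
    check_dev_isolation "$s" || :
done
```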