[Lxc-users] RH and clones 6.2, LXC, SElinux and multiple DEVPTS instances

Mauras Olivier oliver.mauras at gmail.com
Tue Mar 6 12:19:52 UTC 2012


On Tue, Mar 6, 2012 at 12:13 PM, Ramez Hanna <rhanna at informatiq.org> wrote:

> On Tue, Mar 6, 2012 at 1:07 PM, Mauras Olivier <oliver.mauras at gmail.com>
> wrote:
> >
> >
> > On Tue, Mar 6, 2012 at 11:12 AM, Ramez Hanna <rhanna at informatiq.org>
> wrote:
> >>
> >> On Tue, Mar 6, 2012 at 12:06 PM, Iliyan Stoyanov <ilf at ilf.me> wrote:
> >> > Hi Mauras,
> >> >
> >> > Do you by any chance have an fstab file in your container's /etc
> >> > directory that is also trying to mount a devpts fs? I had this issue a
> >> > week ago with some of my SL6.2 containers on a Fedora 16 host. After
> >> > removing everything /dev/pts related from the fstab in the /etc
> >> > directory of the containers, everything magically worked.
> >> >
> >> > BR,
> >> > --ilf
> >> >
> >> >
> >> > On Tue, 2012-03-06 at 10:54 +0100, Mauras Olivier wrote:
> >> >
> >> > Hello,
> >> >
> >> > I've finally successfully migrated my SMACK setup over to SELinux to
> >> > isolate my containers - thanks to the folks on #selinux at freenode - on
> >> > a Scientific Linux 6.2 host. (I may share my policy with some details if
> >> > some of you are interested.)
> >> > So far so good; after loads of hits and misses almost everything works
> >> > correctly.
> >> >
> >> > The only thing that does not is the multiple devpts instances. It seems
> >> > that when specifying the "lxc.pts" option in the container config, ssh
> >> > stops working while /dev/pts is correctly mounted _but_ is still showing
> >> > pts devices from the host.
> >> > There are no specific SELinux AVC denials, and ssh rejects the shell
> >> > connection with the kind of errors found when /dev/pts is not correctly
> >> > mounted:
> >> >
> >> > sshd[552]: error: ssh_selinux_setup_pty: security_compute_relabel: No such file or directory
> >> > sshd[556]: error: ioctl(TIOCSCTTY): Operation not permitted
> >> > sshd[556]: error: open /dev/tty failed - could not set controlling tty: No such device or address
> >> >
> >> > As you may guess /dev/tty is present and /dev/pts is correctly mounted,
> >> > as I can do: ssh root at container "ls -la /dev/pts"
> >> > Only assigning the pts device for the shell doesn't work...
> >> >
> >> >
> >> > Have any of you also hit this problem? Did you find a solution?
> >> >
> >> >
> >> > Regards,
> >> > Olivier
> >> >
> >> >
> >> > Ps: Using lxc 0.7.5
> >> >
> >> >
> >> >
> ------------------------------------------------------------------------------
> >> > Keep Your Developer Skills Current with LearnDevNow!
> >> > The most comprehensive online learning library for Microsoft
> developers
> >> > is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3,
> MVC3,
> >> > Metro Style Apps, more. Free future releases when you subscribe now!
> >> > http://p.sf.net/sfu/learndevnow-d2d
> >> > _______________________________________________ Lxc-users mailing list
> >> > Lxc-users at lists.sourceforge.net
> >> > https://lists.sourceforge.net/lists/listinfo/lxc-users
> >> >
> >> >
> >>
> >> See my patch regarding f16 and my lxc-start-fedora script; it should give
> >> you an idea.
> >>
> >> --
> >> BR
> >> RH
> >> http://informatiq.org
> >
> >
> > Hi,
> >
> > Thanks for your reply. I actually looked at your patch, but I don't think
> > it's relevant to my problem as I don't start any getty in the container at
> > all. Now I may be missing something; if so, please enlighten me.
> >
> >
> > Regards,
> > Olivier
>
> In f16 systemd mounts /dev to devtmpfs no matter what you specify in your
> fstab.
> The only case where it won't do that is when you have /dev already
> mounted on a separate block device (that's what my script does to
> avoid mounting /dev by systemd).
> If systemd mounts /dev then it has access to your host's devices
> and is sharing the ttys.
> So for example if running lxc-start -n f16 it will not get you a shell
> or any output from the container because the container is trying to
> access tty0 which is already in use by the host.
> If you use the -d option then you don't get any access inside the
> container because lxc-console won't work,
> again because getty will not start on tty1 or any other tty.
> I am not sure if you can start the container or not.
> Could be useful if you post the full log of your lxc-start.
>
>
>
> --
> BR
> RH
> http://informatiq.org
>

OK, I get it now. This is what you do here:

# create a private tmpfs, populate it with the container's static /dev
# entries, and bind it over the rootfs /dev so systemd finds /dev already
# mounted and does not put the host's devtmpfs there
mount none /tmp/lxc/$name -t tmpfs
rsync -a /var/lib/lxc/$name/rootfs/dev/ /tmp/lxc/$name
mount /tmp/lxc/$name f16/rootfs/dev/ -obind
lxc-start $* -n $name

Thing is, I don't think it would change anything for my case as it's upstart
that is used, and it actually works like a charm on a non-enforcing SELinux
system or in a SMACK-isolated container...
I really feel like SELinux is at fault here but can't find why...


BTW it shouldn't hurt to try that, even if it means modifying my SELinux
policy.


Olivier
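An added check, not part of this thread, for the symptom discussed above (/dev/pts mounted but still showing the host's pts devices): it parses /proc/self/mountinfo from inside the container and tells a private devpts instance (what lxc.pts is meant to give you) from a devpts mount that still shares the host's ptys. The mountinfo excerpts are constructed sample data; the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not part of the thread: classify the /dev/pts mount seen from
# inside a container by parsing /proc/self/mountinfo.

# Constructed mountinfo excerpts (format: id parent maj:min root mountpoint
# opts [optional...] - fstype source superopts).
PRIVATE_PTS='36 35 0:5 / /dev rw,nosuid - devtmpfs udev rw,size=4096k
37 36 0:11 / /dev/pts rw,nosuid,noexec - devpts devpts rw,gid=5,mode=620,ptmxmode=666,newinstance'
SHARED_PTS='36 35 0:5 / /dev rw,nosuid - devtmpfs udev rw,size=4096k
37 36 0:11 / /dev/pts rw,nosuid,noexec - devpts devpts rw,gid=5,mode=620'
NO_PTS='36 35 0:5 / /dev rw,nosuid - devtmpfs udev rw,size=4096k'

# devpts_check MOUNTINFO_TEXT
# Prints a verdict; returns 0 for a private instance, 1 for a devpts mount
# without newinstance (host ptys visible), 2 if /dev/pts is not devpts at all.
devpts_check() {
    printf '%s\n' "$1" | awk '
        $5 == "/dev/pts" {
            # locate the "-" separator; fstype, source and superopts follow it
            for (i = 7; i <= NF; i++) if ($i == "-") break
            if ($(i + 1) != "devpts") next
            found = 1
            if ($(i + 3) ~ /(^|,)newinstance(,|$)/) {
                print "/dev/pts: private devpts instance"; exit 0
            }
            print "/dev/pts: devpts without newinstance, host ptys visible"; exit 1
        }
        END { if (!found) { print "/dev/pts: not a devpts mount"; exit 2 } }
    '
}

# For real use inside a container: feed the live mountinfo to the check.
check_live() { devpts_check "$(cat /proc/self/mountinfo)"; }
```

This relies on the devpts superblock reporting the newinstance option, as the 2012-era kernels in the thread do; from kernel 4.7 on every devpts mount is its own instance and the option is no longer shown, so the "shared" verdict is only meaningful on older kernels.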