[Lxc-users] RH and clones 6.2, LXC, SElinux and multiple DEVPTS instances
Mauras Olivier
oliver.mauras at gmail.com
Tue Mar 6 13:04:29 UTC 2012
On Tue, Mar 6, 2012 at 1:19 PM, Mauras Olivier <oliver.mauras at gmail.com>wrote:
>
>
> On Tue, Mar 6, 2012 at 12:13 PM, Ramez Hanna <rhanna at informatiq.org>wrote:
>
>> On Tue, Mar 6, 2012 at 1:07 PM, Mauras Olivier <oliver.mauras at gmail.com>
>> wrote:
>> >
>> >
>> > On Tue, Mar 6, 2012 at 11:12 AM, Ramez Hanna <rhanna at informatiq.org>
>> wrote:
>> >>
>> >> On Tue, Mar 6, 2012 at 12:06 PM, Iliyan Stoyanov <ilf at ilf.me> wrote:
>> >> > Hi Mauras,
>> >> >
>> >> > Do you by any chance have an fstab file in your container's /etc
>> >> > directory
>> >> > that is trying to mount devpts fs also. I had this issue a week ago
>> with
>> >> > some of my SL6.2 containers on a fedora 16 host. After removing
>> >> > everything
>> >> > /dev/pts related from the fstab in the /etc directory of the
>> containers,
>> >> > everything magically worked.
>> >> >
>> >> > BR,
>> >> > --ilf
>> >> >
>> >> >
>> >> > On Tue, 2012-03-06 at 10:54 +0100, Mauras Olivier wrote:
>> >> >
>> >> > Hello,
>> >> >
>> >> > I've finally successfully migrated my SMACK setup over SElinux to
>> >> > isolate my
>> >> > containers - Thanks to the folks on #selinux at freenode - on a
>> Scientific
>> >> > Linux 6.2 host. (I may share my policy with some details if some of
>> you
>> >> > are
>> >> > interested)
>> >> > So far so good, after loads of hits and misses almost everything
>> works
>> >> > correctly.
>> >> >
>> >> > The only thing that is not, is the multiple devpts instances. It
>> seems
>> >> > that
>> >> > when specifying "lxc.pts" option in the container config, ssh stops
>> >> > working
>> >> > while /dev/pts is correctly mounted _but_ is still showing pts
>> devices
>> >> > from
>> >> > the host.
>> >> > There's no specific selinux avc denials, and ssh rejects the shell
>> >> > connection with that kind of errors found when /dev/pts is not
>> correctly
>> >> > mounted:
>> >> >
>> >> > sshd[552]: error: ssh_selinux_setup_pty: security_compute_relabel: No
>> >> > such
>> >> > file or directory
>> >> > sshd[556]: error: ioctl(TIOCSCTTY): Operation not permitted
>> >> > sshd[556]: error: open /dev/tty failed - could not set controlling
>> tty:
>> >> > No
>> >> > such device or address
>> >> >
>> >> > As you may guess /dev/tty is present and /dev/pts is correclty
>> mounted
>> >> > as i
>> >> > can do: ssh root at container "ls -la /dev/pts"
>> >> > Only assigning the pts device for the shell doesn't...
>> >> >
>> >> >
>> >> > Have any of you also hit this problem? Did you find a solution?
>> >> >
>> >> >
>> >> > Regards,
>> >> > Olivier
>> >> >
>> >> >
>> >> > Ps: Using lxc 0.7.5
>> >> >
>> >> >
>> >> >
>> ------------------------------------------------------------------------------
>> >> > Keep Your Developer Skills Current with LearnDevNow!
>> >> > The most comprehensive online learning library for Microsoft
>> developers
>> >> > is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3,
>> MVC3,
>> >> > Metro Style Apps, more. Free future releases when you subscribe now!
>> >> > http://p.sf.net/sfu/learndevnow-d2d
>> >> > _______________________________________________ Lxc-users mailing
>> list
>> >> > Lxc-users at lists.sourceforge.net
>> >> > https://lists.sourceforge.net/lists/listinfo/lxc-users
>> >> >
>> >> >
>> >> >
>> >> >
>> ------------------------------------------------------------------------------
>> >> > Keep Your Developer Skills Current with LearnDevNow!
>> >> > The most comprehensive online learning library for Microsoft
>> developers
>> >> > is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3,
>> MVC3,
>> >> > Metro Style Apps, more. Free future releases when you subscribe now!
>> >> > http://p.sf.net/sfu/learndevnow-d2d
>> >> > _______________________________________________
>> >> > Lxc-users mailing list
>> >> > Lxc-users at lists.sourceforge.net
>> >> > https://lists.sourceforge.net/lists/listinfo/lxc-users
>> >> >
>> >>
>> >> see my patch regarding f16 and my lxc-start-fedora script should give
>> >> you an idea
>> >>
>> >> --
>> >> BR
>> >> RH
>> >> http://informatiq.org
>> >
>> >
>> > Hi,
>> >
>> > Thanks for your reply, i actually looked at your patch, but i don't
>> think
>> > it's relevant to my problem as i don't start any getty in the container
>> at
>> > all. Now i may be missing something, if so please enlighten me.
>> >
>> >
>> > Regards,
>> > Olivier
>>
>> in f16 systemd mounts /ev to devtmpfs no matter what you specify in your
>> fstab
>> the only case where it won't do that is when you have /dev already
>> mounted on a separate block device (that's what my script does to
>> avoid mounting /dev by systemd)
>> if systemd mounts /dev then it has access to your host's devices
>> and is sharing the ttys
>> so for example if running lxc-start -n f16 it will not get you shell
>> or any output from the container because the container is trying to
>> access tty0 which is already in use by the host
>> if you use the -d option then you don't get any access inside the
>> container because lxc-console won't work
>> again because getty will not start on tty1 or any other tty
>> i am not sure if you can start the container or no
>> could be sefull if you post full log of your lxc-start
>>
>>
>>
>> --
>> BR
>> RH
>> http://informatiq.org
>>
>
> Ok i get it now. This is what you do here:
>
> mount none /tmp/lxc/$name -t tmpfs
> rsync -a /var/lib/lxc/$name/rootfs/dev/ /tmp/lxc/$name
> mount /tmp/lxc/$name f16/rootfs/dev/ -obind
> lxc-start $* -n $name
>
> Thing is i don't think i would change anything for my case as it's upstart
> used and it actually works like a charm on a non enforced selinux system or
> on a smack isolated container...
> I really feel like selinux is at fault here but can't find why ...
>
>
> BTW shouldn't hurt to try that even if that means to modify my selinux
> policy.
>
>
> Olivier
>
Ok apparently i had the host devpts mounted with newinstances - meh didn't
remember setting that ... - and it may definitely be the culprit as
removing it and rebooting did actually solve the problem!
Now my container is isolated by selinux without sharing the devpts.
[root at curse ~]# ll -Z
/dev/pts/
crw--w----. root tty unconfined_u:object_r:curse_file_t:s0
0
crw-rw-rw-. root root unconfined_u:object_r:initrc_devpts_t:s0 ptmx
Sounds good to me sorry for the bother :)
Olivier
Ps: Now i can take some time to share my selinux policy.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20120306/e0ede08b/attachment.html>
More information about the lxc-users
mailing list