[Lxc-users] connecting lxc-console is impossible after deny cgroup by default activated

Thierry mysolo at cynetek.com
Tue Nov 6 18:18:47 UTC 2012


On 05/11/2012 23:36, Serge Hallyn wrote:
> Quoting Thierry (mysolo at cynetek.com):
>> On 05/11/2012 22:25, Serge Hallyn wrote:
>>> Quoting Thierry (mysolo at cynetek.com):
>>>>       lxc-start 1352149909.205 DEBUG    lxc_conf - trying to mount '/dev/vg1/debian-dev'->'/usr/lib/lxc/rootfs' with fstype '# /etc/filesystems'
>>>>       lxc-start 1352149909.205 DEBUG    lxc_conf - mount failed with error: No such device
>>> (And a bunch more)  Does /dev/vg1/debian-dev exist on the host?
>>>
>>> -serge
>>>
>> yes. This device /dev/vg1/debian-dev is idem for config working and
>> config not working.
> Heh, sorry, I see :)  Bogus fstype.  I'm shuttling between too many things.
>
> Anyway I'm guessing the answer is in the kernel-hardened patches.  Can you
> find anything in the audit logs?

Hello,

I'm testing with the gentoo-sources kernel (not patched with grsecurity)
and lxc-console is not working.

tigra linux # zcat /proc/config.gz |grep -i 3.6.2
# Linux/x86_64 3.6.2-gentoo Kernel Configuration

tigra ~ # lxc-console -n debian-dev

Type <Ctrl+a q> to exit the console

No prompt for login.

>
> When you log in over ssh (when using devices.deny = a), what does
> 'ls -l /dev/tty?
root at debian-dev:~# ls -l /dev/tty*
crw-rw-rw- 1 root root 5, 0 Nov  1 16:41 /dev/tty
crw-rw-rw- 1 root root 4, 0 Nov  6 17:47 /dev/tty0
crw--w---- 1 root tty  3, 1 Nov  6 15:28 /dev/tty1
crw--w---- 1 root tty  3, 2 Nov  6 15:28 /dev/tty2
crw--w---- 1 root tty  3, 3 Nov  6 15:28 /dev/tty3
crw--w---- 1 root tty  3, 4 Nov  6 15:28 /dev/tty4

>  /dev/console' show? 

root at debian-dev:~# ls -l /dev/console
crw------- 1 root tty 3, 5 Nov  6 15:28 /dev/console


>  What if you stop the getty on
> /dev/tty1 and (as root) try to read/write to it?
>
> -serge
>

getty is not running on /dev/tty1 if cgroup.deny is activated.

simply read:

root at debian-dev:~# cat /dev/tty1
cat: /dev/tty1: Operation not permitted

simply write:

root at debian-dev:~# echo toto > /dev/tty1
-bash: /dev/tty1: Operation not permitted


and testing by allowing all devices after start, on the host:

tigra ~ # echo "a *:* rwm" > /sys/fs/cgroup/devices/lxc/debian-dev/devices.allow

and on guest:

root at debian-dev:~# ps -ef
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 17:45 ?        00:00:00 init [3] 
root       214     1  0 17:45 ?        00:00:00 /usr/sbin/sshd
root       261   214  0 17:46 ?        00:00:00 sshd: root at pts/0
root       263   261  0 17:46 pts/0    00:00:00 -bash
root       507   263  0 18:16 pts/0    00:00:00 ps -ef
root at debian-dev:~# telinit q
root at debian-dev:~# ps -ef
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 17:45 ?        00:00:00 init [3] 
root       214     1  0 17:45 ?        00:00:00 /usr/sbin/sshd
root       261   214  0 17:46 ?        00:00:00 sshd: root at pts/0
root       263   261  0 17:46 pts/0    00:00:00 -bash
root       509     1  0 18:16 ?        00:00:00 /sbin/getty 38400 console
root       510     1  0 18:16 tty1     00:00:00 /sbin/getty 38400 tty1 linux
root       511     1  0 18:16 tty2     00:00:00 /sbin/getty 38400 tty2 linux
root       512     1  0 18:16 tty3     00:00:00 /sbin/getty 38400 tty3 linux
root       513     1  0 18:16 tty4     00:00:00 /sbin/getty 38400 tty4 linux
root       514   263  0 18:16 pts/0    00:00:00 ps -ef

simple write on guest:

root at debian-dev:~# echo toto > /dev/tty1

it's ok.

I don't understand this problem. Is the kernel or cgroup bugged ???!!!!!
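The whitelist that `devices.deny = a` and the `devices.allow` write above toggle can be reasoned about offline. Added example (not code from this thread or from lxc): a POSIX sh reimplementation of the devices cgroup matching rule, run over a constructed devices.list and the `ls -l` lines from the guest, so the specific entries a console needs can be identified instead of granting `a *:* rwm`, which drops the container's device isolation entirely.

```shell
# Constructed sample of a cgroup v1 devices.list (not taken from the thread):
# what remains after "devices.deny = a" plus a typical set of devices.allow lines.
SAMPLE_RULES='c 1:3 rwm
c 1:5 rwm
c 5:0 rwm
c 5:1 rwm
c 136:* rwm'
# device_allowed TYPE MAJOR MINOR ACCESS RULES
# Exit 0 when some rule in RULES matches the device (type c/b, or a for any;
# major and minor with * wildcards) and covers every requested access letter
# (subset of r, w, m); exit 1 otherwise. Same semantics as the kernel whitelist.
device_allowed() {
    type=$1 major=$2 minor=$3 want=$4
    while read -r rtype rdev racc; do
        [ -n "$rtype" ] || continue
        rmaj=${rdev%%:*} rmin=${rdev#*:}
        [ "$rtype" = a ] || [ "$rtype" = "$type" ] || continue
        [ "$rmaj" = '*' ] || [ "$rmaj" = "$major" ] || continue
        [ "$rmin" = '*' ] || [ "$rmin" = "$minor" ] || continue
        covered=1
        for ch in r w m; do
            case $want in *$ch*)
                case $racc in *$ch*) ;; *) covered=0 ;; esac ;;
            esac
        done
        [ "$covered" = 1 ] && return 0
    done <<EOF
$5
EOF
    return 1
}
# check_ls_line "ls -l line" ACCESS RULES
# Parses one "ls -l /dev/..." line like those in the thread (mode, links,
# owner, group, "MAJOR,", MINOR, ...) and prints allowed or denied.
check_ls_line() {
    want=$2 rules=$3
    set -- $1                      # word-split the ls -l columns
    type=${1%"${1#?}"}             # first char of the mode column: c or b
    major=${5%,}                   # "3," -> 3
    minor=$6
    if device_allowed "$type" "$major" "$minor" "$want" "$rules"; then
        echo allowed
    else
        echo denied
    fi
}
# The guest's /dev/tty1 (3:1) is denied and /dev/tty (5:0) allowed by SAMPLE_RULES.
check_ls_line 'crw--w---- 1 root tty  3, 1 Nov  6 15:28 /dev/tty1' w "$SAMPLE_RULES"
check_ls_line 'crw-rw-rw- 1 root root 5, 0 Nov  1 16:41 /dev/tty' w "$SAMPLE_RULES"
```

Feeding the real file with `check_ls_line "$(ls -l /dev/tty1)" w "$(cat /sys/fs/cgroup/devices/lxc/NAME/devices.list)"` on the host gives the same answer the guest sees as "Operation not permitted".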
