[Lxc-users] Permissions on devpts in container

John lxc at jelmail.com
Wed Sep 25 08:25:23 UTC 2013


On 23/09/13 17:07, Serge Hallyn wrote:
> Quoting John (lxc at jelmail.com):
>> Hello list,
>>
>> I have noticed a difference in behaviour on a new host that I have just
>> installed which uses LXC 0.9.0. The differences are noted when compared
>> with another host that has LXC 0.9.0-alpha3 on it.
>>
>> Inside a container under LXC 0.9.0, the devpts mounts are like this:
>> devpts on /dev/console type devpts (rw,relatime,gid=5,mode=620,ptmxmode=000)
>> devpts on /dev/tty1 type devpts (rw,relatime,gid=5,mode=620,ptmxmode=000)
>> devpts on /dev/pts type devpts (rw,relatime,mode=600,ptmxmode=666)
>>
>> Previously, under LXC 0.9.0-alpha3, they were like this:
>> devpts on /dev/console type devpts (rw,relatime,mode=600,ptmxmode=000)
>> devpts on /dev/tty1 type devpts (rw,relatime,mode=600,ptmxmode=000)
>> devpts on /dev/pts type devpts (rw,relatime,mode=600,ptmxmode=666)
>>
>> The upshot of this is that regular users can't create pty unless they
>> are in the "tty" group (gid 5).
>> This means the simple task of opening a terminal window will fail for
>> such users.
>>
>> Is this because of a change made some time between 0.9.0-alpha3 and
>> 0.9.0? I have trawled the git commit messages but couldn't see
>> anything. Google did throw the following for me:
>> https://bugzilla.redhat.com/show_bug.cgi?id=554203
>> http://www.redhat.com/archives/libvir-list/2011-February/msg00975.html
>> Those mention the permission change I've experienced but discuss LXC
>> with LibVirt. I am not using LibVirt.
>>
>> My LXC config is the same in both examples, and I am not doing anything
>> differently between the two. They are both running ArchLinux and have
>> kernel versions as follows
>> System 1: LXC 0.9.0-alpha3 Linux 3.7.10-1-ARCH
>> System 2: LXC 0.9.0 Linux 3.11.1-1-ARCH
>>
>> Is the rule now that users have to be in group 'tty' in a container or
>> am I missing something else?
> I suspect the difference is actually in arch's init.  But I'm
> not sure.  The only gid= option I see is specified in the alpine
> template.
>
> How exactly are you creating, starting, and accessing the containers?
>
Having further investigated this, I agree it's a problem that lies
outside LXC. I know this because I have reproduced the same problem on a
test rig host (outside any containers). Thanks for replying to my
question, Serge.



