[lxc-users] Unprivileged containers do not auto-start
Robert Pendell
shinji at elite-systems.org
Fri May 9 04:30:58 UTC 2014
On Thu, May 8, 2014 at 11:35 PM, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> Quoting Robert Pendell (shinji at elite-systems.org):
>> On Thu, May 8, 2014 at 12:48 PM, Robert Pendell
>> <shinji at elite-systems.org> wrote:
>> > On Tue, May 6, 2014 at 6:16 PM, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
>> >> Quoting Robert Pendell (shinji at elite-systems.org):
>> >>> On Tue, May 6, 2014 at 5:01 PM, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
>> >>> > Quoting Robert Pendell (shinji at elite-systems.org):
>> >>> >> OS: Ubuntu 14.04 LTS x86_64
>> >>> >> Kernel: Host-Supplied 3.14.1
>> >>> >> Provider: Linode
>> >>> >> Host Virtualization: Xen Paravirtualized
>> >>> >> LXC Version: 1.0.3-0ubuntu3
>> >>> >>
>> >>> >> On a fresh boot unprivileged containers are not starting automatically
>> >>> >> even though they have lxc.start.auto enabled. lxc-ls as the user
>> >>> >> confirms autostart is enabled as well.
>> >>> >>
>> >>> >> Is this a bug or intended or am I just missing something really
>> >>> >> obvious in my configuration?
>> >>> >
>> >>> > By default only containers in /var/lib/lxc are autostarted. You
>> >>> > could edit /etc/lxc/lxc.conf to change that. If you're ok with
>> >>> > them only starting on login you might also be able to use a user
>> >>> > upstart session job, but I suspect tying the containers so closely
>> >>> > to your login session won't be what you want.
>> >>> >
>> >>>
>> >>> That would be an accurate assumption. At this point if I need to I
>> >>> can login and start the container manually. I checked lxc.conf and
>> >>> I'm not sure how to set it up the way you suggest. This system may
>> >>> end up being home to multiple containers that are mixed between
>> >>> locations.
>> >>>
>> >>> P.S. - I noticed that lxc-autostart doesn't list unprivileged containers?
>> >>
>> >> It doesn't list containers under your home dir. However if you create
>> >> a root-owned unprivileged container, lxc-autostart will list
>> >> it:
>> >>
>> >> cat > lxc.conf << EOF
>> >> lxc.network.type = veth
>> >> lxc.network.link = lxcbr0
>> >> lxc.id_map = u 0 100000 100000
>> >> lxc.id_map = g 0 100000 100000
>> >> lxc.aa_profile = lxc-container-default-with-nesting
>> >> lxc.start.auto = 1
>> >> lxc.mount.auto = cgroup
>> >> EOF
>> >> sudo lxc-create -t download -n listme1 -f lxc.conf
>> >>
>> >> After this,
>> >> sudo lxc-autostart -L
>> >> should show
>> >> listme1 0
>> >>
>> >
>> >
>> > Ok. So I got a chance to give this a shot but unfortunately I'm being
>> > denied the ability to actually change uid. Should I need to add root
>> > to /etc/subuid and /etc/subgid in order to accomplish this? I left
>> > the AA profile define out because it won't apply in my case since
>> > apparmor is disabled at kernel level.
>> >
>> > Error:
>> > newuidmap: uid range [0-65536) -> [100000-165536) not allowed
>> > error mapping child
>> > setgid: Invalid argument
>> > lxc_container: container creation template for gateone failed
>> > lxc_container: Error creating container gateone
>> >
>> > I tried to add it manually after the fact and it refuses to boot
>> > giving the same error as what I got before. Finally I went back and
>> > added root to subuid and subgid and it seemed to work fine at that point
>> > however it still won't start. Here is the result of an info check.
>> > Just so you know I gave root 65536 ids starting at 800000 for the
>> > unprivileged containers. For some reason though it fails at a
>> > permission denied error for /var/lib/lxc. It is obviously just a
>> > permission error but I don't know if it would be safe to add x for
>> > others.
>> >
>>
>> Right after posting I thought I'd give it a shot so I added 'x' to the
>> others so that it shows as rwx for root and just x for others and that
>
> fwiw the reason you had to do that is that /var/lib/lxc could have
> vulnerable setuid-root binaries from a non-updated container, so
> /var/lib/lxc is now not accessible by default by non-root users. It
> may be worth adding a lxc group and making /var/lib/lxc g+w. Then the
> upstart jobs could run as user jdoe and group lxc and still access
> the container rootfs as they should.
>
I just realized one other side effect of this. With o+x being present
I can traverse the entire tree down as non-root if I know the running
folder of the lxc container. Without it I can't get into any folder
at all.
Any idea on how one might accomplish what you suggest?
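An added pre-flight check (not from the thread, and not LXC's own tooling) for the "newuidmap: uid range ... not allowed" error quoted above: it verifies that every lxc.id_map host range in a container config lies inside what /etc/subuid and /etc/subgid grant to the creating user, which is the containment newuidmap/newgidmap enforce. The file paths and the jdoe/root ranges below are constructed sample data, not taken from a real host.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check for the "newuidmap:
# uid range ... not allowed" failure. newuidmap/newgidmap only honour an
# lxc.id_map whose host range lies inside a range granted to the creating
# user in /etc/subuid or /etc/subgid (lines of the form user:start:count).
# Usage: idmap_allowed USER CONFIG SUBUID_FILE SUBGID_FILE   (exit 0 if ok)
idmap_allowed() {
    awk -v user="$1" -v subuid="$3" -v subgid="$4" '
    function load(file, kind,   line, f) {
        while ((getline line < file) > 0) {
            split(line, f, ":")
            if (f[1] == user) {
                n[kind]++
                lo[kind, n[kind]] = f[2] + 0
                hi[kind, n[kind]] = f[2] + f[3]
            }
        }
        close(file)
    }
    BEGIN { load(subuid, "u"); load(subgid, "g"); bad = 0 }
    /^[ \t]*lxc\.id_map[ \t]*=/ {
        # lxc.id_map = <u|g> <container id> <host id> <count>
        sub(/^[^=]*=[ \t]*/, "")
        kind = $1; host = $3 + 0; stop = host + $4
        ok = 0
        for (i = 1; i <= n[kind]; i++)
            if (host >= lo[kind, i] && stop <= hi[kind, i]) ok = 1
        if (!ok) {
            printf "%s range [%d-%d) not granted to %s\n", kind, host, stop, user
            bad = 1
        }
    }
    END { exit bad }' "$2"
}

# Constructed sample files: root is granted 65536 ids from 800000 (as in the
# thread); bad.conf still maps 100000, ok.conf maps the granted range.
SAMPLE=$(mktemp -d)
printf 'jdoe:100000:65536\nroot:800000:65536\n' > "$SAMPLE/subuid"
cp "$SAMPLE/subuid" "$SAMPLE/subgid"
printf 'lxc.id_map = u 0 100000 65536\nlxc.id_map = g 0 100000 65536\n' > "$SAMPLE/bad.conf"
printf 'lxc.id_map = u 0 800000 65536\nlxc.id_map = g 0 800000 65536\n' > "$SAMPLE/ok.conf"

for c in bad ok; do
    if idmap_allowed root "$SAMPLE/$c.conf" "$SAMPLE/subuid" "$SAMPLE/subgid"; then
        echo "$c.conf: every lxc.id_map is within root's subuid/subgid ranges"
    fi
done
```

Run it against the real /etc/subuid, /etc/subgid and the lxc.conf you pass to lxc-create -f before creating the container; a reported range is exactly the one newuidmap would reject.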