[lxc-users] Unprivileged containers do not auto-start
Serge Hallyn
serge.hallyn at ubuntu.com
Fri May 9 13:16:28 UTC 2014
Quoting Robert Pendell (shinji at elite-systems.org):
> On Thu, May 8, 2014 at 11:35 PM, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> > Quoting Robert Pendell (shinji at elite-systems.org):
> >> On Thu, May 8, 2014 at 12:48 PM, Robert Pendell
> >> <shinji at elite-systems.org> wrote:
> >> > On Tue, May 6, 2014 at 6:16 PM, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> >> >> Quoting Robert Pendell (shinji at elite-systems.org):
> >> >>> On Tue, May 6, 2014 at 5:01 PM, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> >> >>> > Quoting Robert Pendell (shinji at elite-systems.org):
> >> >>> >> OS: Ubuntu 14.04 LTS x86_64
> >> >>> >> Kernel: Host-Supplied 3.14.1
> >> >>> >> Provider: Linode
> >> >>> >> Host Virtualization: Xen Paravirtualized
> >> >>> >> LXC Version: 1.0.3-0ubuntu3
> >> >>> >>
> >> >>> >> On a fresh boot unprivileged containers are not starting automatically
> >> >>> >> even though they have lxc.start.auto enabled. lxc-ls as the user
> >> >>> >> confirms autostart is enabled as well.
> >> >>> >>
> >> >>> >> Is this a bug or intended or am I just missing something really
> >> >>> >> obvious in my configuration?
> >> >>> >
> >> >>> > By default only containers in /var/lib/lxc are autostarted. You
> >> >>> > could edit /etc/lxc/lxc.conf to change that. If you're ok with
> >> >>> > them only starting on login you might also be able to use a user
> >> >>> > upstart session job, but I suspect tying the containers so closely
> >> >>> > to your login session won't be what you want.
> >> >>> >
> >> >>>
> >> >>> That would be an accurate assumption. At this point if I need to I
> >> >>> can login and start the container manually. I checked lxc.conf and
> >> >>> I'm not sure how to set it up the way you suggest. This system may
> >> >>> end up being home to multiple containers that are mixed between
> >> >>> locations.
> >> >>>
> >> >>> P.S. - I noticed that lxc-autostart doesn't list unprivileged containers?
> >> >>
> >> >> It doesn't list containers under your home dir. However, if you create
> >> >> a root-owned unprivileged container, lxc-autostart will list
> >> >> it:
> >> >>
> >> >> cat > lxc.conf << EOF
> >> >> lxc.network.type = veth
> >> >> lxc.network.link = lxcbr0
> >> >> lxc.id_map = u 0 100000 100000
> >> >> lxc.id_map = g 0 100000 100000
> >> >> lxc.aa_profile = lxc-container-default-with-nesting
> >> >> lxc.start.auto = 1
> >> >> lxc.mount.auto = cgroup
> >> >> EOF
> >> >> sudo lxc-create -t download -n listme1 -f lxc.conf
> >> >>
> >> >> After this,
> >> >> sudo lxc-autostart -L
> >> >> should show
> >> >> listme1 0
> >> >>
> >> >
> >> >
> >> > Ok. So I got a chance to give this a shot but unfortunately I'm being
> >> > denied the ability to actually change uid. Should I need to add root
> >> > to /etc/subuid and /etc/subgid in order to accomplish this? I left
> >> > the AA profile define out because it won't apply in my case since
> >> > apparmor is disabled at kernel level.
> >> >
> >> > Error:
> >> > newuidmap: uid range [0-65536) -> [100000-165536) not allowed
> >> > error mapping child
> >> > setgid: Invalid argument
> >> > lxc_container: container creation template for gateone failed
> >> > lxc_container: Error creating container gateone
> >> >
> >> > I tried to add it manually after the fact and it refuses to boot
> >> > giving the same error as what I got before. Finally I went back and
> >> > added root to subuid and subgid and it seemed to work fine at that point,
> >> > however it still won't start. Here is the result of an info check.
> >> > Just so you know I gave root 65536 ids starting at 800000 for the
> >> > unprivileged containers. For some reason though it fails at a
> >> > permission denied error for /var/lib/lxc. It is obviously just a
> >> > permission error but I don't know if it would be safe to add x for
> >> > others.
> >> >
> >>
> >> Right after posting I thought I'd give it a shot, so I added 'x' to the
> >> others so that it shows as rwx for root and just x for others and that
> >
> > fwiw the reason you had to do that is that /var/lib/lxc could have
> > vulnerable setuid-root binaries from a non-updated container, so
> > /var/lib/lxc is now not accessible by default by non-root users. It
> > may be worth adding a lxc group and making /var/lib/lxc g+w. Then the
> > upstart jobs could run as user jdoe and group lxc and still access
> > the container rootfs as they should.
> >
>
> I just realized one other side effect of this. With o+x being present
> I can traverse the entire tree down as non-root if I know the running
> folder of the lxc container. Without it I can't get into any folder
> at all.
>
> Any idea on how one might accomplish what you suggest?
Currently the permissions are set in debian/rules in the
override_dh_builddeb rule.
I suspect we'd have to add the lxc group in preinst, then chgrp
/var/lib/lxc in postinst (only on new installations).
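The id-map failure earlier in the thread (newuidmap refusing a range that /etc/subuid does not grant to root) can be caught before lxc-create or lxc-start is run by comparing the lxc.id_map lines of a config against the subuid/subgid grants. This is an added example, not code from the thread or from LXC; range_allowed and check_idmap are hypothetical helper names, and the sample config and subid files are constructed inline rather than read from /etc.

```shell
#!/bin/sh
# Added example, not code from the thread: check that every lxc.id_map entry
# in a container config lies inside a range that /etc/subuid (for "u") or
# /etc/subgid (for "g") grants to the container's owner, which is the check
# newuidmap/newgidmap apply before failing with "uid range ... not allowed".

# range_allowed USER START COUNT FILE: succeed if [START, START+COUNT) lies
# inside one range that FILE grants to USER (lines are "user:start:count").
range_allowed() {
    ra_user=$1 ra_start=$2 ra_count=$3 ra_file=$4
    ra_end=$((ra_start + ra_count))
    while IFS=: read -r name rstart rcount; do
        [ "$name" = "$ra_user" ] || continue
        [ "$ra_start" -ge "$rstart" ] && [ "$ra_end" -le $((rstart + rcount)) ] && return 0
    done < "$ra_file"
    return 1
}

# check_idmap USER CONF SUBUID SUBGID: report each lxc.id_map entry; the
# exit status is 0 only when every entry is allowed.
check_idmap() {
    ci_user=$1 ci_conf=$2 ci_subuid=$3 ci_subgid=$4
    # keep only "u 0 100000 65536" from "lxc.id_map = u 0 100000 65536"
    sed -n 's/^[[:space:]]*lxc\.id_map[[:space:]]*=[[:space:]]*//p' "$ci_conf" |
    while read -r kind nsid hostid count; do
        case $kind in
            u) file=$ci_subuid ;;
            g) file=$ci_subgid ;;
            *) echo "unknown id_map type '$kind'"; exit 1 ;;
        esac
        if range_allowed "$ci_user" "$hostid" "$count" "$file"; then
            echo "ok: $kind $nsid -> $hostid, count $count"
        else
            echo "not allowed: $kind $hostid count $count (needs $ci_user:$hostid:$count in $file)"
            exit 1   # exits the pipeline's subshell, so the function returns 1
        fi
    done
}

# Constructed sample inputs written to temporary files, not the real /etc files.
tmp=$(mktemp -d)
printf 'lxc.id_map = u 0 100000 65536\nlxc.id_map = g 0 100000 65536\nlxc.start.auto = 1\n' > "$tmp/lxc.conf"
printf 'root:100000:65536\njdoe:200000:65536\n' > "$tmp/subid.with_root"
printf 'jdoe:200000:65536\n' > "$tmp/subid.no_root"

check_idmap root "$tmp/lxc.conf" "$tmp/subid.with_root" "$tmp/subid.with_root"
check_idmap root "$tmp/lxc.conf" "$tmp/subid.no_root" "$tmp/subid.no_root" || echo "root has no subid range: the failure seen in the thread"
```

Run it as the user who will own the container (root for containers under /var/lib/lxc), pointing the last two arguments at the real /etc/subuid and /etc/subgid.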