[lxc-users] cgroup settings not honored

Patrick Brauer mercora at lileth.net
Sun Oct 19 02:48:20 UTC 2014


Hello lxc-users,

I have been using the lxc tools for quite a while now and, although not
perfect, they are a good fit for my requirements. Yesterday I noticed
something strange: starting an archlinux container would end up setting my
keymap outside of it. A short search revealed it is known [1], and the fix
mentioned there isn't any fix at all in my opinion...

I found out the issue is with systemd, but wondered how it was even able
to do this in the first place... After all, I'm trying to have somewhat
isolated systems here; it should not be able to make this change at all...
Looking at the configuration created by the archlinux template, I noticed
even more questionable things... It set up cgroup rules to allow rwm to the
tty, tty1, console, ptmx and pts/[0-9]+ character devices,
and I thought I had found the reason for it being able to change my keymap,
removed these rules from the config and started the container fine...

However, it did change my keymap again; apart from that, it activated
the "alarm bell" on my mainboard, which I actually deactivate using
"rmmod pcspkr" every time I boot up this system (sys_module is dropped).
Looking further, I saw it mounts the proc and sys file systems rw inside
the container; changing it to ro for sysfs brought no further success
in attempts to change my locale outside the container...

But this alone is not what brought me here. Before I was puzzled by
the behaviour described above, I was about to try running a second
X server inside the container, giving it its own tty so I could switch
to it like I would "locally". I figured out dear Mr Lennart Poettering
would again make things harder for me and I needed the console
session to be a real tty instead of the pty that lxc.autodev=1 would
set up for me. Maybe this isn't even the case, however.

I tried to remove the autodev line and thought that should be fine,
because there is no way the container would have access to devices
which I did not grant it, but it brought me to the reason I write this up.
I (and systemd) could create any device node I would like to, and not only
that, inside the container I would have full rw permissions to them.
This is the case with or without autodev turned on, but really much more
visible without it being active, as it caused some "funny" things then...

TL;DR

The Archlinux container pids aren't added to the tasks list of the
created cgroups; although the rules are there, the tasks are not, thus
no rule is ever applied to this container... I might be doing something
wrong... but I think even if this is the case, I did not do much whatsoever,
and whatever it is that I missed doing here should be more visible then...

I also tried using cgmanager, but it made things worse. There is no systemd
unit file for it on archlinux, so I started it in a terminal with verbose output.
lxc-start recognized it but stops working with these messages:

lxc-start: cgroup error?  100 cgroups with this name already running
lxc-start: failed creating cgroups
lxc-start: failed to spawn 'testo'
lxc-start: The container failed to start.

And indeed it created 100 directories in the moved cgroup filesystem
without any cleanup afterwards... Also, after I interrupted cgmanager, it
left everything at /var/run/cgmanager/, which might confuse software...

So hopefully I made a remarkable mistake somewhere in the middle that
caused all this; otherwise this seems to be a quite critical security issue
and should be fixed soon for all the people that rely on cgroups...



[1] https://wiki.archlinux.org/index.php/Linux_Containers#Starting_container_changes_keymap_of_host_computer
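The check implied by the TL;DR above, as an added example that is not part of the original post or of lxc itself: a small POSIX sh script that verifies, for one container, whether its init pid actually appears in the tasks file of the devices cgroup lxc created for it, and whether that cgroup's devices.list is still the wide-open "a *:* rwm" of the root group. Device rules in a container config mean nothing unless both hold. It assumes a cgroup v1 hierarchy with the devices controller mounted at /sys/fs/cgroup/devices and per-container groups under lxc/<name> (the layout lxc 1.x used in 2014); the paths, the container names "good"/"bad" and the pid 4242 are constructed fixture data, and every function takes file paths so the same checks can be pointed at the real tree.

```shell
#!/bin/sh
# Added example, not from the original post. Checks whether a container's init
# pid really sits in the devices cgroup that lxc created for it, which is the
# condition the report above says was not met. Assumptions (mine): a cgroup v1
# hierarchy with the devices controller at /sys/fs/cgroup/devices and per
# container groups under lxc/<name>, as lxc 1.x used in 2014. Every function
# takes paths, so the same checks run against a constructed fixture below.

# pid_in_tasks TASKS_FILE PID: 0 if PID appears as a whole line, 1 if not,
# 2 if the file cannot be read.
pid_in_tasks() {
    [ -r "$1" ] || return 2
    grep -qx "$2" "$1"
}

# devices_wide_open DEVICES_LIST: 0 if the group grants everything ("a *:* rwm").
# The root cgroup shows this line; a confined container's group must not.
devices_wide_open() {
    grep -qx 'a \*:\* rwm' "$1"
}

# devices_cgroup_of PID [FILE]: print the devices-controller cgroup path recorded
# for PID in /proc/PID/cgroup (lines look like "4:devices:/lxc/testo").
devices_cgroup_of() {
    awk -F: '("," $2 ",") ~ /,devices,/ { print $3; exit }' "${2:-/proc/$1/cgroup}"
}

# check_container NAME PID [CGROOT]: 0 = confined, 1 = not confined, 2 = no group.
check_container() {
    name=$1; pid=$2; dir=${3:-/sys/fs/cgroup}/devices/lxc/$name
    [ -d "$dir" ] || { echo "no devices cgroup for $name at $dir"; return 2; }
    if ! pid_in_tasks "$dir/tasks" "$pid"; then
        echo "pid $pid is NOT in $dir/tasks: the device rules never apply to it"
        return 1
    fi
    if devices_wide_open "$dir/devices.list"; then
        echo "$dir/devices.list allows everything (a *:* rwm)"
        return 1
    fi
    echo "pid $pid is confined by $dir/devices.list"
}

# make_fixture DIR: constructed cgroup tree (made up for this example). "good"
# had its pid added to tasks with a restrictive allow list; "bad" never did
# and still carries the root group's catch-all rule.
make_fixture() {
    good=$1/devices/lxc/good; bad=$1/devices/lxc/bad
    mkdir -p "$good" "$bad"
    echo 4242 > "$good/tasks"
    printf 'c 1:3 rwm\nc 5:1 rwm\nc 136:* rwm\n' > "$good/devices.list"
    : > "$bad/tasks"
    echo 'a *:* rwm' > "$bad/devices.list"
}

FIXTURE=$(mktemp -d)
make_fixture "$FIXTURE"
check_container good 4242 "$FIXTURE"
check_container bad  4242 "$FIXTURE" || echo "(exit status $?)"
# A constructed /proc/<pid>/cgroup, to show how the recorded path is read out.
printf '4:devices:/lxc/testo\n3:cpu,cpuacct:/lxc/testo\n' > "$FIXTURE/proc-cgroup"
echo "devices cgroup recorded for the pid: $(devices_cgroup_of 4242 "$FIXTURE/proc-cgroup")"
rm -rf "$FIXTURE"
# On a real host: check_container testo "$(lxc-info -n testo -p -H)"
```

On a live system the pid comes from lxc-info -p -H, and the recorded path from devices_cgroup_of should match /lxc/<name>; if the pid is missing from tasks, the allow lines in the template config (tty, console, ptmx, pts/*) are never consulted, which is exactly the symptom the post describes.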

