[lxc-users] Hardware log entries spread on containers
Serge Hallyn
serge.hallyn at ubuntu.com
Mon Jan 5 17:13:06 UTC 2015
Quoting Sébastien NOBILI (sebnewsletter at free.fr):
> Hi,
>
> I'm not registered to the mailing list, so please keep me in CC.
>
> I've installed LXC on my Debian (stable, Wheezy) server (named "serveur").
>
> I've got some containers (named "smtp", "xmpp" and "web") on this server.
>
> Each container's rsyslog is configured to send logs to main server.
>
> When I plug an USB HDD on the main server, I get the following trace:
>
> Dec 11 18:36:56 serveur kernel: [135361.732032] usb 1-8: new high-speed USB device number 3 using ehci_hcd
> Dec 11 18:36:56 xmpp kernel: [135361.865004] usb 1-8: New USB device found, idVendor=152d, idProduct=2338
> Dec 11 18:36:56 xmpp kernel: [135361.865012] usb 1-8: New USB device strings: Mfr=1, Product=2, SerialNumber=5
> Dec 11 18:36:56 xmpp kernel: [135361.865020] usb 1-8: Manufacturer: JMicron
> Dec 11 18:36:56 xmpp kernel: [135361.865023] usb 1-8: SerialNumber: 7D2500BE6E50
> Dec 11 18:36:56 xmpp kernel: [135361.866020] scsi3 : usb-storage 1-8:1.0
> Dec 11 18:36:57 serveur kernel: [135362.884494] sd 3:0:0:0: [sdc] No Caching mode page found
> Dec 11 18:36:57 smtp kernel: [135362.881252] sd 3:0:0:0: [sdc] No Caching mode page found
> Dec 11 18:36:57 serveur kernel: [135362.937146] sdc: sdc1 sdc2
> Dec 11 18:36:57 serveur kernel: [135362.941606] sd 3:0:0:0: [sdc] No Caching mode page found
> Dec 11 18:36:57 serveur kernel: [135362.941728] sd 3:0:0:0: [sdc] Attached SCSI disk
> Dec 11 18:36:58 xmpp kernel: [135363.124089] usb 1-8: reset high-speed USB device number 3 using ehci_hcd
> Dec 11 19:00:24 smtp kernel: [136769.064234] usb 1-8: USB disconnect, device number 3
>
> Some events get caught by containers…
>
> When the HDD is plugged, containers can't access it (no device node under /dev
> and no way to create it using mknod), which is normal.
>
> Why do containers "see" the device being plugged?
Because the udev messages are being sent to all namespaces. In the
future we may end up only sending those to the host namespace, with a
userspace daemon on the host forwarding appropriate messages into
containers (policy-driven). That's not there yet.
> Is there any security issue with this behavior (I don't want any container to be
> able to mount this - or any - drive)?
Depends on your setup, but presumably the containers should be prevented
from creating the device node as well as mounting that drive by the devices
cgroup.
-serge
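The reply above explains why one USB hotplug shows up under several hostnames in the central syslog: the kernel messages are broadcast to every namespace, so each container's rsyslog forwards its own copy under its own hostname. As an added example (not part of the thread), here is a Python filter that reattributes "kernel:" lines carrying a container hostname back to the physical host and counts how many each container emitted; it assumes the hostnames from the thread (serveur, smtp, xmpp, web) and uses a constructed log sample based on the quoted trace.

```python
import re
from collections import Counter

# Syslog line as produced by the rsyslog setup in the thread:
#   "Mon DD HH:MM:SS host tag: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:]+): (?P<msg>.*)$"
)
# Kernel messages carry the host's uptime in brackets: "[135361.732032] ..."
KMSG_RE = re.compile(r"^\[\s*(?P<uptime>\d+\.\d+)\] (?P<text>.*)$")

PHYSICAL_HOST = "serveur"               # hostname used in the thread
CONTAINERS = {"smtp", "xmpp", "web"}    # container names used in the thread

# Constructed sample: a subset of the trace quoted in the thread plus one
# ordinary (non-kernel) container line that must be left untouched.
SAMPLE_LOG = """\
Dec 11 18:36:56 serveur kernel: [135361.732032] usb 1-8: new high-speed USB device number 3 using ehci_hcd
Dec 11 18:36:56 xmpp kernel: [135361.865004] usb 1-8: New USB device found, idVendor=152d, idProduct=2338
Dec 11 18:36:57 serveur kernel: [135362.884494] sd 3:0:0:0: [sdc] No Caching mode page found
Dec 11 18:36:57 smtp kernel: [135362.881252] sd 3:0:0:0: [sdc] No Caching mode page found
Dec 11 18:36:57 serveur kernel: [135362.941728] sd 3:0:0:0: [sdc] Attached SCSI disk
Dec 11 18:36:57 smtp postfix/smtpd[123]: connect from localhost[127.0.0.1]
Dec 11 19:00:24 smtp kernel: [136769.064234] usb 1-8: USB disconnect, device number 3
"""


def parse(line):
    """Split one syslog line into its fields; kernel lines also get the uptime."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    km = KMSG_RE.match(rec["msg"]) if rec["tag"] == "kernel" else None
    rec["uptime"] = float(km["uptime"]) if km else None
    rec["text"] = km["text"] if km else rec["msg"]
    return rec


def reattribute(log_text):
    """Return (normalised lines, kernel-line count per container).

    A kernel event seen through a container's syslog still happened on the
    physical host, so its hostname is rewritten; the bracketed uptime is kept
    so the lines can still be ordered.  Non-kernel lines are left as they are.
    """
    per_container = Counter()
    out = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec["tag"] == "kernel" and rec["host"] in CONTAINERS:
            per_container[rec["host"]] += 1
            line = line.replace(f" {rec['host']} kernel: ",
                                f" {PHYSICAL_HOST} kernel: ", 1)
        out.append(line)
    return out, per_container
```

A non-zero count for a container is the expected signal that it is receiving host kernel events, not evidence that it can reach the device; whether it can is governed by the devices cgroup, as the reply says.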