[lxc-users] [serge.hallyn at ubuntu.com: Re: Hardware log entries spread on containers]

Serge Hallyn serge.hallyn at ubuntu.com
Mon Jan 5 17:16:57 UTC 2015


(ffs. resending with cc.)

----- Forwarded message from Serge Hallyn <serge.hallyn at ubuntu.com> -----

Date: Mon, 5 Jan 2015 17:13:06 +0000
From: Serge Hallyn <serge.hallyn at ubuntu.com>
To: LXC users mailing-list <lxc-users at lists.linuxcontainers.org>
Subject: Re: [lxc-users] Hardware log entries spread on containers
Reply-To: LXC users mailing-list <lxc-users at lists.linuxcontainers.org>

Quoting Sébastien NOBILI (sebnewsletter at free.fr):
> Hi,
> 
> I'm not registered to the mailing list, so please keep me in CC.
> 
> I've installed LXC on my Debian (stable, Wheezy) server (named "serveur").
> 
> I've got some containers (named "smtp", "xmpp" and "web") on this server.
> 
> Each container's rsyslog is configured to send logs to main server.
> 
> When I plug an USB HDD on the main server, I get the following trace:
> 
>     Dec 11 18:36:56 serveur kernel: [135361.732032] usb 1-8: new high-speed USB device number 3 using ehci_hcd
>     Dec 11 18:36:56 xmpp kernel: [135361.865004] usb 1-8: New USB device found, idVendor=152d, idProduct=2338
>     Dec 11 18:36:56 xmpp kernel: [135361.865012] usb 1-8: New USB device strings: Mfr=1, Product=2, SerialNumber=5
>     Dec 11 18:36:56 xmpp kernel: [135361.865020] usb 1-8: Manufacturer: JMicron
>     Dec 11 18:36:56 xmpp kernel: [135361.865023] usb 1-8: SerialNumber: 7D2500BE6E50
>     Dec 11 18:36:56 xmpp kernel: [135361.866020] scsi3 : usb-storage 1-8:1.0
>     Dec 11 18:36:57 serveur kernel: [135362.884494] sd 3:0:0:0: [sdc] No Caching mode page found
>     Dec 11 18:36:57 smtp kernel: [135362.881252] sd 3:0:0:0: [sdc] No Caching mode page found
>     Dec 11 18:36:57 serveur kernel: [135362.937146]  sdc: sdc1 sdc2
>     Dec 11 18:36:57 serveur kernel: [135362.941606] sd 3:0:0:0: [sdc] No Caching mode page found
>     Dec 11 18:36:57 serveur kernel: [135362.941728] sd 3:0:0:0: [sdc] Attached SCSI disk
>     Dec 11 18:36:58 xmpp kernel: [135363.124089] usb 1-8: reset high-speed USB device number 3 using ehci_hcd
>     Dec 11 19:00:24 smtp kernel: [136769.064234] usb 1-8: USB disconnect, device number 3
> 
> Some events get caught by containers…
> 
> When the HDD is plugged, containers can't access it (no device node under /dev
> and no way to create it using mknod), which is normal.
> 
> Why do containers "see" the device being plugged ?

Because the udev messages are being sent to all namespaces.  In the
future we may end up only sending those to the host namespace, with a
userspace daemon on the host forwarding appropriate messages into
containers (policy-driven).  That's not there yet.

> Is there any security issue with this behavior (I don't want any container to be
> able to mount this - or any - drive) ?

Depends on your setup, but presumably the containers should be prevented
from creating the device node as well as mounting that drive by the devices
cgroup.

-serge
_______________________________________________
lxc-users mailing list
lxc-users at lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users

----- End forwarded message -----
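The reply above points at the devices cgroup as the control that actually matters: a container may see the uevent, but it should be unable to mknod the node or open it. The script below is an added example (not code from this thread or from the LXC project) that reads a cgroup v1 `devices.list` and decides, the way the kernel does, whether one whitelist line covers a requested device and access. It assumes a cgroup v1 hierarchy mounted at `/sys/fs/cgroup/devices` with containers under `lxc/<name>`, which is how LXC 1.x on Wheezy laid things out; the sample list is constructed to look like a typical container allow list, with `b *:* m` added to show the difference between being allowed to create a node and being allowed to use it.

```shell
#!/bin/sh
# Added example: evaluate a cgroup v1 devices.list the way the kernel's
# match_exception() does. A request is allowed only if a single whitelist
# line matches the type (a = block or char), the major (or *), the minor
# (or *) and contains every requested access bit (r, w, m).
#
# Constructed sample of what /sys/fs/cgroup/devices/lxc/<name>/devices.list
# typically contains for an LXC container (not taken from a real host).
SAMPLE_LIST='c 1:3 rwm
c 1:5 rwm
c 5:0 rwm
c 136:* rwm
c 254:0 rm
b *:* m'

# usage: devcg_allows "<devices.list contents>" <b|c> <major> <minor> <subset of rwm>
# returns 0 if allowed, 1 if denied
devcg_allows() {
    list="$1"; want_type="$2"; want_major="$3"; want_minor="$4"; want_acc="$5"
    printf '%s\n' "$list" | (
        while read -r ex_type ex_dev ex_acc; do
            [ -z "$ex_type" ] && continue
            ex_major="${ex_dev%%:*}"
            ex_minor="${ex_dev#*:}"
            # 'a' covers both block and char devices
            [ "$ex_type" != "a" ] && [ "$ex_type" != "$want_type" ] && continue
            [ "$ex_major" != "*" ] && [ "$ex_major" != "$want_major" ] && continue
            [ "$ex_minor" != "*" ] && [ "$ex_minor" != "$want_minor" ] && continue
            # every requested bit must be present in this one entry;
            # partial coverage across several entries does not count
            ok=1
            for bit in r w m; do
                case "$want_acc" in
                    *"$bit"*)
                        case "$ex_acc" in
                            *"$bit"*) ;;
                            *) ok=0 ;;
                        esac ;;
                esac
            done
            [ "$ok" = 1 ] && exit 0
        done
        exit 1
    )
}

# Same check against a live container. The path is an assumption about a
# cgroup v1 layout (LXC 1.x); adjust it for your host.
devcg_container_allows() {
    name="$1"; shift
    listfile="/sys/fs/cgroup/devices/lxc/$name/devices.list"
    [ -r "$listfile" ] || { echo "cannot read $listfile" >&2; return 2; }
    devcg_allows "$(cat "$listfile")" "$@"
}

# Demonstration on the constructed list: sdc on the host is block 8:32.
for acc in m r w; do
    if devcg_allows "$SAMPLE_LIST" b 8 32 "$acc"; then
        echo "b 8:32 $acc: allowed"
    else
        echo "b 8:32 $acc: denied"
    fi
done
```

Run it against a real container with `devcg_container_allows web b 8 32 r` (the major:minor pair comes from `ls -l /dev/sdc` on the host). A result of "allowed" for `r` or `w` on the disk's numbers means the cgroup is not doing what the reply expects and the container config's `lxc.cgroup.devices.deny`/`allow` lines need tightening; "allowed" for `m` alone only means the node can be created, not opened.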
