[lxc-users] Problem with lxc.network.script...

Serge Hallyn serge.hallyn at ubuntu.com
Fri Jan 30 13:13:45 UTC 2015


Quoting PONCET Anthony (ff240 at msn.com):
> On 29/01/2015 15:21, Serge Hallyn wrote:
> >Quoting PONCET Anthony (ff240 at msn.com):
> >>On 29/01/2015 12:30, Serge Hallyn wrote:
> >>>Quoting PONCET Anthony (ff240 at msn.com):
> >>>>Dear,
> >>>>I'm using LXC on Ubuntu 14.04 (version: 1.0.7), with unprivileged
> >>>>containers.
> >>>>I'm trying to use lxc.network.script.up and lxc.network.script.down
> >>>>to allow one container in my firewall (iptables/ip6tables).
> >>>>I've allowed a user to execute /sbin/iptables and /sbin/ip6tables
> >>>>with sudo, and if I run my script manually, it runs without problem.
> >>>>But when I start my container, my script doesn't run (I added
> >>>>"echo "test" >> test.log" at the top of the script and test.log is never
> >>>>created, and no rules are added to iptables).
> >>>>I use the veth network mode, and I added my user to /etc/lxc/lxc-usernet.
> >>>>I defined lxc.logfile and lxc.loglevel = 1 but no errors are logged.
> >>>>Do you have an idea to solve my problem?
> >>>Can you please show the exact commands you used to create and
> >>>start the container, the container config file, the script
> >>>contents, and the script file owner/mode (ls -l output)?
> >>>_______________________________________________
> >>>lxc-users mailing list
> >>>lxc-users at lists.linuxcontainers.org
> >>>http://lists.linuxcontainers.org/listinfo/lxc-users
> >>Yes,
> >>lxc-create -t download -n ct_name -- -d ubuntu -r trusty -a amd64
> >Yeah, sorry, I wasn't thinking right.  The network up and down
> >scripts do not work for unprivileged containers right now.
> >
> >You can create a container started by root but with lxc.id_map
> >sections, so that the container will be unprivileged, but the
> >startup runs as root.
> >
> >I'm undecided as to whether it is worth adding support for
> >script.up/down for unpriv containers.
> >
> >-serge
> Yeah, it would be very cool to add this feature for unpriv containers.

No, I'm unconvinced.  Anything which you'd want to do as an unprivileged
user on a network.up/down hook would require privilege on the host.  To
design something like that in a way that at all maintains privilege
guarantees is somewhere between hard and impossible.  (For instance, perhaps
the user is given sudo access only to certain programs specifically written
to be called from the scripts, with apparmor rules to prevent anything
unruly).  There would have to be a good reason to run these as an unpriv
user instead of starting the unprivileged container as root in this case.

> I.e.: in this case, the firewall can't be autoconfigured, given that
> the veth name is random.
> And could you update the manual?
> 
> I don't see this.

Indeed it's not there.  Patches appreciated.

-serge
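As an added example (not code from this thread, from LXC, or from either poster), here is what a network hook can look like for the setup Serge describes above: a container that root starts, with lxc.id_map lines so the container itself is unprivileged, while the hook runs as root. lxc.container.conf(5) documents that LXC invokes lxc.network.script.up/down with the container name, "net", "up"/"down", the network type and, for veth, the host-side interface name, so the hook does not need sudo and does not need to guess the random veth name. Assumed config lines (constructed paths): lxc.id_map = u 0 100000 65536, lxc.id_map = g 0 100000 65536, lxc.network.script.up = /var/lib/lxc/ct_name/net-hook.sh and the same file for lxc.network.script.down.

```shell
#!/bin/sh
# Hook for lxc.network.script.up / lxc.network.script.down in a container that
# root starts with lxc.id_map lines (constructed example, not from the thread).
# LXC 1.0 invokes the hook as:
#   <script> <container name> net <up|down> veth <host-side veth name>
# The container is started by root, so the hook already runs as root and no
# sudo wrapper around iptables is needed; the random veth name arrives in $5.
set -eu

# Print the iptables command for one hook invocation (nothing is executed here,
# so the logic can be checked without root). Returns 1 on unexpected input.
hook_rule() {
    name=$1 section=$2 hook=$3 nettype=$4 veth=$5
    if [ "$section" != net ] || [ "$nettype" != veth ]; then
        echo "$name: unsupported hook $section/$nettype" >&2; return 1
    fi
    # Only accept a plausible interface name: the value comes from LXC, but a
    # hook running as root should still not splice arbitrary text into a command.
    case $veth in
        ""|*[!A-Za-z0-9_.-]*) echo "$name: bad veth name '$veth'" >&2; return 1 ;;
    esac
    case $hook in
        up)   action=-I ;;   # insert the rule when the interface comes up
        down) action=-D ;;   # delete the same rule when it goes down
        *)    echo "$name: unknown hook '$hook'" >&2; return 1 ;;
    esac
    # Allow forwarded traffic that entered the bridge from this container's veth.
    echo "iptables $action FORWARD -m physdev --physdev-in $veth -j ACCEPT"
}

# Run the rule, or only show it when DRY_RUN is set (DRY_RUN=1 ./net-hook.sh ...).
apply_hook() {
    cmd=$(hook_rule "$@") || return 1
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$cmd"
    else
        $cmd   # word splitting is intended; every field was validated above
    fi
}

# LXC passes exactly five arguments for a veth interface.
if [ "$#" -eq 5 ]; then
    apply_hook "$@"
fi
```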

