[lxc-users] permissions question: netstat -anp does not show process for non owned processes

Serge Hallyn serge.hallyn at ubuntu.com
Tue May 3 16:49:01 UTC 2016


Quoting Umberto Nicoletti (umberto.nicoletti at gmail.com):
> Hi all,
> I am dipping my toes into LXC and I'm liking what I see so far.
> 
> I have one question about privileges/security inside containers: I have
> started a container and then accessed it with:
> 
> lxc exec c1 /bin/bash
> 
> If I run netstat -anp it will refuse to show me process information for
> processes that I do not own (even though I appear to be root).
> 
> For instance an haproxy instance listening on port 3000 appears as the
> following (haproxy is running as user haproxy):
> 
> root at c1:~# netstat -anp | grep 3000
> (Not all processes could be identified, non-owned process info
>  will not be shown, you would have to be root to see it all.)
> tcp        0      0 127.0.0.1:3000          0.0.0.0:*               LISTEN      -
> 
> I am running the latest lxc/lxd on Ubuntu 16.04.
> 
> From what I have read I understand there is some uid mapping going on but I
> was hoping someone could explain it to me or point me in the right
> direction.

If I understand your email right, you'll be interested in

man 7 user_namespaces

(also available at http://manpages.ubuntu.com/manpages/xenial/en/man7/user_namespaces.7.html )

Indeed your container root is privileged with respect to the container's
resources, but is not root on the host.  /proc/self/uid_map will show
how container uids are mapped.  For instance, if you have

root at trusty-gui:/# cat /proc/self/uid_map
         0     100000       65536

then root (uid 0) in the container is uid 100000 on the host.  It
is privileged with respect to uids mapped into the container, which
are host uids 100000-165535.  The container root is not privileged
against any task not owned by one of those host uids.

-serge
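To make the mapping concrete, here is a small added example (my own code, not part of the thread or of lxc/lxd) that parses a uid_map in the format user_namespaces(7) describes and translates ids across the namespace boundary. The first sample map is constructed to match the one Serge shows; the second, two-line map is a constructed variant to show that a map may carry several ranges. The rule encoded in container_root_may_act_on() is the one stated above: container root is privileged only over tasks whose host uid falls inside a mapped range. Any uid that is not mapped shows up inside the namespace as the overflow uid (65534 by default, per the man page), which is why such processes look "non-owned" from inside.

```python
"""Parse a user-namespace uid_map and translate uids across the boundary.

Format of each line in /proc/<pid>/uid_map (see user_namespaces(7)):
    <inside_start> <outside_start> <count>
"""
from typing import List, Optional, Tuple

# Constructed sample, same shape as the map quoted in the mail:
# container uid 0..65535 -> host uid 100000..165535
SAMPLE_UID_MAP = "         0     100000       65536\n"

# Constructed variant with two ranges: container root is the caller's own
# host uid (1000), and container uids 1..65535 come from a subuid range.
SAMPLE_UID_MAP_TWO_RANGES = "0 1000 1\n1 100000 65535\n"

# Default value of /proc/sys/kernel/overflowuid; unmapped ids appear as this.
OVERFLOW_UID = 65534

MapEntry = Tuple[int, int, int]  # (inside_start, outside_start, count)


def parse_uid_map(text: str) -> List[MapEntry]:
    """Return (inside_start, outside_start, count) triples from uid_map text."""
    entries: List[MapEntry] = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        inside, outside, count = (int(f) for f in fields)
        if count <= 0:
            raise ValueError(f"non-positive count in uid_map line: {line!r}")
        entries.append((inside, outside, count))
    return entries


def to_host_uid(entries: List[MapEntry], container_uid: int) -> Optional[int]:
    """Map a uid as seen inside the namespace to the host uid, or None if unmapped."""
    for inside, outside, count in entries:
        if inside <= container_uid < inside + count:
            return outside + (container_uid - inside)
    return None


def to_container_uid(entries: List[MapEntry], host_uid: int) -> int:
    """Map a host uid to what the namespace sees; unmapped ids become OVERFLOW_UID."""
    for inside, outside, count in entries:
        if outside <= host_uid < outside + count:
            return inside + (host_uid - outside)
    return OVERFLOW_UID


def container_root_may_act_on(entries: List[MapEntry], host_uid: int) -> bool:
    """Container root is privileged only over tasks owned by a mapped host uid."""
    return any(outside <= host_uid < outside + count
               for _inside, outside, count in entries)


def read_self_uid_map(path: str = "/proc/self/uid_map") -> List[MapEntry]:
    """Read and parse the calling process's own uid_map from procfs."""
    with open(path, encoding="ascii") as fh:
        return parse_uid_map(fh.read())


if __name__ == "__main__":
    entries = parse_uid_map(SAMPLE_UID_MAP)
    for cuid in (0, 1000, 65535, 65536):
        print(f"container uid {cuid:>6} -> host uid {to_host_uid(entries, cuid)}")
    for huid in (1000, 100000, 165535, 165536):
        print(f"host uid {huid:>6} -> seen inside as {to_container_uid(entries, huid)}, "
              f"container root privileged: {container_root_may_act_on(entries, huid)}")
```

Running it inside a container shows why a listener owned by a host-side uid outside the mapped range is opaque to container root: it is not "owned" by any uid the namespace knows about, so the process falls outside container root's authority.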
