[lxc-users] permissions question: netstat -anp does not show process for non owned processes
umberto.nicoletti at gmail.com
Tue May 3 19:26:29 UTC 2016
btw I just checked and this behaviour breaks some haproxyctl functions (at
least those relying on /proc)
On Tue, May 3, 2016 at 9:05 PM, Umberto Nicoletti <umberto.nicoletti at gmail.com> wrote:
> On Tue, May 3, 2016 at 6:49 PM, Serge Hallyn <serge.hallyn at ubuntu.com>
>> Quoting Umberto Nicoletti (umberto.nicoletti at gmail.com):
>> > Hi all,
>> > I am dipping my toes into LXC and I'm liking what I see so far.
>> > I have one question about privileges/security inside containers: I have
>> > started a container and then accessed it with:
>> > lxc exec c1 /bin/bash
>> > If I run netstat -anp it will refuse to show me process information for
>> > processes that I do not own (even though I appear to be root).
>> > For instance an haproxy instance listening on port 3000 appears as the
>> > following (haproxy is running as user haproxy):
>> > root at c1:~# netstat -anp | grep 3000
>> > (Not all processes could be identified, non-owned process info
>> > will not be shown, you would have to be root to see it all.)
>> > tcp 0 0 127.0.0.1:3000 0.0.0.0:*
>> > -
>> > I am running the latest lxc/lxd on Ubuntu 16.04.
>> > From what I have read I understand there is some uid mapping going on
>> > but I was hoping someone could explain it to me or point me in the right
>> > direction.
>> If I understand your email right, you'll be interested in
>> man 7 user_namespaces
>> (also available at
>> Indeed your container root is privileged with respect to the container's
>> resources, but is not root on the host. /proc/self/uid_map will show
>> how container uids are mapped. For instance, if you have
>> root at trusty-gui:/# cat /proc/self/uid_map
>> 0 100000 65536
>> then root (uid 0) in the container is uid 100000 on the host. It
>> is privileged with respect to uids mapped into the container, which
>> are host uids 100000-165535. The container root is not privileged
>> against any task not owned by one of those host uids.
> Thanks for taking the time to answer.
> This makes sense, still I don't understand why netstat won't show the pid
> and program for sockets owned by container processes like haproxy in my
> previous example.
> haproxy has uid 106 in the container which is mapped to uid 100106 on the
> host so it should be among those manageable by uid 0 (in the container).
>> lxc-users mailing list
>> lxc-users at lists.linuxcontainers.org
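The uid_map arithmetic Serge describes, and the check Umberto applies to haproxy's uid, as an added example that is not part of the thread. It parses the `/proc/self/uid_map` format (one or more lines of `container-start host-start count`) and translates uids in both directions; the sample map is constructed to match the one quoted above, and the function names are my own.

```python
# Added example (not from the thread): translate uids across the user-namespace
# mapping exposed in /proc/self/uid_map. Each line reads
# "<container-start> <host-start> <count>"; a map may contain several lines.
from typing import List, Optional, Tuple

# Constructed sample matching the thread: container uids 0..65535 -> host 100000..165535
SAMPLE_UID_MAP = "         0     100000      65536\n"


def parse_uid_map(text: str) -> List[Tuple[int, int, int]]:
    """Parse uid_map/gid_map text into (ns_start, host_start, count) triples."""
    ranges = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        ns_start, host_start, count = (int(f) for f in fields)
        if count <= 0:
            raise ValueError(f"non-positive range length: {line!r}")
        ranges.append((ns_start, host_start, count))
    return ranges


def container_to_host(uid: int, ranges: List[Tuple[int, int, int]]) -> Optional[int]:
    """Host uid that a container uid maps to, or None if the uid is unmapped."""
    for ns_start, host_start, count in ranges:
        if ns_start <= uid < ns_start + count:
            return host_start + (uid - ns_start)
    return None


def host_to_container(host_uid: int, ranges: List[Tuple[int, int, int]]) -> Optional[int]:
    """Container uid for a host uid, or None when the host uid lies outside
    every mapped range (such a task is not owned by any container uid)."""
    for ns_start, host_start, count in ranges:
        if host_start <= host_uid < host_start + count:
            return ns_start + (host_uid - host_start)
    return None


def container_root_has_privilege_over(host_uid: int, ranges: List[Tuple[int, int, int]]) -> bool:
    """Container root is privileged only over tasks owned by mapped host uids."""
    return host_to_container(host_uid, ranges) is not None


if __name__ == "__main__":
    ranges = parse_uid_map(SAMPLE_UID_MAP)
    print(container_to_host(106, ranges))                    # haproxy -> 100106
    print(container_root_has_privilege_over(1000, ranges))   # host user 1000 -> False
```

On a live system read `/proc/self/uid_map` instead of `SAMPLE_UID_MAP`; a host uid the map returns `None` for is one the container's root cannot inspect or signal.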