[lxc-users] lxc rootfs permission 700 vs 755
Serge E. Hallyn
serge at hallyn.com
Mon Aug 21 14:49:39 UTC 2017
Quoting T.C 吳天健 (tcwu2005 at gmail.com):
> I found some service in container's OS failed to start. The error message
> is "execve permission denied".
> Finally I chmod 755 to all directories from '/' to rootfs and problem
> solved. For example, my container's rootfs is at /data/maru/con1, then
> chmod 755 /data/maru; chmod 755 /data/maru/con1;chmod 755
> /data/maru/con1/rootfs.
> But why? Since I am using root container, I expect that lxc and
> /data/maru/con1/init have root privilege to do things but apparently not...
Hi,
it's been awhile since I've given this any thought. I assume that
your root-owned container is unprivileged, and that lxc is trying to
open the rootfs dir after unsharing the user namespace.
/data/maru/con1/rootfs itself will have to be owned by the container
root user, but we should be able to open an fd to that dir in the
parent user namespace, and always opendir() from there. Hm, that
won't suffice for pivot_root. So root would instead have to create
a temporary mount namespace and mount the new root to /lxcroot. Then
the container root could work from /lxcroot.
I'm cc:ing lxc-devel in case someone feels inspired to do this, or
at least open a github issue for it. I think it might be worth
doing, at least optionally, as it lets us keep a tighter lid on
fs permissions.
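As an added illustration (not from this thread or from lxc itself), a POSIX shell check that walks every directory from / down to a container rootfs and reports the components whose mode bits deny search (x) permission to the uid/gid the container's root maps to on the host; the mapped ids (100000) and the rootfs path are assumed values. It models only the owner/group/other bits (no ACLs or capabilities) and reads them with GNU stat, so an admin can run it before starting the container instead of discovering the problem as "execve permission denied".

```sh
#!/bin/sh
# Added check: report directories on the way to a container rootfs that the
# container's mapped root uid/gid cannot traverse. Assumes GNU coreutils stat.

# can_search UID GID DIR -> 0 if UID/GID may traverse DIR, 1 otherwise
can_search() {
    uid="$1"; gid="$2"; dir="$3"
    info=$(stat -c '%a %u %g' -- "$dir" 2>/dev/null) || {
        printf 'missing: %s\n' "$dir"; return 1; }
    set -- $info
    mode="$1"; owner="$2"; group="$3"
    # keep only the rwx triplet (drop a leading setuid/setgid/sticky digit)
    prefix="${mode%???}"; mode="${mode#$prefix}"
    if [ "$owner" = "$uid" ]; then
        digit="${mode%??}"                       # owner bits
    elif [ "$group" = "$gid" ]; then
        digit="${mode#?}"; digit="${digit%?}"    # group bits
    else
        digit="${mode#??}"                       # other bits
    fi
    # the x (search) bit is the low bit of the octal digit
    if [ $((digit & 1)) -eq 1 ]; then
        return 0
    fi
    printf 'blocked: %s (mode %s, owner %s:%s)\n' "$dir" "$mode" "$owner" "$group"
    return 1
}

# check_rootfs_path UID GID /abs/path/to/rootfs
# Prints one line per problem component; returns 0 if the whole chain is
# traversable by UID/GID, 1 otherwise.
check_rootfs_path() {
    uid="$1"; gid="$2"; rest="${3#/}"; dir="/"; blocked=0
    can_search "$uid" "$gid" "$dir" || blocked=1
    while [ -n "$rest" ]; do
        part="${rest%%/*}"
        case "$rest" in */*) rest="${rest#*/}" ;; *) rest="" ;; esac
        [ -z "$part" ] && continue               # tolerate "//" in the input
        dir="${dir%/}/$part"
        can_search "$uid" "$gid" "$dir" || blocked=1
    done
    return "$blocked"
}

# example (assumed idmap and path):
#   check_rootfs_path 100000 100000 /data/maru/con1/rootfs
```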