[lxc-users] unprivileged lxc-execute: "Failed to shift tty into container"
Mart Kelder
mart at kelder31.nl
Sun Dec 24 17:17:46 UTC 2017
Hi all,
On 18-12-17 19:27, Mart Kelder wrote:
> Hi all,
>
> I try to lxc-execute a container I created myself. I attached the log
> messages and the strace file. If I run the command with strace and try
> to replay it, it seems to work correctly [1]. What is the next step to
> investigate this? Where is my test-session ([1]) different than the
> strace file? I use lxc-2.1.1 and lxcfs-2.0.8 (with pam_cgfs).
I tried to debug this further. I wrote a simple C program (attached) which:
1. creates a new pts by opening /dev/ptmx (not done if called with a
   device or pts number)
2. chowns the new pts (or the pts given as argument) with the same method
   as lxc-execute.
I also altered lxc-execute such that it:
a. sleeps for 60 seconds
b. calls the C program above instead of lxc_ttys_shift_ids.
I can observe that:
* The C program is able to chown the pts if:
  - it created the pts itself
  - it is run from a different shell (e.g. not from lxc-execute)
    while lxc-execute is in the 60-second sleep.
* The C program isn't able to chown the pts if:
  - it is run from lxc-execute
If it fails, the error code is -EPERM when writing /proc/$$/uid_map by
newuidmap. During the 60-second timeout, I can inspect the /proc process
tree. I don't see important differences in there which can explain the
permission denied, but I don't know exactly what I am looking for.
Does anyone have any idea what causes this or how I can investigate the
reason for failing further?
Thanks,
Mart
-------------- next part --------------
A non-text attachment was scrubbed...
Name: lxc_test.c
Type: text/x-csrc
Size: 1427 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20171224/7756373f/attachment.c>
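
The message above reports -EPERM when newuidmap writes uid_map. As an added example (not the scrubbed lxc_test.c, and not LXC or shadow code), the following Python checks a target PID against three preconditions: the map may be written only once (user_namespaces(7)), /proc/<pid> is normally owned by the process's effective uid (proc(5)), and every host range other than the caller's own uid must be delegated in /etc/subuid. Function names, the requested mapping and all sample values are assumptions made for the example.

```python
#!/usr/bin/env python3
"""Checks to run against a target PID before newuidmap (all sample data is constructed)."""
import os
import sys

def parse_subids(text, user):
    """Return [(start, count)] ranges delegated to `user` in /etc/subuid-format text."""
    rows = (line.strip().split(":") for line in text.splitlines())
    return [(int(r[1]), int(r[2])) for r in rows if len(r) == 3 and r[0] == user]

def parse_map(text):
    """Parse uid_map-format text into [(inside, outside, count)] tuples."""
    return [tuple(map(int, line.split())) for line in text.splitlines() if line.strip()]

def check_request(requested, subids, own_uid, current_map, proc_owner):
    """Return a list of problems found; an empty list means every check passed."""
    problems = []
    if parse_map(current_map):
        problems.append("uid_map is already populated; it can be written only once")
    if proc_owner != own_uid:
        problems.append(f"/proc/<pid> is owned by uid {proc_owner}, not {own_uid}")
    for _inside, outside, count in requested:
        if count == 1 and outside == own_uid:
            continue  # mapping the caller's own uid needs no /etc/subuid entry
        if not any(s <= outside and outside + count <= s + c for s, c in subids):
            problems.append(f"host range {outside}+{count} is not delegated in /etc/subuid")
    return problems

def live_facts(pid):
    """Read the same facts from /proc for a running target (Linux only)."""
    base = f"/proc/{pid}"
    with open(f"{base}/uid_map") as fh:
        return {"current_map": fh.read(), "proc_owner": os.stat(base).st_uid}

if __name__ == "__main__" and len(sys.argv) == 3:
    # usage: script.py PID USER ; the requested mapping below is a constructed sample
    with open("/etc/subuid") as fh:
        subids = parse_subids(fh.read(), sys.argv[2])
    wanted = [(0, subids[0][0], 65536)] if subids else []
    print(check_request(wanted, subids, os.getuid(), **live_facts(int(sys.argv[1]))) or "ok")
```

Run with the PID of the process whose map is about to be written and the unprivileged user name while lxc-execute is in its sleep; an empty result only means these three checks passed, not that the write will succeed.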