[lxc-users] unprivilaged lxc-execute: "Failed to shift tty into container"

[Mart Kelder]

Hi all,

I did manage to fix the problem below. Apparently, shifting tty's into 
the container fails if the process is running a ptrace for strace. In 
that case, newuidmap returns access denied (when called from 
lxc_execute). Not running lxc-execute in strace fixed the problem.

Thanks,

Mart


On 24-12-17 18:17, Mart Kelder wrote:
 > Hi all,
 >
 > On 18-12-17 19:27, Mart Kelder wrote:
 >> Hi all,
 >>
 >> I try to lxc-execute a container I created myself. I attached the log
 >> messages and the strace file. If I run the command with strace and try
 >> to replay it, it seems to work correctly [1]. What is the next step to
 >> investigate this? Where is my test-session ([1]) different then the
 >> strace file? I use lxc-2.1.1 and lxcfs-2.0.8 (with pam_cgfs).
 >
 > I tried to debug this further. I wrote a simple C-program (attached) 
which:
 > 1. creates a new pts by opening /dev/ptmx (not done if called with a
 > device or pts-number)
 > 2. chown the new pts (or the pts given as argument) with the same method
 > as lxc-execute.
 >
 > I also altered lxc-execute such that:
 > a. sleeps for 60 seconds
 > b. calls the c-program above instead of lxc_ttys_shift_ids.
 >
 > I can observe that:
 > * The C-program is able to chown the pts if:
 >     - it created the pts itself
 >     - it is runned from a different shell (e.g. not from lxc-execute)
 > while lxc-execute is in the 60 seconds sleep.
 > * The C-program isn't able to chown the pts if:
 >     - it is runned from lxc-execute
 >
 > If it fails the error code is -EPERM when writing /proc/$$/uid_map by
 > newuidmap. During the 60 second timeout, I can inspect the /proc process
 > tree. I don't see important differences in there which can explain the
 > permission denied, but I don't know exactly where I am looking for.
 >
 > Does anyone have any idea what causes this or how I can investigate the
 > reason for failing further?
 >
 > Thanks,
 >
 > Mart