[lxc-users] DBUS connection from inside container using system dbus

Stewart Brodie sbrodie at espial.com
Fri Mar 10 15:14:39 UTC 2017


Adithya K <linux.challenge1 at gmail.com> wrote:

> > > I am using busybox template to create container on ubuntu. I am
> > > creating container as non privileged. Attached is the config created.
> > > I am mapping var/run/dbus/socket from host to container. Basically I
> > > am using host dbus.

> > > What I see is when I try to run any dbus program, the
> > > dbus_bus_get(DBUS_BUS_SYSTEM, &err); call fails. Basically I am not
> > > able to get dbus bus connection.

> > > When I create container using privileged mode, then this issue doesn't
> > > exist.

> > > Any solution for this issue?


This will not work (as you have discovered!).  This is why ...

The dbus-daemon examines the credentials on the UNIX domain socket, in order
to find out the peer's PID and UID.  If the peer is in a different PID
and/or UID namespace, the kernel will have remapped the credentials into the
dbus-daemon's namespace.  The client, however, will still try to
authenticate by passing its UID in the SASL setup for the connection by
sending "AUTH EXTERNAL <UID>", where <UID> is a hex version of the
stringification of the effective UID of the client in *its* namespace.  e.g.
the UID 789 would be encoded as 373839!  Thus when the dbus-daemon receives
this UID and compares it to the credentials it found on the socket, it finds
the UIDs don't match and thus it refuses to permit the connection.

For my project, I can afford to disable the SASL part of the connection
protocol in the client - it would be possible to fix this in the daemon, but
for various reasons I can't do that in my project.  The obvious problem of
patching the client rather than the server is that you end up having to
patch all the different client DBus libraries.

I attach an example patch for dbus-1.10.6 that *disables* the sending of the
client UID in the setup message.  If that's acceptable for your situation,
you're welcome to use it.  There's a second patch for GDBus too.


-- 
Stewart Brodie
Senior Software Engineer
Espial UK

-------------- next part --------------
A non-text attachment was scrubbed...
Name: dbus-external-auth-rely-on-scm-creds.patch
Type: application/octet-stream
Size: 2176 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20170310/c9329d9d/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gdbus-auth.patch
Type: application/octet-stream
Size: 4700 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20170310/c9329d9d/attachment-0001.obj>
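The UID mismatch Stewart describes can be reproduced without a running dbus-daemon. The following is an added example, not code from the list post, from the attached patches, or from the dbus project: it builds the client's "AUTH EXTERNAL" line the way the D-Bus specification defines it (ASCII-hex of the decimal UID string, so 789 becomes 373839), applies a user-namespace remap of the kind an unprivileged LXC container gets (the base offset 100000 and range 65536 are constructed values, not taken from the poster's config), and then performs the daemon-side comparison against the UID the kernel reports on the socket. The "client sends no UID" branch models the patched-client approach from the post in simplified form (the real handshake involves a DATA round trip before the daemon falls back to the socket credentials).

```python
"""Model of why D-Bus EXTERNAL auth fails from an unprivileged container.

Added example; not the list post's patch and not dbus-daemon's code.
Only the hex encoding rule comes from the D-Bus specification; the
id-map values below are constructed for illustration.
"""
from typing import Optional

OVERFLOW_UID = 65534  # kernel's default overflowuid for unmapped ids


def encode_external_auth(uid: Optional[int]) -> bytes:
    """Client side: build the first auth line.

    789 -> b'AUTH EXTERNAL 373839\\r\\n'.  Passing None omits the UID, which is
    what the post's patched client does (rely on socket credentials instead).
    """
    if uid is None:
        return b"AUTH EXTERNAL\r\n"
    hex_of_decimal = str(uid).encode("ascii").hex()
    return b"AUTH EXTERNAL " + hex_of_decimal.encode("ascii") + b"\r\n"


def decode_external_auth(line: bytes) -> Optional[int]:
    """Daemon side: parse the UID the client claims (None if it sent none).

    Raises ValueError for anything that is not a well-formed EXTERNAL line.
    """
    if not line.endswith(b"\r\n"):
        raise ValueError("auth line not CRLF-terminated")
    body = line[:-2]
    if body == b"AUTH EXTERNAL":
        return None
    prefix = b"AUTH EXTERNAL "
    if not body.startswith(prefix):
        raise ValueError("not an AUTH EXTERNAL line")
    decimal = bytes.fromhex(body[len(prefix):].decode("ascii")).decode("ascii")
    if not decimal.isdigit():
        raise ValueError("claimed uid is not a decimal number")
    return int(decimal)


def map_uid_to_host(container_uid: int, host_base: int, count: int) -> int:
    """Kernel-style translation of a uid through one id-map range.

    Mirrors an lxc.idmap line of the form 'u 0 <host_base> <count>':
    container uid N is seen on the host as host_base + N; ids outside the
    range are reported as the overflow uid.
    """
    if 0 <= container_uid < count:
        return host_base + container_uid
    return OVERFLOW_UID


def daemon_accepts(auth_line: bytes, socket_peer_uid: int) -> bool:
    """What dbus-daemon checks: claimed UID must equal the SO_PEERCRED UID.

    When the client claims nothing, the daemon authenticates the peer as
    socket_peer_uid (simplified model of the fallback path).
    """
    try:
        claimed = decode_external_auth(auth_line)
    except ValueError:
        return False
    if claimed is None:
        return True
    return claimed == socket_peer_uid


def simulate(container_uid: int, host_base: Optional[int] = None,
             count: int = 65536, send_uid: bool = True) -> bool:
    """Run one handshake.  host_base=None means a privileged container
    (no uid namespace), so the kernel does not remap the credentials."""
    line = encode_external_auth(container_uid if send_uid else None)
    if host_base is None:
        peer_uid = container_uid
    else:
        peer_uid = map_uid_to_host(container_uid, host_base, count)
    return daemon_accepts(line, peer_uid)


if __name__ == "__main__":
    print(encode_external_auth(789))              # b'AUTH EXTERNAL 373839\r\n'
    print("privileged:", simulate(789))           # True
    print("unprivileged:", simulate(789, 100000))  # False: 789 != 100789
    print("patched client:", simulate(789, 100000, send_uid=False))  # True
```

The unprivileged case fails because the daemon sees peer UID 100789 on the socket while the client claims 789; the privileged case passes because no remapping happens. From a hardening standpoint the daemon-side comparison is the right behaviour: it is the socket credentials, not the client's claim, that the kernel vouches for, which is why the post's workaround drops the claim rather than forging it.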

