[lxc-users] proc not available inside unprivileged container

Dr. Todor Dimitrov dimitrov at technology.de
Fri Jun 7 20:10:45 UTC 2019


Hello Serge,

> ...  This doesn't show me anything.  Can you show the result of:
> 
> mountpoint /proc
> ls -l /proc

proc was really not mounted :-)

We found the "problem" in the C library, which caches the value returned by getpid. So what happens is the working, mounted proc gets unmounted, then remounted and again unmounted once the container has started. Have a look at this code:

In utils.c:

int lxc_mount_proc_if_needed(const char *rootfs)
{
...
	mypid = getpid();
	INFO("I am %d, /proc/self points to \"%s\"", mypid, link);
  
	if (lxc_safe_int(link, &link_to_pid) < 0)
		return -1;

	/* correct procfs is already mounted */
	if (link_to_pid == mypid) <-- 'I am 13379, /proc/self points to "1"'
		return 0;

	ret = umount2(path, MNT_DETACH); <-- UNMOUNT
	if (ret < 0)
		WARN("failed to umount \"%s\" with MNT_DETACH", path);

domount:
	/* rootfs is NULL */
	if (!strcmp(rootfs, ""))
		ret = mount("proc", path, "proc", 0, NULL);
	else
		ret = safe_mount("proc", path, "proc", 0, NULL, rootfs); <-- MOUNT
	if (ret < 0)
		return -1;

	INFO("mounted /proc in container for security transition");
	return 1;
}

In conf.c:

int lxc_create_tmp_proc_mount(struct lxc_conf *conf)
{
	int mounted;

	mounted = lxc_mount_proc_if_needed(conf->rootfs.path ? conf->rootfs.mount : "");
	if (mounted == -1) {
		SYSERROR("failed to mount /proc in the container");
		/* continue only if there is no rootfs */
		if (conf->rootfs.path)
			return -1;
	} else if (mounted == 1) {
		conf->tmp_umount_proc = 1; <-- MARK FOR UNMOUNTING
	}

	return 0;
}

I wouldn’t consider this a bug, the C library is just very old (uClibc-0.9.33.2).

Thanks for the support,
Todor

> On 7. Jun 2019, at 18:37, Serge E. Hallyn <serge at hallyn.com> wrote:
> 
> On Thu, Jun 06, 2019 at 07:55:04PM +0200, Dr. Todor Dimitrov wrote:
>> Hello,
>> 
>> we have an unprivileged container on LXC 2.1.1, which starts without any errors. The /proc system is however not available/mounted:
>> 
>> ...
>> drwxr-xr-x    2 root     root          1024 Jul 19  2018 proc
> 
> ...  This doesn't show me anything.  Can you show the result of:
> 
> mountpoint /proc
> ls -l /proc
> 
> ?
> 
>> ...
>> dr-xr-xr-x   12 nobody   nogroup          0 Jun  6 17:13 sys
>> ...
>> 
>> /sys on the other hand is present. The network seems to work, we can login with lxc-console, only commands which rely on /proc are non-functional, e.g. mount, ps, etc. The configuration file contains the following line:
>> 
>> lxc.mount.auto = cgroup:rw proc:rw sys:rw
>> 
>> The same configuration runs without any problems on a similar system using the same kernel version (3.12.59). Suspicious in the logs are the following entries:
>> 
>>      lxc-start qivicon 20190606172753.696 DEBUG    console - console.c:lxc_console_peer_default:450 - process does not have a controlling terminal
>>      lxc-start qivicon 20190606172753.848 INFO     lxc_utils - utils.c:lxc_mount_proc_if_needed:1758 - I am 13379, /proc/self points to "1"
>>      lxc-start qivicon 20190606172753.848 INFO     lxc_utils - utils.c:lxc_mount_proc_if_needed:1780 - mounted /proc in container for security transition
>> 
>> On the "working" system, we see:
>> 
>>      lxc-start qivicon 20190606182855.698 DEBUG    console - console.c:lxc_console_peer_default:450 - process does not have a controlling terminal
>>      lxc-start qivicon 20190606182855.731 INFO     lxc_utils - utils.c:lxc_mount_proc_if_needed:1758 - I am 1, /proc/self points to "1"
>> 
>> 
>> Do you have any ideas what the cause of the problem might be?
> 
> Please post the full logs resulting from lxc-start -l debug -o output_file
> 
> -serge
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3868 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20190607/bf3db4dc/attachment.bin>


More information about the lxc-users mailing list