[lxc-users] Debian9.9 - running docker in lxc - loginuid proc permission issue

Jonathan Molyneux jonathan at infinitedepth.com.au
Mon May 13 10:01:14 UTC 2019


Hi Everyone,

Having an issue when running docker containers under an lxc container: they are not 
able to write to /proc/self/loginuid, which blocks ssh logins due to 
pam_loginuid.so.

My setup / environment is:

OS Version/build:
 > debian 9.9 (up to date) running kernel 4.9.168-1 with aufs-dkms.
 > lxc 2.0.7-2+deb9u2

App version:
Docker version 18.09.6, build 481bc77

Docker run from inside an lxc container running with the config:
 > lxc.include = /usr/share/lxc/config/debian.common.conf
 > lxc.include = /usr/share/lxc/config/nesting.conf

Steps to reproduce:
pam_loginuid.so (write to loginuid) works when testing from:
 > the host
 > inside docker run directly on the host
 > inside a lxc container

But it won't allow writes when run from docker inside the lxc container.
For example, when cron triggers a job for the user www-data (uid 33),
you end up seeing the following:
 > [pid  1693] openat(AT_FDCWD, "/proc/self/loginuid", O_RDWR|O_NOFOLLOW) = 6
 > [pid  1693] read(6, "0", 24)            = 1
 > [pid  1693] read(6, "", 23)             = 0
 > [pid  1693] lseek(6, 0, SEEK_SET)       = 0
 > [pid  1693] ftruncate(6, 0)             = 0
 > [pid  1693] write(6, "33", 2)           = -1 EPERM (Operation not permitted)

Whereas you should be seeing:
 > [pid 30378] openat(AT_FDCWD, "/proc/self/loginuid", O_RDWR|O_NOFOLLOW) = 6
 > [pid 30378] read(6, "4294967295", 24)   = 10
 > [pid 30378] read(6, "", 14)             = 0
 > [pid 30378] lseek(6, 0, SEEK_SET)       = 0
 > [pid 30378] ftruncate(6, 0)             = 0
 > [pid 30378] write(6, "33", 2)           = 2

Have been able to reproduce the issue using both debian:9.9 and 
ubuntu:18.04 images.

Have tried many tweaks to lxc and apparmor to no avail (mostly stripping 
away at the restrictions; have also run aa_profile 
unconfined/lxc-container-default-with-mounting), mostly as I can't seem 
to reproduce the issue in an lxc container, and no changes have had any 
effect on the docker containers either.

Any thoughts or ideas on where to go next?

PS

This may not be an LXC issue, but I'm out of ideas on how to proceed.
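A small probe that replays the same open/read/truncate/write sequence pam_loginuid.so performs (as seen in the strace output above) and reports the outcome with the errno explained. This is an added example, not code from the original post or from lxc/docker/pam; it assumes a Linux host with procfs mounted, and the uid 33 (www-data) and the UNSET value 4294967295 are taken from the strace lines. Running it as root from the host, inside the lxc container and inside docker-in-lxc gives a quick way to see at which layer the write starts failing and whether the file was already set (0) or still unset (4294967295) when the write was attempted.

```python
"""Probe whether /proc/self/loginuid can be set the way pam_loginuid.so does.

Added example, not from the original post. Replays the open/read/truncate/write
sequence from the strace output and reports what happened, so the same script
can be run from the host, inside the lxc container and inside docker-in-lxc to
localize where the write starts failing. Requires Linux; run as root for a
meaningful result.
"""
import errno
import os

LOGINUID_PATH = "/proc/self/loginuid"   # same file pam_loginuid.so writes
UNSET_LOGINUID = 4294967295              # (uid_t)-1: loginuid not yet set


def parse_loginuid(text):
    """Turn the file's contents into (uid, is_unset)."""
    value = int(text.strip() or "0")
    return value, value == UNSET_LOGINUID


def classify_write_error(err):
    """Map an errno from the failed step to a short explanation."""
    if err == errno.EPERM:
        return ("EPERM: kernel refused the write; loginuid was already set and the "
                "process lacks CAP_AUDIT_CONTROL, or the audit/procfs policy in "
                "this namespace blocks it")
    if err == errno.EACCES:
        return "EACCES: filesystem or LSM (e.g. AppArmor) denied access to the file"
    if err == errno.EINVAL:
        return "EINVAL: value rejected (not a valid uid string)"
    return "%s: %s" % (errno.errorcode.get(err, err), os.strerror(err))


def probe_loginuid(uid, path=LOGINUID_PATH):
    """Replay pam_loginuid's sequence: open O_RDWR, read, lseek, ftruncate, write.

    Returns a dict describing the outcome instead of raising, so results from
    different environments can be printed and compared side by side.
    """
    result = {"path": path, "requested_uid": uid, "stage": "open"}
    try:
        fd = os.open(path, os.O_RDWR | os.O_NOFOLLOW)
    except OSError as e:
        result["ok"] = False
        result["error"] = classify_write_error(e.errno)
        return result
    try:
        result["stage"] = "read"
        current, unset = parse_loginuid(os.read(fd, 24).decode())
        result["current_uid"] = current
        result["was_unset"] = unset
        result["stage"] = "truncate"
        os.lseek(fd, 0, os.SEEK_SET)
        os.ftruncate(fd, 0)
        result["stage"] = "write"
        os.write(fd, str(uid).encode())
        result["ok"] = True
    except OSError as e:
        result["ok"] = False
        result["error"] = classify_write_error(e.errno)
    finally:
        os.close(fd)
    return result


if __name__ == "__main__":
    import json
    # 33 is www-data on Debian, the uid from the strace in the post
    print(json.dumps(probe_loginuid(33), indent=2))
```

The "was_unset" field is the detail worth comparing between runs: in the failing trace the file already read back "0" before the EPERM, while the working trace read "4294967295", which is consistent with the kernel's write-once rule for an already-set loginuid rather than with an AppArmor denial (which would surface as EACCES).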



More information about the lxc-users mailing list