[lxc-users] Debian9.9 - running docker in lxc - loginuid proc permission issue

Serge E. Hallyn serge at hallyn.com
Mon May 13 13:53:38 UTC 2019


On Mon, May 13, 2019 at 08:01:14PM +1000, Jonathan Molyneux wrote:
> Hi Everyone,
> 
> Having an issue when running docker containers under a lxc container not
> being able to write to /proc/self/loginuid, blocking ssh logins due to
> pam_loginuid.so.
> 
> My setup / environment is:
> 
> OS Version/build:
> > debian 9.9 (up to date) running kernel 4.9.168-1 with aufs-dkms.
> > lxc 2.0.7-2+deb9u2
> 
> App version:
> Docker version 18.09.6, build 481bc77
> 
> Docker run from inside an lxc container running with the config:
> > lxc.include = /usr/share/lxc/config/debian.common.conf
> > lxc.include = /usr/share/lxc/config/nesting.conf
> 
> Steps to reproduce:
> pam_loginuid.so (write to loginuid) works when testing from:
> > the host
> > inside docker run directly on the host
> > inside a lxc container

When you say "works when testing from lxc container", what exactly do you
mean there?

Please see

https://github.com/lxc/lxc/issues/661
and
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=726661

So I think the question is - what is *in* the docker containers, and does it
have the pam upstream fix required to know when to skip writing to loginuid?

> But won't allow writes when run from docker inside the lxc container.
> For example when cron triggers a job for the user www-data (uid 33)
> You end up seeing the following:
> > [pid  1693] openat(AT_FDCWD, "/proc/self/loginuid", O_RDWR|O_NOFOLLOW) = 6
> > [pid  1693] read(6, "0", 24)            = 1
> > [pid  1693] read(6, "", 23)             = 0
> > [pid  1693] lseek(6, 0, SEEK_SET)       = 0
> > [pid  1693] ftruncate(6, 0)             = 0
> > [pid  1693] write(6, "33", 2)           = -1 EPERM (Operation not permitted)
> 
> Whereas you should be seeing:
> > [pid 30378] openat(AT_FDCWD, "/proc/self/loginuid", O_RDWR|O_NOFOLLOW) = 6
> > [pid 30378] read(6, "4294967295", 24)   = 10
> > [pid 30378] read(6, "", 14)             = 0
> > [pid 30378] lseek(6, 0, SEEK_SET)       = 0
> > [pid 30378] ftruncate(6, 0)             = 0
> > [pid 30378] write(6, "33", 2)           = 2
> 
> Have been able to reproduce the issue using both debian:9.9 and ubuntu:18.04
> images.
> 
> Have tried many tweaks to lxc and apparmor to no avail (mostly stripping
> away at the restrictions, have also run aa_profile
> unconfined/lxc-container-default-with-mounting), mostly as I can't seem to
> reproduce the issue in a lxc container and no changes have had any effect on
> the docker containers either.
> 
> Any thoughts or ideas on where to go next?
> 
> PS
> 
> This may not be an LXC issue, but I'm out of ideas on how to proceed.
> 


More information about the lxc-users mailing list
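The two strace excerpts above show the whole story: in the working case the first read of /proc/self/loginuid returns 4294967295 (unset) and the write succeeds; in the docker-in-lxc case the read returns 0, meaning some ancestor outside the container already set the loginuid, and the kernel refuses to change it. The rule behind that is the kernel's: an unset loginuid can be set without privilege, but changing one that is already set needs CAP_AUDIT_CONTROL in the initial user namespace. The script below is an added diagnostic, not code from Linux-PAM, LXC or Docker, that parses the file, classifies a write outcome the way a container-aware pam_loginuid has to, and can optionally run the same openat/ftruncate/write sequence on the current process. The sample values are constructed from the strace output in the post; the function and return-value names are mine.

```python
"""Added diagnostic (not Linux-PAM, LXC or Docker code): read
/proc/self/loginuid, optionally attempt the same write pam_loginuid does,
and classify the outcome.  Sample values are constructed from the strace
excerpts in the post.  Assumed kernel rule: an unset loginuid (4294967295)
can be set without privilege, but changing an already-set one needs
CAP_AUDIT_CONTROL in the initial user namespace."""
import errno
import os

PROC_LOGINUID = "/proc/self/loginuid"
UNSET_LOGINUID = 4294967295  # (uid_t)-1, the kernel's "not set yet" value


def parse_loginuid(text):
    """Parse the file contents; None means the loginuid is not yet set."""
    value = int(text.strip())
    return None if value == UNSET_LOGINUID else value


def classify(current, write_errno):
    """Name the outcome of a loginuid write.

    current     -- parse_loginuid() of the value read before the write
    write_errno -- None if the write succeeded, else its errno
    """
    if write_errno is None:
        # Healthy case from the post: read "4294967295", write(6, "33", 2) = 2
        return "set-ok" if current is None else "overwrite-ok"
    if write_errno == errno.EPERM and current is not None:
        # Failing case from the post: read "0", write -> EPERM.  An ancestor
        # outside the container already set the loginuid and this process
        # has no CAP_AUDIT_CONTROL, so the kernel will not let it change.
        # A container-aware pam_loginuid should skip the write here instead
        # of failing the login.
        return "inherited-immutable"
    if write_errno == errno.EPERM:
        # Unset yet still refused: not the situation in the post; record the
        # kernel version and LSM configuration when reporting it.
        return "eperm-unset"
    return "error-" + errno.errorcode.get(write_errno, str(write_errno))


# Constructed from the post's strace output: (file contents, write errno).
SAMPLES = {
    "docker-in-lxc": ("0", errno.EPERM),
    "host": ("4294967295", None),
}


def classify_sample(name):
    """Classify one of the constructed samples by name."""
    text, write_errno = SAMPLES[name]
    return classify(parse_loginuid(text), write_errno)


def probe_self(attempt_write=False, uid=None):
    """Live check on this process.  Returns (current, classification).

    With attempt_write=False only the read is done (no side effects); with
    attempt_write=True the same openat/ftruncate/write sequence as in the
    strace is performed, which sets the loginuid if it was unset.
    """
    if uid is None:
        uid = os.getuid()
    try:
        fd = os.open(PROC_LOGINUID, os.O_RDWR | os.O_NOFOLLOW)
    except OSError as e:
        # No audit-capable /proc here (or no permission to open it)
        return None, "unavailable-" + errno.errorcode.get(e.errno, str(e.errno))
    try:
        current = parse_loginuid(os.read(fd, 24).decode())
        if not attempt_write:
            return current, "read-only"
        os.lseek(fd, 0, os.SEEK_SET)
        os.ftruncate(fd, 0)
        try:
            os.write(fd, str(uid).encode())  # pam writes the bare uid, no newline
        except OSError as e:
            return current, classify(current, e.errno)
        return current, classify(current, None)
    finally:
        os.close(fd)


if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name:14s} -> {classify_sample(name)}")
    print("this process  ->", probe_self())
```

Run it inside the docker container that fails: if the read-only probe already reports a loginuid other than 4294967295 before any login has happened, the value was inherited from whatever started the container, and the question becomes whether that image's pam_loginuid skips the write in that case, which is what Serge is asking about.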