[lxc-users] Running unprotected system container

Koehler, Yannick yannick.koehler at hpe.com
Mon Jun 15 14:23:30 UTC 2020


​I am still faced with the situation where if I run sh inside my container then any command I try to execute such as /bin/ls returns permission denied.

Any clue as to what I need to adjust to enable me to get inside my container as to inspect and try stuff out?

--
Yannick Koehler

________________________________
From: lxc-users <lxc-users-bounces at lists.linuxcontainers.org> on behalf of Saint Michael <venefax at gmail.com>
Sent: June 15, 2020 8:58 AM
To: LXC users mailing-list <lxc-users at lists.linuxcontainers.org>
Subject: Re: [lxc-users] Running unprotected system container

I have the same issue with plain LXC. Can somebody please post  a container config that would have the same rights as the host?
I actually move around my app in a container, the host is immaterial. It used to work fine until I upgraded Ubuntu to 20.04, since then I get permission denied on a fifo located in /tmp.
I need to load kernel modules, etc. It has to be on equal footing with the host
..


On Mon, Jun 15, 2020 at 8:41 AM Koehler, Yannick <yannick.koehler at hpe.com<mailto:yannick.koehler at hpe.com>> wrote:
First, thanks for the detailed and fast response, very appreciated.

As indicated, the code that will run inside that container is our previous OS and if it does bad things, well, that means it was doing so previously so not a "bigger" issue than it was before.  Since if that works, we will move more towards snap we will then have a better security system (AppArmor, SecComp, better app separation, etc) in place to remove trust for each app and get rid eventually of that container which purpose as indicated is to ease the transition and get some of the features we want from Ubuntu Core in an early release, if we do get this to work.

--
Yannick Koehler
________________________________
From: lxc-users <lxc-users-bounces at lists.linuxcontainers.org<mailto:lxc-users-bounces at lists.linuxcontainers.org>> on behalf of Fajar A. Nugraha <list at fajar.net<mailto:list at fajar.net>>
Sent: June 13, 2020 12:53 AM
To: LXC users mailing-list <lxc-users at lists.linuxcontainers.org<mailto:lxc-users at lists.linuxcontainers.org>>
Subject: Re: [lxc-users] Running unprotected system container

On Sat, Jun 13, 2020 at 9:41 AM Koehler, Yannick
<yannick.koehler at hpe.com<mailto:yannick.koehler at hpe.com>> wrote:
>
> Hi,
>
> I am in a situation where we desire to run our old OS environment inside Ubuntu Core.  So far we have identified LXD as being a candidate to enable us to run our past Linux OS environment within the new one.
>
> At this time our goal is to apply the least amount of modification to our existing OS in order to test and validate such an approach.
>
> I, therefore, need to run an LXC container with pretty much zero security, as to allow the old OS to loads kernel modules, access /proc, /sys, etc.


> Yet, when I tried to disable seccomp using lxc.seccomp.profile = none, I obtained an error as the profile 'none'  was not found by the seccomp profile reader.  I am wondering if this is a problem with lxc itself or with UbuntuCore not providing a definition of what a seccomp "none" profile would be.

Start from https://discuss.linuxcontainers.org/t/lxd-raw-lxc-lxc-net-i-script-up/1131/4<https://discuss.linuxcontainers.org/t/lxd-raw-lxc-lxc-net-i-script-up/1131/4>

Then create something like

/var/snap/lxd/common/lxd/extra/unrestricted.conf
------------------------------------------------
lxc.cap.drop =
lxc.apparmor.profile = unconfined
lxc.mount.auto = proc:rw sys:rw cgroup-full:rw
lxc.cgroup.devices.allow = c *:* rwm
lxc.cgroup.devices.allow = b *:* rwm
lxc.seccomp.profile = /var/snap/lxd/common/lxd/extra/unrestricted-seccomp.conf


/var/snap/lxd/common/lxd/extra/unrestricted-seccomp.conf
--------------------------------------------------------
2
blacklist
# v2 allows comments after the second line, with '#' in first column,
# blacklist will allow syscalls by default


Then put it on your lxd config
config:
  raw.lxc: lxc.include=/var/snap/lxd/common/lxd/extra/unrestricted.conf


Totally unsupported, you're on your own if something bad happens, etc.
I was able to run mknod, "losetup -a", mount, and modprobe from my
container, running lxd from snap under ubuntu 20.04 host (might be
relevant for you since ubuntu core also uses lxd from snap)

--
Fajar
_______________________________________________
lxc-users mailing list
lxc-users at lists.linuxcontainers.org<mailto:lxc-users at lists.linuxcontainers.org>
http://lists.linuxcontainers.org/listinfo/lxc-users<http://lists.linuxcontainers.org/listinfo/lxc-users>
_______________________________________________
lxc-users mailing list
lxc-users at lists.linuxcontainers.org<mailto:lxc-users at lists.linuxcontainers.org>
http://lists.linuxcontainers.org/listinfo/lxc-users<http://lists.linuxcontainers.org/listinfo/lxc-users>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20200615/b287e43e/attachment-0001.htm>


More information about the lxc-users mailing list