[lxc-users] Running unprotected system container

Fajar A. Nugraha list at fajar.net
Sat Jun 20 23:41:03 UTC 2020


On Sat, Jun 20, 2020 at 3:07 PM Fajar A. Nugraha <list at fajar.net> wrote:
>
> On Tue, Jun 16, 2020 at 6:26 PM Koehler, Yannick
> <yannick.koehler at hpe.com> wrote:
> >
> > Hi Fajar,
> >
> > If I use a Ubuntu image it works fine and I can run bash within the container. So I know the issue is somehow related to my imported image but I fail to understand why at this time.
> >
> > All the files in the imported tarball were uid/gid 0, I can run the /sbin/init and that script can run other binaries inside the container with no issue.  But when I try to do “exec c1 /bin/ash” in that prompt I am getting permission denied on everything, using absolute paths also didn’t work.
> >
> > I am wondering if it has to do with container being armhf while host is arm64, and somehow “exec” vs “launch/start” would fail to set things accordingly?  Or if I need to do some other tricks in my tarball?
>
> You should've mentioned the arm64/armhf thing earlier.
>
> >
> > Is there a way to force install / launch an armhf ubuntu image as to validate/eliminate the armhf/arm64 variable?
>
> Try something like
>
> lxc launch --vm images:ubuntu/focal/armhf test1
>
> I haven't tested it. Might work.

I just tried it on ubuntu 20.04 arm64 on qemu. Works fine. With the
additional settings I sent earlier, ubuntu 20.04 armhf container (with
/lib/modules mounted from host) can load kernel modules.

You should probably try baby steps instead of jumping to your final
goal. If this is a copy of an existing system, try adjusting it so it
runs fine as a normal privileged container. Looks like you're still
having problems with that, even WITHOUT unrestricted host access and
the module load issue. Fix this first. For example, if the original
system is like centos, you'd need to disable selinux.

I noticed you said "All the files in the imported tarball were uid/gid
0", but you didn't say whether the container is privileged (i.e.
security.privileged=1). Perhaps it's something that simple.

-- 
Fajar
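The "baby steps" Fajar suggests (is the container actually privileged, does the imported rootfs match the host's architecture, is the tarball really all uid/gid 0) can be checked mechanically before touching module loading. The script below is an added example written for this page; it is not from the thread or from the LXD project. It assumes the LXD `lxc` client is on PATH, that the container is called c1, and that the caller supplies the path where the container's rootfs (or the unpacked tarball) is visible on the host; the ELF e_machine values it decodes (0x28 ARM, 0xB7 AArch64, 0x3E x86-64, 0x03 i386) are from the ELF specification, and the tar listing format it parses is GNU/BSD `tar -tv --numeric-owner` output.

```shell
#!/bin/sh
# lxc-precheck.sh: sanity checks for an imported system container (added example).
# Usage: ./lxc-precheck.sh <container> <rootfs-path> [image.tar]

# Normalise the value printed by `lxc config get <name> security.privileged`.
# LXD treats "true"/"1"/"yes"/"on" as set; an empty value means unprivileged.
is_privileged() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        true|1|yes|on) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the architecture an ELF binary was built for, by checking the
# magic bytes and then reading e_machine (2 bytes at offset 18, little-endian
# on all the targets below).
elf_arch() {
    elf_magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    if [ "$elf_magic" != "7f454c46" ]; then
        echo "not-elf"
        return 1
    fi
    elf_machine=$(od -An -tx1 -j18 -N2 "$1" | tr -d ' \n')
    case "$elf_machine" in
        2800) echo armhf ;;
        b700) echo arm64 ;;
        3e00) echo amd64 ;;
        0300) echo i386 ;;
        *) echo "unknown($elf_machine)" ;;
    esac
}

# Map `uname -m` onto the same names elf_arch() uses.
host_arch() {
    case "$(uname -m)" in
        aarch64) echo arm64 ;;
        armv7l|armv6l) echo armhf ;;
        x86_64) echo amd64 ;;
        i686|i386) echo i386 ;;
        *) uname -m ;;
    esac
}

# Read `tar --numeric-owner -tvf image.tar` output on stdin and print every
# entry whose owner field is not 0/0 (format: perms owner/group size date time name).
nonroot_entries() {
    awk '$2 != "0/0" { print $2, $NF }'
}

main() {
    c=$1
    rootfs=$2
    tarball=$3

    # 1. Privileged or not? A rootfs whose files are all uid/gid 0 will give
    #    "permission denied" everywhere in an unprivileged (uid-shifted) container.
    priv=$(lxc config get "$c" security.privileged)
    if is_privileged "$priv"; then
        echo "$c: privileged (security.privileged=$priv)"
    else
        echo "$c: NOT privileged (security.privileged='$priv'); for a uid/gid 0 rootfs try:"
        echo "    lxc config set $c security.privileged true"
    fi

    # 2. Does the container's init match the host architecture?
    #    A 32-bit armhf rootfs on an arm64 host is a mismatch worth knowing about.
    h=$(host_arch)
    a=$(elf_arch "$rootfs/sbin/init" || true)
    if [ "$h" = "$a" ]; then
        echo "$c: /sbin/init is $a, host is $h (match)"
    else
        echo "$c: /sbin/init is $a, host is $h (MISMATCH or unreadable)"
    fi

    # 3. Optional: confirm the tarball really is all uid/gid 0.
    if [ -n "$tarball" ]; then
        echo "entries in $tarball not owned by 0/0:"
        tar --numeric-owner -tvf "$tarball" | nonroot_entries
    fi
}

# Run only when invoked with arguments, so the functions can be sourced on their own.
[ $# -eq 0 ] || main "$@"
```

Run it as `./lxc-precheck.sh c1 /path/to/c1/rootfs image.tar`; the rootfs path must be one the host can read (for a snap-installed LXD that is under the storage pool's containers/<name>/rootfs directory, or simply the directory you unpacked the tarball into). Check (1) is the point Fajar raises at the end of the message; check (2) is the arm64/armhf question, answered from the binary itself rather than from memory.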

