On Mon, Jul 28, 2014 at 04:25:56PM +0200, Richard Weinberger wrote:
> Hi!
>
> Kernel commit 23adbe12 ("fs,userns: Change inode_capable to capable_wrt_inode_uidgid")
> uncovered a libvirt-lxc issue.
> Starting with that commit the kernel also correctly checks the gid of an inode.
> Sadly this change breaks libvirt-lxc in a way such that openpty() will always fail
> with -EPERM within a container. Therefore ssh and other programs are no longer usable.
>
> Libvirt's virLXCControllerSetupDevPTS() has a hardcoded mount
> string for mounting devpts, namely
> "newinstance,ptmxmode=0666,mode=0620,gid=5",
> devpts correctly translates the uid and gid while mounting but libvirt
> mounts devpts _before_ setting up the uid/gid mappings.
> Therefore the internal gid for the new devpts instance is still 5 instead of the mapped gid
> and the new check in the kernel will always fail.
>
> We have two options to fix that:
> a) virLXCControllerSetupDevPTS() translates the gid (5) by hand and passes the correct
> value to devpts. (IMHO hacky)
You mean that instead of passing the value '5', if the guest
GIDs had been remapped to start at 1000, we would pass in
'1005' to mount ? I don't think that's hacky - it seems like
a perfectly sensible fix to do.
Regards,
Daniel
--
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
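The translation Daniel describes (guest gid 5 becoming host gid 1005 when the container's gids are mapped to start at 1000), as an added example that is not libvirt's code: it applies the "inside outside count" entries of a /proc/<pid>/gid_map to the devpts gid option and refuses to build the mount string when the gid is not covered by any mapping. The `id_map` struct, `translate_gid` and `build_devpts_opts` names, and the sample mapping are assumptions made for this example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* One entry of /proc/<pid>/gid_map: "<inside_first> <outside_first> <count>" */
struct id_map { gid_t inside; gid_t outside; unsigned long count; };

/* Constructed sample mapping: guest gids 0..65535 -> host gids 1000..66535 */
static const struct id_map sample_maps[] = { { 0, 1000, 65536 } };
static const size_t sample_nmaps = sizeof sample_maps / sizeof sample_maps[0];

/* Map a container gid to the kernel-internal (host) gid. Returns 0 on
 * success; -1 with errno = ERANGE if no mapping entry covers the gid. */
int translate_gid(const struct id_map *maps, size_t nmaps, gid_t gid, gid_t *out)
{
    for (size_t i = 0; i < nmaps; i++) {
        if (gid >= maps[i].inside && (unsigned long)(gid - maps[i].inside) < maps[i].count) {
            *out = maps[i].outside + (gid - maps[i].inside);
            return 0;
        }
    }
    errno = ERANGE;
    return -1;
}

/* Build the devpts mount options with the translated gid instead of the
 * literal guest value. Returns the string length, or -1 on an unmapped gid
 * or a too-small buffer (never mount with an untranslated gid). */
int build_devpts_opts(const struct id_map *maps, size_t nmaps, gid_t guest_gid,
                      char *buf, size_t buflen)
{
    gid_t host_gid;
    if (translate_gid(maps, nmaps, guest_gid, &host_gid) < 0)
        return -1;
    int n = snprintf(buf, buflen, "newinstance,ptmxmode=0666,mode=0620,gid=%u",
                     (unsigned)host_gid);
    return (n < 0 || (size_t)n >= buflen) ? -1 : n;
}

int main(void)
{
    char opts[128];
    if (build_devpts_opts(sample_maps, sample_nmaps, 5, opts, sizeof opts) < 0)
        perror("guest gid 5 is not mapped");
    else
        printf("%s\n", opts); /* prints ...,gid=1005 */
    return 0;
}
```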