
On 01.07.2013 04:26, Gao feng wrote:
>> Well, given that we're at rc2 now & I'm still unclear about how some aspects of the userns setup are working, I'm afraid we'll have to wait until 1.1.1 for the userns LXC code to merge. I'll aim to do it next week, so that we have plenty of time for further testing before the 1.1.1 release.
> Ok, I think Richard has tested the userns support. Hi Richard, can you give me your ack or tested-by?
I'm still facing one userns related issue. Create a container like this one:

---cut---
<domain type='lxc'>
  <name>testi</name>
  <memory>102400</memory>
  <os>
    <type>exe</type>
    <init>/bin/bash</init>
  </os>
  <idmap>
    <uid start='0' target='100000' count='100000'/>
    <gid start='0' target='100000' count='100000'/>
  </idmap>
  <devices>
    <console type='pty'/>
    <filesystem type='mount'>
      <source dir='/some/where/rootfs'/>
      <target dir='/'/>
    </filesystem>
    <interface type='network'>
      <source network='default'/>
      <mac address="52:54:00:be:49:be"/>
    </interface>
  </devices>
</domain>
---cut---

After creating it, attach to its console; you'll find bash as pid 1. And you'll find that /proc/1/ is not fully uid/gid-mapped:

---cut---
# ls -la /proc/1/
total 0
dr-xr-xr-x  8 root   root    0 Jul  1 06:06 .
dr-xr-xr-x 74 nobody nogroup 0 Jul  1 06:06 ..
dr-xr-xr-x  2 root   root    0 Jul  1 06:06 attr
-r--------  1 nobody nogroup 0 Jul  1 06:06 auxv
-r--r--r--  1 nobody nogroup 0 Jul  1 06:06 cgroup
--w-------  1 nobody nogroup 0 Jul  1 06:06 clear_refs
-r--r--r--  1 nobody nogroup 0 Jul  1 06:06 cmdline
-rw-r--r--  1 nobody nogroup 0 Jul  1 06:06 comm
-rw-r--r--  1 nobody nogroup 0 Jul  1 06:06 coredump_filter
-r--r--r--  1 nobody nogroup 0 Jul  1 06:06 cpuset
lrwxrwxrwx  1 nobody nogroup 0 Jul  1 06:06 cwd -> /
-r--------  1 nobody nogroup 0 Jul  1 06:06 environ
lrwxrwxrwx  1 nobody nogroup 0 Jul  1 06:06 exe -> /bin/bash
dr-x------  2 nobody nogroup 0 Jul  1 06:06 fd
dr-x------  2 nobody nogroup 0 Jul  1 06:06 fdinfo
-rw-r--r--  1 nobody nogroup 0 Jul  1 06:06 gid_map
-r--------  1 nobody nogroup 0 Jul  1 06:06 io
-r--r--r--  1 nobody nogroup 0 Jul  1 06:06 limits
-rw-r--r--  1 nobody nogroup 0 Jul  1 06:06 loginuid
-r--r--r--  1 nobody nogroup 0 Jul  1 06:06 maps
-rw-------  1 nobody nogroup 0 Jul  1 06:06 mem
-r--r--r--  1 nobody nogroup 0 Jul  1 06:06 mountinfo
-r--r--r--  1 nobody nogroup 0 Jul  1 06:06 mounts
-r--------  1 nobody nogroup 0 Jul  1 06:06 mountstats
dr-xr-xr-x 10 root   root    0 Jul  1 06:06 net
dr-x--x--x  2 nobody nogroup 0 Jul  1 06:06 ns
-r--r--r--  1 nobody nogroup 0 Jul  1 06:06 numa_maps
-rw-r--r--  1 nobody nogroup 0 Jul  1 06:06 oom_adj
-r--r--r--  1 nobody nogroup 0 Jul  1 06:06 oom_score
-rw-r--r--  1 nobody nogroup 0 Jul  1 06:06 oom_score_adj
-r--r--r--  1 nobody nogroup 0 Jul  1 06:06 pagemap
-r--r--r--  1 nobody nogroup 0 Jul  1 06:06 personality
-rw-r--r--  1 nobody nogroup 0 Jul  1 06:06 projid_map
lrwxrwxrwx  1 nobody nogroup 0 Jul  1 06:06 root -> /
-r--r--r--  1 nobody nogroup 0 Jul  1 06:06 schedstat
-r--r--r--  1 nobody nogroup 0 Jul  1 06:06 sessionid
-r--r--r--  1 nobody nogroup 0 Jul  1 06:06 smaps
-r--r--r--  1 nobody nogroup 0 Jul  1 06:06 stack
-r--r--r--  1 nobody nogroup 0 Jul  1 06:06 stat
-r--r--r--  1 nobody nogroup 0 Jul  1 06:06 statm
-r--r--r--  1 nobody nogroup 0 Jul  1 06:06 status
-r--r--r--  1 nobody nogroup 0 Jul  1 06:06 syscall
dr-xr-xr-x  3 root   root    0 Jul  1 06:06 task
-rw-r--r--  1 nobody nogroup 0 Jul  1 06:06 uid_map
-r--r--r--  1 nobody nogroup 0 Jul  1 06:06 wchan
---cut---

Systemd suffers from this issue because it needs to read from /proc/1/environ. After one exec, /proc seems to be fixed:

---cut---
# cat /proc/1/environ
cat: /proc/1/environ: Permission denied
# exec /bin/bash
# cat /proc/1/environ
TERM=linuxPATH=/bin:/sbinPWD=/container_uuid=fabc42f8-cdee-461c-9a21-93902ab52b40SHLVL=0LIBVIRT_LXC_UUID=fabc42f8-cdee-461c-9a21-93902ab52b40LIBVIRT_LXC_NAME=testicontainer=lxc-libvirt
---cut---

If I turn lxcContainerDropCapabilities() into a NOP, the permissions in /proc are no longer clobbered.

Another (maybe related) issue: no capabilities seem to get dropped. (Of course tested where lxcContainerDropCapabilities() is not a NOP :) )

---cut---
# /usr/bin/pscap -a
ppid  pid   name        command           capabilities
0     1     root        bash              full
---cut---

Any ideas what's going on here?

Thanks,
//richard
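A small check for the symptom Richard describes, added here as an example and not code from the thread or from libvirt: it flags entries under /proc/<pid> that the kernel reports as owned by the overflow ids (what ls prints as nobody/nogroup inside a userns), both from a pasted listing and live against the running system. The overflow id default of 65534 and the abridged sample listing are assumptions/constructed data.

```python
import os

# The kernel reports the overflow id for owners that are not mapped into the
# caller's user namespace; ls shows it as "nobody"/"nogroup". Assumed default,
# overridden from /proc/sys/kernel/overflow{uid,gid} when readable.
OVERFLOW_ID = 65534

# Constructed sample, abridged from the 'ls -la /proc/1/' listing in the mail.
SAMPLE_LISTING = """total 0
dr-xr-xr-x 74 nobody nogroup 0 Jul 1 06:06 ..
-r-------- 1 nobody nogroup 0 Jul 1 06:06 environ
dr-xr-xr-x 10 root root 0 Jul 1 06:06 net
lrwxrwxrwx 1 nobody nogroup 0 Jul 1 06:06 cwd -> /
"""

def sysctl_int(path, default):
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return default

def unmapped_from_listing(listing):
    """Names in an 'ls -la /proc/<pid>' listing owned by the overflow user/group."""
    hits = []
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 9:  # skip 'total 0' and blank lines
            continue
        user, group, name = fields[2], fields[3], fields[8]
        if user == "nobody" or group == "nogroup":
            hits.append(name)
    return hits

def unmapped_in_proc(pid):
    """Live check: names under /proc/<pid> owned by the overflow uid/gid, sorted."""
    ouid = sysctl_int("/proc/sys/kernel/overflowuid", OVERFLOW_ID)
    ogid = sysctl_int("/proc/sys/kernel/overflowgid", OVERFLOW_ID)
    base = "/proc/%d" % pid
    try:
        names = os.listdir(base)
    except OSError:
        return []  # no such pid, or /proc not mounted
    hits = []
    for name in names:
        try:
            st = os.lstat(os.path.join(base, name))  # lstat: symlinks like cwd, exe
        except OSError:
            continue  # entry vanished or cannot be stat'ed from here
        if st.st_uid == ouid or st.st_gid == ogid:
            hits.append(name)
    return sorted(hits)
```

Run `unmapped_in_proc(1)` from inside the container: a non-empty result reproduces the report above, and an empty one after `exec /bin/bash` matches the second observation.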