[libvirt] [PATCH] LXC: Fix virLXCControllerSetupDevPTS() wrt user namespaces

The gid value passed to devpts has to be translated by hand as virLXCControllerSetupDevPTS() is called before setting up the user and group mappings. Otherwise devpts will use an unmapped gid and openpty() will fail within containers. Linux commit commit 23adbe12 ("fs,userns: Change inode_capable to capable_wrt_inode_uidgid") uncovered that issue. Signed-off-by: Richard Weinberger <richard@nod.at> --- src/lxc/lxc_controller.c | 25 +++++++++++++++++++++++-- 1 file changed, 23 insertions(+), 2 deletions(-) diff --git a/src/lxc/lxc_controller.c b/src/lxc/lxc_controller.c index 2d220eb..82ecf12 100644 --- a/src/lxc/lxc_controller.c +++ b/src/lxc/lxc_controller.c @@ -1164,6 +1164,19 @@ static int virLXCControllerMain(virLXCControllerPtr ctrl) return rc; } +static uint32_t +virLXCControllerLookupUsernsMap(virDomainIdMapEntryPtr map, int num, + uint32_t src) +{ + int i; + + for (i = 0; i < num; i++) { + if (src > map[i].start && src < map[i].start + map[i].count) + return map[i].target + (src - map[i].start); + } + + return src; +} static int virLXCControllerSetupUsernsMap(virDomainIdMapEntryPtr map, @@ -1930,6 +1943,7 @@ virLXCControllerSetupDevPTS(virLXCControllerPtr ctrl) char *opts = NULL; char *devpts = NULL; int ret = -1; + gid_t ptsgid = 5; VIR_DEBUG("Setting up private /dev/pts"); @@ -1949,10 +1963,17 @@ virLXCControllerSetupDevPTS(virLXCControllerPtr ctrl) goto cleanup; } + if (ctrl->def->idmap.ngidmap) + ptsgid = + virLXCControllerLookupUsernsMap(ctrl->def->idmap.gidmap, + ctrl->def->idmap.ngidmap, + ptsgid); + /* XXX should we support gid=X for X!=5 for distros which use * a different gid for tty? */ - if (virAsprintf(&opts, "newinstance,ptmxmode=0666,mode=0620,gid=5%s", - (mount_options ? mount_options : "")) < 0) + if (virAsprintf + (&opts, "newinstance,ptmxmode=0666,mode=0620,gid=%u%s", ptsgid, + (mount_options ? mount_options : "")) < 0) goto cleanup; VIR_DEBUG("Mount devpts on %s type=tmpfs flags=%x, opts=%s", -- 2.0.1
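Review bot: the lower-bound test in virLXCControllerLookupUsernsMap is off by one. `if (src > map[i].start && src < map[i].start + map[i].count)` rejects src == map[i].start, so the first id of every mapping entry is never translated and the function falls through to `return src;` with the untranslated value. With the usual single entry starting at 0, gid 5 still matches, but a gidmap whose entry starts at 5 (or any lookup of id 0) silently yields an untranslated id. Use `src >= map[i].start` (the upper bound is already correct), and consider signalling a miss instead of returning src, since an unmapped gid reaching devpts is exactly the failure the commit message describes. `int num` and `int i` should also be size_t, as the review later in this thread notes for `make syntax-check`.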
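Review bot: in the mount-option hunk the translation result is never validated. When ctrl->def->idmap.ngidmap is non-zero but no entry covers gid 5, virLXCControllerLookupUsernsMap returns 5 unchanged and the mount proceeds with `gid=5`, which is an unmapped gid inside the container and reproduces the openpty() failure the commit message describes. Report an error here (or have the lookup return a miss) rather than mounting devpts with a gid the container cannot see. The `%u` conversion is correct for gid_t on Linux, where it is an unsigned int; a cast `(unsigned int) ptsgid` would keep the format string correct on platforms with a different gid_t.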

-----Original Message-----
From: libvir-list-bounces@redhat.com [mailto:libvir-list-bounces@redhat.com] On Behalf Of Richard Weinberger
Sent: Tuesday, July 29, 2014 4:59 AM
To: libvir-list@redhat.com
Cc: Richard Weinberger; david@sigma-star.at
Subject: [libvirt] [PATCH] LXC: Fix virLXCControllerSetupDevPTS() wrt user namespaces
The gid value passed to devpts has to be translated by hand as virLXCControllerSetupDevPTS() is called before setting up the user and group mappings. Otherwise devpts will use an unmapped gid and openpty() will fail within containers. Linux commit commit 23adbe12 ("fs,userns: Change inode_capable to capable_wrt_inode_uidgid") uncovered that issue.
Signed-off-by: Richard Weinberger <richard@nod.at>
Reviewed-by: Chen Hanxiao <chenhanxiao@cn.fujitsu.com>

On 29.07.2014 05:45, chenhanxiao@cn.fujitsu.com wrote:
-----Original Message-----
From: libvir-list-bounces@redhat.com [mailto:libvir-list-bounces@redhat.com] On Behalf Of Richard Weinberger
Sent: Tuesday, July 29, 2014 4:59 AM
To: libvir-list@redhat.com
Cc: Richard Weinberger; david@sigma-star.at
Subject: [libvirt] [PATCH] LXC: Fix virLXCControllerSetupDevPTS() wrt user namespaces
The gid value passed to devpts has to be translated by hand as virLXCControllerSetupDevPTS() is called before setting up the user and group mappings. Otherwise devpts will use an unmapped gid and openpty() will fail within containers. Linux commit commit 23adbe12 ("fs,userns: Change inode_capable to capable_wrt_inode_uidgid") uncovered that issue.
Signed-off-by: Richard Weinberger <richard@nod.at>
Reviewed-by: Chen Hanxiao <chenhanxiao@cn.fujitsu.com>
ping

Thanks,
//richard

On 07/28/2014 10:59 PM, Richard Weinberger wrote:
The gid value passed to devpts has to be translated by hand as virLXCControllerSetupDevPTS() is called before setting up the user and group mappings. Otherwise devpts will use an unmapped gid and openpty() will fail within containers. Linux commit commit 23adbe12
s/commit commit/kernel commit/
("fs,userns: Change inode_capable to capable_wrt_inode_uidgid") uncovered that issue.
Signed-off-by: Richard Weinberger <richard@nod.at> --- src/lxc/lxc_controller.c | 25 +++++++++++++++++++++++-- 1 file changed, 23 insertions(+), 2 deletions(-)
diff --git a/src/lxc/lxc_controller.c b/src/lxc/lxc_controller.c index 2d220eb..82ecf12 100644 --- a/src/lxc/lxc_controller.c +++ b/src/lxc/lxc_controller.c @@ -1164,6 +1164,19 @@ static int virLXCControllerMain(virLXCControllerPtr ctrl) return rc; }
+static uint32_t
I've changed this to 'unsigned int' to match the type used by virDomainIdMapEntry.
+virLXCControllerLookupUsernsMap(virDomainIdMapEntryPtr map, int num, + uint32_t src) +{ + int i;
This should be size_t to pass 'make syntax-check'.
+ + for (i = 0; i < num; i++) { + if (src > map[i].start && src < map[i].start + map[i].count) + return map[i].target + (src - map[i].start); + } + + return src; +}
static int virLXCControllerSetupUsernsMap(virDomainIdMapEntryPtr map,
ACK; pushed now.

Jan

On 14.08.2014 14:35, Ján Tomko wrote:
On 07/28/2014 10:59 PM, Richard Weinberger wrote:
The gid value passed to devpts has to be translated by hand as virLXCControllerSetupDevPTS() is called before setting up the user and group mappings. Otherwise devpts will use an unmapped gid and openpty() will fail within containers. Linux commit commit 23adbe12
s/commit commit/kernel commit/
("fs,userns: Change inode_capable to capable_wrt_inode_uidgid") uncovered that issue.
Signed-off-by: Richard Weinberger <richard@nod.at> --- src/lxc/lxc_controller.c | 25 +++++++++++++++++++++++-- 1 file changed, 23 insertions(+), 2 deletions(-)
diff --git a/src/lxc/lxc_controller.c b/src/lxc/lxc_controller.c index 2d220eb..82ecf12 100644 --- a/src/lxc/lxc_controller.c +++ b/src/lxc/lxc_controller.c @@ -1164,6 +1164,19 @@ static int virLXCControllerMain(virLXCControllerPtr ctrl) return rc; }
+static uint32_t
I've changed this to 'unsigned int' to match the type used by virDomainIdMapEntry.
Why is uint32_t wrong? :)
+virLXCControllerLookupUsernsMap(virDomainIdMapEntryPtr map, int num, + uint32_t src) +{ + int i;
This should be size_t to pass 'make syntax-check'.
/me pushes 'make syntax-check' to TODO list.

Thanks,
//richard

On 08/14/2014 02:45 PM, Richard Weinberger wrote:
On 14.08.2014 14:35, Ján Tomko wrote:
On 07/28/2014 10:59 PM, Richard Weinberger wrote:
The gid value passed to devpts has to be translated by hand as virLXCControllerSetupDevPTS() is called before setting up the user and group mappings. Otherwise devpts will use an unmapped gid and openpty() will fail within containers. Linux commit commit 23adbe12
s/commit commit/kernel commit/
("fs,userns: Change inode_capable to capable_wrt_inode_uidgid") uncovered that issue.
Signed-off-by: Richard Weinberger <richard@nod.at> --- src/lxc/lxc_controller.c | 25 +++++++++++++++++++++++-- 1 file changed, 23 insertions(+), 2 deletions(-)
diff --git a/src/lxc/lxc_controller.c b/src/lxc/lxc_controller.c index 2d220eb..82ecf12 100644 --- a/src/lxc/lxc_controller.c +++ b/src/lxc/lxc_controller.c @@ -1164,6 +1164,19 @@ static int virLXCControllerMain(virLXCControllerPtr ctrl) return rc; }
+static uint32_t
I've changed this to 'unsigned int' to match the type used by virDomainIdMapEntry.
Why is uint32_t wrong? :)
Not really wrong, uint32_t should have the same range as unsigned int on Linux. I just wanted them to be consistent.

Jan
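As an added example (not libvirt code and not part of this thread), here is the id-map translation the commit message describes, written stand-alone in C. The struct and function names are assumptions, not libvirt's, and the three gid maps are constructed. The patch's own range predicate is kept beside a corrected one so the lower-bound difference shows up on a map in which gid 5 opens its own entry, and the devpts option builder refuses to proceed when the map does not cover the tty gid instead of falling back to the host value.

```c
/*
 * Added example, not libvirt code: translate a container-side id through
 * a user-namespace id map before handing it to a mount performed from
 * outside the container (the devpts gid in the patch above).  Entry
 * layout follows the kernel's /proc/PID/gid_map semantics: container ids
 * [start, start+count) map to host ids [target, target+count).
 * All names below are assumptions, not libvirt's.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct id_map_entry {
    unsigned int start;   /* first id inside the container */
    unsigned int target;  /* first id on the host */
    unsigned int count;   /* number of ids in the range */
};

/* Correct lookup: inclusive lower bound, overflow-safe upper bound, and
 * an explicit miss instead of silently returning the untranslated id. */
static bool
lookup_userns_map(const struct id_map_entry *map, size_t num,
                  unsigned int src, unsigned int *host)
{
    for (size_t i = 0; i < num; i++) {
        if (src >= map[i].start && src - map[i].start < map[i].count) {
            *host = map[i].target + (src - map[i].start);
            return true;
        }
    }
    return false;
}

/* The predicate as posted in the patch, kept only for comparison:
 * 'src > start' skips the first id of every entry. */
static bool
lookup_patch_style(const struct id_map_entry *map, size_t num,
                   unsigned int src, unsigned int *host)
{
    for (size_t i = 0; i < num; i++) {
        if (src > map[i].start && src < map[i].start + map[i].count) {
            *host = map[i].target + (src - map[i].start);
            return true;
        }
    }
    return false;
}

/* Build the devpts option string for the tty gid.  With a non-empty gid
 * map, refuse (-1) if the gid is not covered: mounting with an unmapped
 * gid is exactly the failure the patch fixes. */
static int
devpts_opts(const struct id_map_entry *map, size_t num,
            unsigned int ptsgid, char *buf, size_t len)
{
    unsigned int host_gid = ptsgid;

    if (num > 0 && !lookup_userns_map(map, num, ptsgid, &host_gid))
        return -1;
    int n = snprintf(buf, len, "newinstance,ptmxmode=0666,mode=0620,gid=%u",
                     host_gid);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Constructed sample maps (not taken from any real domain XML). */
static const struct id_map_entry MAP_SIMPLE[] = {
    { 0, 100000, 65536 },              /* whole range shifted by 100000 */
};
static const struct id_map_entry MAP_SPLIT[] = {
    { 0, 100000, 5 },                  /* gids 0-4 */
    { 5, 200000, 10 },                 /* gid 5 starts a second entry */
};
static const struct id_map_entry MAP_NO_TTY[] = {
    { 1000, 101000, 1 },               /* gid 5 is not mapped at all */
};

int main(void)
{
    const struct { const char *name; const struct id_map_entry *m; size_t n; }
    cases[] = {
        { "simple", MAP_SIMPLE, 1 }, { "split", MAP_SPLIT, 2 },
        { "no-tty", MAP_NO_TTY, 1 },
    };
    char opts[64];

    for (size_t c = 0; c < 3; c++) {
        unsigned int fixed = 0, patch = 0;
        bool f = lookup_userns_map(cases[c].m, cases[c].n, 5, &fixed);
        bool p = lookup_patch_style(cases[c].m, cases[c].n, 5, &patch);
        printf("%-7s gid 5 -> fixed:%s %u  patch:%s %u  opts:%s\n",
               cases[c].name, f ? "hit " : "miss", fixed,
               p ? "hit " : "miss", patch,
               devpts_opts(cases[c].m, cases[c].n, 5, opts, sizeof opts) == 0
                   ? opts : "(refused)");
    }
    return 0;
}
```

On the split map the posted predicate misses gid 5 entirely (5 > 5 is false), while the corrected one returns 200000; on the map without a tty gid the option builder refuses rather than emitting `gid=5` for a gid the container cannot see.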
Participants (3): chenhanxiao@cn.fujitsu.com, Ján Tomko, Richard Weinberger