[libvirt] [PATCH v2 1/2] LXC: fix the problem that libvirt lxc fail to start on latest kernel

After kernel commit 5ff9d8a65ce80efb509ce4e8051394e9ed2cd942 vfs: Lock in place mounts from more privileged users, unprivileged user has no rights to move the mounts that inherited from parent mountns. we use this feature to move the /stateDir/domain-name.{dev, devpts} to the /dev/ and /dev/pts directroy of container. this commit breaks libvirt lxc. this patch changes the behavior to bind these mounts when user namespace is enabled and move these mounts when user namespace is disabled. Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com> --- src/lxc/lxc_container.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c index 2bdf957..3d9b491 100644 --- a/src/lxc/lxc_container.c +++ b/src/lxc/lxc_container.c @@ -958,6 +958,7 @@ static int lxcContainerMountFSDev(virDomainDefPtr def, { int ret = -1; char *path = NULL; + int flags = def->idmap.nuidmap ? MS_BIND : MS_MOVE; VIR_DEBUG("Mount /dev/ stateDir=%s", stateDir); @@ -971,9 +972,10 @@ static int lxcContainerMountFSDev(virDomainDefPtr def, goto cleanup; } - VIR_DEBUG("Trying to move %s to /dev", path); + VIR_DEBUG("Trying to %s %s to /dev", def->idmap.nuidmap ? + "bind" : "move", path); - if (mount(path, "/dev", NULL, MS_MOVE, NULL) < 0) { + if (mount(path, "/dev", NULL, flags, NULL) < 0) { virReportSystemError(errno, _("Failed to mount %s on /dev"), path); @@ -992,6 +994,7 @@ static int lxcContainerMountFSDevPTS(virDomainDefPtr def, { int ret; char *path = NULL; + int flags = def->idmap.nuidmap ? MS_BIND : MS_MOVE; VIR_DEBUG("Mount /dev/pts stateDir=%s", stateDir); 
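Review bot: in the @@ -958 hunk, `int flags = def->idmap.nuidmap ? MS_BIND : MS_MOVE;` needs a comment recording why MS_MOVE cannot be used here; the commit message explains that since kernel commit 5ff9d8a65ce80efb509ce4e8051394e9ed2cd942 an unprivileged user namespace cannot move mounts inherited from the parent mount namespace, but in the code the ternary reads as an arbitrary choice that a later cleanup could collapse back to MS_MOVE. The comment should also state that MS_BIND, unlike MS_MOVE, leaves the original mount at `path` under stateDir in place, so the container keeps a second, reachable copy of its /dev at that path until something unmounts it.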
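Review bot: in the @@ -971 hunk, the VIR_DEBUG argument `def->idmap.nuidmap ? "bind" : "move"` re-derives the decision that `flags` already encodes, so the log line and the mount() call can drift apart if one is edited and not the other; deriving the word from the flag, e.g. `flags == MS_BIND ? "bind" : "move"`, or hoisting a `const char *op` next to `flags` keeps them in step. The same duplication appears in lxcContainerMountFSDevPTS.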
@@ -1007,10 +1010,10 @@ static int lxcContainerMountFSDevPTS(virDomainDefPtr def, goto cleanup; } - VIR_DEBUG("Trying to move %s to /dev/pts", path); + VIR_DEBUG("Trying to %s %s to /dev/pts", def->idmap.nuidmap ? + "bind" : "move", path); - if ((ret = mount(path, "/dev/pts", - NULL, MS_MOVE, NULL)) < 0) { + if ((ret = mount(path, "/dev/pts", NULL, flags, NULL)) < 0) { virReportSystemError(errno, _("Failed to mount %s on /dev/pts"), path); -- 1.8.3.1
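Review bot: in the @@ -1007 hunk, folding the call into `if ((ret = mount(path, "/dev/pts", NULL, flags, NULL)) < 0)` is fine, but the error reported on failure is still the generic "Failed to mount %s on /dev/pts", which no longer tells the operator whether a bind or a move was attempted; the debug line already computes that word, so including it in the virReportSystemError message (or logging `flags`) would make a failure caused by the locked-mount check diagnosable from the error alone.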

Also after commit 5ff9d8a65ce80efb509ce4e8051394e9ed2cd942 vfs: Lock in place mounts from more privileged users, unprivileged user has no rights to umount the mounts that inherited from parent mountns. right now, I have no good idea to fix this problem, we need to do more research. this patch just skip unmounting these mounts for shared root. BTW, I think when libvirt lxc enables user namespace, the configuation that shares root with host is very rara. Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com> --- src/lxc/lxc_container.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c index 3d9b491..fbce8e8 100644 --- a/src/lxc/lxc_container.c +++ b/src/lxc/lxc_container.c @@ -1664,7 +1664,9 @@ static int lxcContainerSetupPivotRoot(virDomainDefPtr vmDef, if (lxcContainerPivotRoot(root) < 0) goto cleanup; - if (STREQ(root->src, "/") && + /* FIXME: we should find a way to unmount these mounts for container + * even user namespace is enabled. */ + if (STREQ(root->src, "/") && (!vmDef->idmap.nuidmap) && lxcContainerUnmountForSharedRoot(stateDir, vmDef->name) < 0) goto cleanup; -- 1.8.3.1
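Review bot: in the @@ -1664 hunk, the added `(!vmDef->idmap.nuidmap)` condition makes the shared-root unmount silently skipped whenever a uid map is present; a VIR_DEBUG at that point, saying lxcContainerUnmountForSharedRoot was skipped because the mounts inherited from the parent mount namespace are locked, would explain the extra entries that then appear in the container's /proc/mounts. Since root->src is "/" here, the mounts left behind are the host's own, so the FIXME (or the commit message) should say that they stay visible inside the container, not only that they are not unmounted, and should name kernel commit 5ff9d8a65ce80efb509ce4e8051394e9ed2cd942 so the condition can be revisited. The parentheses around `!vmDef->idmap.nuidmap` are redundant.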

On 11/20/2013 10:11 AM, Gao feng wrote:
Also after commit 5ff9d8a65ce80efb509ce4e8051394e9ed2cd942 vfs: Lock in place mounts from more privileged users,
an unprivileged user has no rights to umount the mounts that are inherited from the parent mountns.
Right now, I have no good idea how to fix this problem; we need to do more research. This patch just skips unmounting these mounts for shared root.
BTW, I think when libvirt lxc enables user namespace, the configuration that shares root with host is very rara.
s/rara/rare
Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com> --- src/lxc/lxc_container.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c index 3d9b491..fbce8e8 100644 --- a/src/lxc/lxc_container.c +++ b/src/lxc/lxc_container.c @@ -1664,7 +1664,9 @@ static int lxcContainerSetupPivotRoot(virDomainDefPtr vmDef, if (lxcContainerPivotRoot(root) < 0) goto cleanup;
- if (STREQ(root->src, "/") && + /* FIXME: we should find a way to unmount these mounts for container + * even user namespace is enabled. */ + if (STREQ(root->src, "/") && (!vmDef->idmap.nuidmap) && lxcContainerUnmountForSharedRoot(stateDir, vmDef->name) < 0) goto cleanup;

On Wed, Nov 20, 2013 at 10:11:09AM +0800, Gao feng wrote:
Also after commit 5ff9d8a65ce80efb509ce4e8051394e9ed2cd942 vfs: Lock in place mounts from more privileged users,
an unprivileged user has no rights to umount the mounts that are inherited from the parent mountns.
Right now, I have no good idea how to fix this problem; we need to do more research. This patch just skips unmounting these mounts for shared root.
BTW, I think when libvirt lxc enables user namespace, the configuration that shares root with host is very rare.
Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com> --- src/lxc/lxc_container.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c index 3d9b491..fbce8e8 100644 --- a/src/lxc/lxc_container.c +++ b/src/lxc/lxc_container.c @@ -1664,7 +1664,9 @@ static int lxcContainerSetupPivotRoot(virDomainDefPtr vmDef, if (lxcContainerPivotRoot(root) < 0) goto cleanup;
- if (STREQ(root->src, "/") && + /* FIXME: we should find a way to unmount these mounts for container + * even user namespace is enabled. */ + if (STREQ(root->src, "/") && (!vmDef->idmap.nuidmap) && lxcContainerUnmountForSharedRoot(stateDir, vmDef->name) < 0) goto cleanup;
ACK, this sucks but we have no choice for now. Fortunately not unmounting these things isn't really harmful - just clutter in /proc/mounts.

Daniel
-- 
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

On Wed, Nov 20, 2013 at 10:11:08AM +0800, Gao feng wrote:
After kernel commit 5ff9d8a65ce80efb509ce4e8051394e9ed2cd942 vfs: Lock in place mounts from more privileged users,
an unprivileged user has no rights to move the mounts that are inherited from the parent mountns. We use this feature to move the /stateDir/domain-name.{dev, devpts} to the /dev/ and /dev/pts directory of the container. This commit breaks libvirt lxc.
This patch changes the behavior to bind these mounts when user namespace is enabled and move these mounts when user namespace is disabled.
Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com> --- src/lxc/lxc_container.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-)
ACK, and pushed.

Daniel
-- 
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|