8:11 p.m.
After kernel commit 5ff9d8a65ce80efb509ce4e8051394e9ed2cd942
vfs: Lock in place mounts from more privileged users,
unprivileged user has no rights to move the mounts that
inherited from parent mountns. we use this feature to move
the /stateDir/domain-name.{dev, devpts} to the /dev/ and
/dev/pts directroy of container. this commit breaks libvirt lxc.
this patch changes the behavior to bind these mounts when
user namespace is enabled and move these mounts when user
namespace is disabled.
Signed-off-by: Gao feng <gaofeng(a)cn.fujitsu.com>
---
src/lxc/lxc_container.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index 2bdf957..3d9b491 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -958,6 +958,7 @@ static int lxcContainerMountFSDev(virDomainDefPtr def,
{
int ret = -1;
char *path = NULL;
+ int flags = def->idmap.nuidmap ? MS_BIND : MS_MOVE;
VIR_DEBUG("Mount /dev/ stateDir=%s", stateDir);
@@ -971,9 +972,10 @@ static int lxcContainerMountFSDev(virDomainDefPtr def,
goto cleanup;
}
- VIR_DEBUG("Trying to move %s to /dev", path);
+ VIR_DEBUG("Trying to %s %s to /dev", def->idmap.nuidmap ?
+ "bind" : "move", path);
- if (mount(path, "/dev", NULL, MS_MOVE, NULL) < 0) {
+ if (mount(path, "/dev", NULL, flags, NULL) < 0) {
virReportSystemError(errno,
_("Failed to mount %s on /dev"),
path);
@@ -992,6 +994,7 @@ static int lxcContainerMountFSDevPTS(virDomainDefPtr def,
{
int ret;
char *path = NULL;
+ int flags = def->idmap.nuidmap ? MS_BIND : MS_MOVE;
VIR_DEBUG("Mount /dev/pts stateDir=%s", stateDir);
@@ -1007,10 +1010,10 @@ static int lxcContainerMountFSDevPTS(virDomainDefPtr def,
goto cleanup;
}
- VIR_DEBUG("Trying to move %s to /dev/pts", path);
+ VIR_DEBUG("Trying to %s %s to /dev/pts", def->idmap.nuidmap ?
+ "bind" : "move", path);
- if ((ret = mount(path, "/dev/pts",
- NULL, MS_MOVE, NULL)) < 0) {
+ if ((ret = mount(path, "/dev/pts", NULL, flags, NULL)) < 0) {
virReportSystemError(errno,
_("Failed to mount %s on /dev/pts"),
path);
--
1.8.3.1
8:11 p.m.
New subject: [libvirt] [PATCH v2 2/2] LXC: don't unmount mounts for shared root
Also after commit 5ff9d8a65ce80efb509ce4e8051394e9ed2cd942
vfs: Lock in place mounts from more privileged users,
unprivileged user has no rights to umount the mounts that
inherited from parent mountns.
right now, I have no good idea to fix this problem, we need
to do more research. this patch just skip unmounting these
mounts for shared root.
BTW, I think when libvirt lxc enables user namespace, the
configuation that shares root with host is very rara.
Signed-off-by: Gao feng <gaofeng(a)cn.fujitsu.com>
---
src/lxc/lxc_container.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index 3d9b491..fbce8e8 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -1664,7 +1664,9 @@ static int lxcContainerSetupPivotRoot(virDomainDefPtr vmDef,
if (lxcContainerPivotRoot(root) < 0)
goto cleanup;
- if (STREQ(root->src, "/") &&
+ /* FIXME: we should find a way to unmount these mounts for container
+ * even user namespace is enabled. */
+ if (STREQ(root->src, "/") && (!vmDef->idmap.nuidmap)
&&
lxcContainerUnmountForSharedRoot(stateDir, vmDef->name) < 0)
goto cleanup;
--
1.8.3.1
9:05 p.m.
New subject: [libvirt] [PATCH v2 2/2] LXC: don't unmount mounts for shared root
On 11/20/2013 10:11 AM, Gao feng wrote:
Also after commit 5ff9d8a65ce80efb509ce4e8051394e9ed2cd942
vfs: Lock in place mounts from more privileged users,
unprivileged user has no rights to umount the mounts that
inherited from parent mountns.
right now, I have no good idea to fix this problem, we need
to do more research. this patch just skip unmounting these
mounts for shared root.
BTW, I think when libvirt lxc enables user namespace, the
configuation that shares root with host is very rara.
s/rara/rare
Signed-off-by: Gao feng <gaofeng(a)cn.fujitsu.com>
---
src/lxc/lxc_container.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index 3d9b491..fbce8e8 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -1664,7 +1664,9 @@ static int lxcContainerSetupPivotRoot(virDomainDefPtr vmDef,
if (lxcContainerPivotRoot(root) < 0)
goto cleanup;
- if (STREQ(root->src, "/") &&
+ /* FIXME: we should find a way to unmount these mounts for container
+ * even user namespace is enabled. */
+ if (STREQ(root->src, "/") && (!vmDef->idmap.nuidmap)
&&
lxcContainerUnmountForSharedRoot(stateDir, vmDef->name) < 0)
goto cleanup;
10:48 a.m.
New subject: [libvirt] [PATCH v2 2/2] LXC: don't unmount mounts for shared root
On Wed, Nov 20, 2013 at 10:11:09AM +0800, Gao feng wrote:
Also after commit 5ff9d8a65ce80efb509ce4e8051394e9ed2cd942
vfs: Lock in place mounts from more privileged users,
unprivileged user has no rights to umount the mounts that
inherited from parent mountns.
right now, I have no good idea to fix this problem, we need
to do more research. this patch just skip unmounting these
mounts for shared root.
BTW, I think when libvirt lxc enables user namespace, the
configuation that shares root with host is very rara.
Signed-off-by: Gao feng <gaofeng(a)cn.fujitsu.com>
---
src/lxc/lxc_container.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index 3d9b491..fbce8e8 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -1664,7 +1664,9 @@ static int lxcContainerSetupPivotRoot(virDomainDefPtr vmDef,
if (lxcContainerPivotRoot(root) < 0)
goto cleanup;
- if (STREQ(root->src, "/") &&
+ /* FIXME: we should find a way to unmount these mounts for container
+ * even user namespace is enabled. */
+ if (STREQ(root->src, "/") && (!vmDef->idmap.nuidmap)
&&
lxcContainerUnmountForSharedRoot(stateDir, vmDef->name) < 0)
goto cleanup;
ACK, this sucks but we have no choice for now. Fortunately not unmounting
these things isn't really harmful - just clutter in /proc/mounts.
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
10:47 a.m.
On Wed, Nov 20, 2013 at 10:11:08AM +0800, Gao feng wrote:
After kernel commit 5ff9d8a65ce80efb509ce4e8051394e9ed2cd942
vfs: Lock in place mounts from more privileged users,
unprivileged user has no rights to move the mounts that
inherited from parent mountns. we use this feature to move
the /stateDir/domain-name.{dev, devpts} to the /dev/ and
/dev/pts directroy of container. this commit breaks libvirt lxc.
this patch changes the behavior to bind these mounts when
user namespace is enabled and move these mounts when user
namespace is disabled.
Signed-off-by: Gao feng <gaofeng(a)cn.fujitsu.com>
---
src/lxc/lxc_container.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
ACK, and pushed.
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
4015
days inactive
4021
days old
4 comments
2 participants
participants (2)
-
Daniel P. Berrange -
Gao feng