3:49 a.m.
On 27.02.2014 16:32, Stephan Sachse wrote:
On Thu, Feb 27, 2014 at 3:07 PM, Dariusz Michaluk
<d.michaluk(a)samsung.com> wrote:
> On 26.02.2014 17:59, Stephan Sachse wrote:
>>>
>>> # chown -R foo:foo /var/lib/libvirt/filesystems/mycontainer
>>
>> you must "shift" the uids for the container 0 -> 666, 1 -> 667,
2 ->
>> 668. there is a tool for this: uidmapshift
>
> I prepared two containers, the first I used chown, in the second
> uidmapshift, here is the results.
>
> ./uidmapshift -r /var/lib/libvirt/filesystems/mycontainer
> UIDs 666 - 666
> GIDs 1001 - 2000
>
> foo 28919 28917 0 14:42 ? 00:00:00 /sbin/init
> 747 28950 28919 0 14:42 ? 00:00:00 /bin/dbus-daemon
>
> ./uidmapshift -r /var/lib/libvirt/filesystems/test
> UIDs 888 - 1776
> GIDs 1002 - 2001
>
> foo1 29298 29296 0 14:45 ? 00:00:00 /sbin/init
> 969 29329 29298 0 14:45 ? 00:00:00 /bin/dbus-daemon
>
> As you can see root is mapped to foo or foo1 user and dbus user is mapped to
> 747 (uid=81(dbus) + uid=666(foo)) or 969 (uid=81(dbus) + uid=888(foo1)).
> Mapping looks properly. Why use uidmapshift ?, it still performs chown.
> Could you explain more?
# ls -ln uidmapshift-test/
-rw-r--r-- 1 0 0 0 27. Feb 15:50 uid0
-rw-r--r-- 1 81 81 0 27. Feb 15:50 uid81
# /root/uidmapshift -b uidmapshift-test/ 0 100000 1000
# ls -ln uidmapshift-test/
-rw-r--r-- 1 100000 100000 0 27. Feb 15:50 uid0
-rw-r--r-- 1 100081 100081 0 27. Feb 15:50 uid81
correctly mapped 0 to 100000 with a range of 1000
# chown 100000.100000 uidmapshift-test/ -R
# ls -ln uidmapshift-test/
-rw-r--r-- 1 100000 100000 0 27. Feb 15:50 uid0
-rw-r--r-- 1 100000 100000 0 27. Feb 15:50 uid81
wrong mapping for file uid81
look at the ls -l output from inside the container! btw:
/bin/dbus-daemon is root.root on my system (fedora20)
# rpm -qlv dbus | grep 'bin/dbus-daemon'
-rwxr-xr-x 1 root root 445104 Dez 26 10:26
/bin/dbus-daemon
fedora20 inside the container (999=ssh_keys)
# ls -ln /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_ecdsa_key
-rw-r----- 1 0 999 227 18. Feb 12:56 /etc/ssh/ssh_host_ecdsa_key
-rw-r----- 1 0 999 1679 18. Feb 12:56 /etc/ssh/ssh_host_rsa_key
fedora20 outside the container
ls -l etc/ssh/ssh_host_rsa_key etc/ssh/ssh_host_ecdsa_key
-rw-r----- 1 100000 999 227 18. Feb 13:56 etc/ssh/ssh_host_ecdsa_key
-rw-r----- 1 100000 999 1679 18. Feb 13:56 etc/ssh/ssh_host_rsa_key
i have a mapping: 0 to 100000 range 1
if the range is 10000. it must looks like this from the outside
ls -l etc/ssh/ssh_host_rsa_key etc/ssh/ssh_host_ecdsa_key
-rw-r----- 1 100000 100999 227 18. Feb 13:56 etc/ssh/ssh_host_ecdsa_key
-rw-r----- 1 100000 100999 1679 18. Feb 13:56 etc/ssh/ssh_host_rsa_key
and as before from the inside
>> some tools may not work, because of the missing file capabilities.
>> chown removes all file capabilities! try ping as user inside the
>> container. (missing file cap cap_net_admin,cap_net_raw)
>
> # getcap /usr/bin/ping
> # ping localhost
> PING localhost (127.0.0.1) 56(84) bytes of data.
> 64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.077 ms
> 64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.066 ms
> ^C
> --- localhost ping statistics ---
> 2 packets transmitted, 2 received, 0% packet loss, time 999ms
> rtt min/avg/max/mdev = 0.066/0.071/0.077/0.010 ms
>
> Yes you are right, chown removed capabilities, but ping still works
> properly.
try it as user and not as root
# su -s/bin/bash nobody -c 'ping localhost'
ping: icmp open socket: Operation not permitted
fix this from outside the container
chroot /path/to/rootfs
rpm --qf "[%{FILECAPS} %{FILENAMES}\n]" -qa | grep ^= | sed -e
's/^=/setcap/'
and paste the output into your terminal
/stephan
Yes you are right, thank you for the clear and simple explanation, now I
understand.
--
Dariusz Michaluk
Samsung R&D Institute Poland
Samsung Electronics
d.michaluk(a)samsung.com