[libvirt-users] libvirt 1.0.3 Vs 1.0.4 / cgroup devices

Hi there,

I am using libvirt with lxc to create fedora 16 & 18 containers on fedora 18 host.
First I did the setup with libvirt 1.0.3 and everything worked fine, then after upgrading to libvirt 1.0.4, I could not create character devices on the guests:

Test on the guest1:

# ls -l /dev
total 0
lrwxrwxrwx. 1 root root 10 Apr 17 21:18 console -> /dev/pts/0
lrwxrwxrwx. 1 root root 11 Apr 17 21:18 core -> /proc/kcore
lrwxrwxrwx. 1 root root 13 Apr 17 21:18 fd -> /proc/self/fd
crw-rw-rw-. 1 root root 1, 7 Apr 17 21:18 full
drwxr-xr-x. 2 root root 0 Apr 17 21:18 hugepages
prw-------. 1 root root 0 Apr 17 21:18 initctl
srw-rw-rw-. 1 root root 0 Apr 17 21:18 log
drwxrwxrwt. 2 root root 40 Apr 17 21:18 mqueue
crw-rw-rw-. 1 root root 1, 3 Apr 17 21:18 null
crw-rw-rw-. 1 root root 5, 2 Apr 18 10:31 ptmx
drwxr-xr-x. 2 root root 0 Apr 17 21:18 pts
crw-r--r--. 1 root root 1, 8 Apr 17 21:19 random
drwxrwxrwt. 2 root root 40 Apr 17 21:18 shm
lrwxrwxrwx. 1 root root 15 Apr 17 21:18 stderr -> /proc/self/fd/2
lrwxrwxrwx. 1 root root 15 Apr 17 21:18 stdin -> /proc/self/fd/0
lrwxrwxrwx. 1 root root 15 Apr 17 21:18 stdout -> /proc/self/fd/1
lrwxrwxrwx. 1 root root 10 Apr 17 21:18 tty1 -> /dev/pts/0
crw-rw-rw-. 1 root root 1, 9 Apr 17 21:18 urandom
crw-rw-rw-. 1 root root 1, 5 Apr 17 21:18 zero

# rm -f /dev/random (successful)

# mknod random c 1 8
mknod: `random': Operation not permitted

Config on the host, knowing that selinux is set to permissive and c 1:8 rwm is in the cgroup devices list of the guest1:

# cat /sys/fs/cgroup/devices/libvirt/lxc/guest1/devices.list
c 1:3 rwm
c 1:5 rwm
c 1:7 rwm
c 1:8 rwm
c 1:9 rwm
c 5:0 rwm
c 5:2 rwm
c 10:229 rwm
c 136:* rwm

Is this a change that was introduced intentionally in 1.0.4? If yes, how can I make it work? Please advise.

Thank you in advance
Mohamed

On Thu, Apr 18, 2013 at 11:11:21AM +0200, Mohamed Larabi wrote:
Hi there,
I am using libvirt with lxc to create fedora 16 & 18 containers on fedora 18 host.
first I did the setup with libvirt 1.0.3 and everything worked fine, then after upgrading to libvirt 1.0.4, I could not create character device on the guests :
Test on the guest1 :
# ls -l /dev
total 0
lrwxrwxrwx. 1 root root 10 Apr 17 21:18 console -> /dev/pts/0
lrwxrwxrwx. 1 root root 11 Apr 17 21:18 core -> /proc/kcore
lrwxrwxrwx. 1 root root 13 Apr 17 21:18 fd -> /proc/self/fd
crw-rw-rw-. 1 root root 1, 7 Apr 17 21:18 full
drwxr-xr-x. 2 root root 0 Apr 17 21:18 hugepages
prw-------. 1 root root 0 Apr 17 21:18 initctl
srw-rw-rw-. 1 root root 0 Apr 17 21:18 log
drwxrwxrwt. 2 root root 40 Apr 17 21:18 mqueue
crw-rw-rw-. 1 root root 1, 3 Apr 17 21:18 null
crw-rw-rw-. 1 root root 5, 2 Apr 18 10:31 ptmx
drwxr-xr-x. 2 root root 0 Apr 17 21:18 pts
crw-r--r--. 1 root root 1, 8 Apr 17 21:19 random
drwxrwxrwt. 2 root root 40 Apr 17 21:18 shm
lrwxrwxrwx. 1 root root 15 Apr 17 21:18 stderr -> /proc/self/fd/2
lrwxrwxrwx. 1 root root 15 Apr 17 21:18 stdin -> /proc/self/fd/0
lrwxrwxrwx. 1 root root 15 Apr 17 21:18 stdout -> /proc/self/fd/1
lrwxrwxrwx. 1 root root 10 Apr 17 21:18 tty1 -> /dev/pts/0
crw-rw-rw-. 1 root root 1, 9 Apr 17 21:18 urandom
crw-rw-rw-. 1 root root 1, 5 Apr 17 21:18 zero

# rm -f /dev/random (successful)

# mknod random c 1 8
mknod: `random': Operation not permitted
Libvirt does not allow the 'mknod' capability within containers. Any devices that have been assigned to the container will have device nodes pre-created in /dev by libvirt itself.

Daniel
-- 
|: http://berrange.com  -o-  http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org :|
|: http://autobuild.org  -o-  http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org  -o-  http://live.gnome.org/gtk-vnc :|

Hi Daniel,

Knowing that the /dev/random (c 1:8 rwm) device is assigned to the containers, the problem is:
- with libvirt 1.0.3: inside the container, I can do rm -f /dev/random; mknod /dev/random c 1 8 (which works fine)
- with libvirt 1.0.4: rm -f /dev/random; mknod /dev/random c 1 8 is not working (mknod: `random': Operation not permitted)

Why is it allowed in 1.0.3 and not in 1.0.4?

Thanks
Mohamed

----- Original Message -----
From: "Daniel P. Berrange" <berrange@redhat.com>
To: "Mohamed Larabi" <mohamed.larabi@inria.fr>
Cc: libvirt-users@redhat.com
Sent: Thursday 18 April 2013 11:22:17
Subject: Re: [libvirt-users] libvirt 1.0.3 Vs 1.0.4 / cgroup devices
On Thu, Apr 18, 2013 at 11:11:21AM +0200, Mohamed Larabi wrote:
Hi there,
I am using libvirt with lxc to create fedora 16 & 18 containers on fedora 18 host.
first I did the setup with libvirt 1.0.3 and everything worked fine, then after upgrading to libvirt 1.0.4, I could not create character device on the guests :
Test on the guest1 :
# ls -l /dev
total 0
lrwxrwxrwx. 1 root root 10 Apr 17 21:18 console -> /dev/pts/0
lrwxrwxrwx. 1 root root 11 Apr 17 21:18 core -> /proc/kcore
lrwxrwxrwx. 1 root root 13 Apr 17 21:18 fd -> /proc/self/fd
crw-rw-rw-. 1 root root 1, 7 Apr 17 21:18 full
drwxr-xr-x. 2 root root 0 Apr 17 21:18 hugepages
prw-------. 1 root root 0 Apr 17 21:18 initctl
srw-rw-rw-. 1 root root 0 Apr 17 21:18 log
drwxrwxrwt. 2 root root 40 Apr 17 21:18 mqueue
crw-rw-rw-. 1 root root 1, 3 Apr 17 21:18 null
crw-rw-rw-. 1 root root 5, 2 Apr 18 10:31 ptmx
drwxr-xr-x. 2 root root 0 Apr 17 21:18 pts
crw-r--r--. 1 root root 1, 8 Apr 17 21:19 random
drwxrwxrwt. 2 root root 40 Apr 17 21:18 shm
lrwxrwxrwx. 1 root root 15 Apr 17 21:18 stderr -> /proc/self/fd/2
lrwxrwxrwx. 1 root root 15 Apr 17 21:18 stdin -> /proc/self/fd/0
lrwxrwxrwx. 1 root root 15 Apr 17 21:18 stdout -> /proc/self/fd/1
lrwxrwxrwx. 1 root root 10 Apr 17 21:18 tty1 -> /dev/pts/0
crw-rw-rw-. 1 root root 1, 9 Apr 17 21:18 urandom
crw-rw-rw-. 1 root root 1, 5 Apr 17 21:18 zero

# rm -f /dev/random (successful)

# mknod random c 1 8
mknod: `random': Operation not permitted
Libvirt does not allow the 'mknod' capability within containers. Any devices that have been assigned to the container will have device nodes pre-created in /dev by libvirt itself.
Daniel
-- 
|: http://berrange.com  -o-  http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org :|
|: http://autobuild.org  -o-  http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org  -o-  http://live.gnome.org/gtk-vnc :|

On Thu, Apr 18, 2013 at 11:31:56AM +0200, Mohamed Larabi wrote:
Hi Daniel,
Knowing that the /dev/random (c 1:8 rwm) device is assigned to the containers, the problem is:
- with libvirt 1.0.3: inside the container, I can do rm -f /dev/random; mknod /dev/random c 1 8 (which works fine)
- with libvirt 1.0.4: rm -f /dev/random; mknod /dev/random c 1 8 is not working (mknod: `random': Operation not permitted)

Why is it allowed in 1.0.3 and not in 1.0.4?
Because in 1.0.4 we fixed the bug that mistakenly allowed mknod in earlier releases. We were already blocking users from accessing any other devices via cgroups, but we mistakenly didn't forbid mknod via the system capabilities, which is more secure than cgroups.

Just don't delete the devices that are pre-populated by libvirt.

Daniel
-- 
|: http://berrange.com  -o-  http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org :|
|: http://autobuild.org  -o-  http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org  -o-  http://live.gnome.org/gtk-vnc :|
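Daniel's answer describes two independent enforcement layers: the cgroup device controller whitelist (the devices.list shown earlier) governs which major:minor nodes a container may read, write or mknod, and the process capability bounding set governs whether mknod(2) of a device node is permitted at all (CAP_MKNOD). With 1.0.3 the cgroup layer allowed 'm' on c 1:8 and the capability was still present, so the node could be recreated; with 1.0.4 the capability is dropped, so the cgroup rule alone no longer suffices. The following audit helper is an added example, not code from libvirt or from either participant: it parses a devices.list in the format printed in this thread and a CapBnd hex mask of the form found in /proc/<pid>/status, and reports whether both layers would allow a given node to be created. The devices.list content is copied from the thread; the two CapBnd masks are constructed values for the demonstration, and the function names are the example's own.

```python
"""Audit helper (added example, not libvirt code): check whether a container
could recreate a device node with mknod.  Both layers must agree:
  1. the devices cgroup whitelist must grant 'm' for that type/major:minor;
  2. the process must hold CAP_MKNOD in its capability bounding set.
"""
import re

CAP_MKNOD = 27  # capability bit number, from <linux/capability.h>

# One devices.list line: "<type> <major|*>:<minor|*> <access>", e.g. "c 136:* rwm"
DEVICE_RE = re.compile(r'^([abc])\s+(\d+|\*):(\d+|\*)\s+([rwm]+)$')


def parse_devices_list(text):
    """Parse devices.list text into (type, major, minor, perms) tuples.
    major/minor are ints, or None for a '*' wildcard; perms is a set of chars."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DEVICE_RE.match(line)
        if not m:
            raise ValueError('unparseable devices.list line: %r' % line)
        typ, major, minor, perms = m.groups()
        rules.append((typ,
                      None if major == '*' else int(major),
                      None if minor == '*' else int(minor),
                      set(perms)))
    return rules


def cgroup_allows(rules, typ, major, minor, access):
    """True if some whitelist rule covers (typ, major:minor) and grants every
    requested access char.  Type 'a' matches any type; None matches any number."""
    for rtyp, rmajor, rminor, perms in rules:
        if rtyp != 'a' and rtyp != typ:
            continue
        if rmajor is not None and rmajor != major:
            continue
        if rminor is not None and rminor != minor:
            continue
        if set(access) <= perms:
            return True
    return False


def capbnd_has(capbnd_hex, cap):
    """capbnd_hex is the hex mask after 'CapBnd:' in /proc/<pid>/status."""
    return bool((int(capbnd_hex, 16) >> cap) & 1)


def audit_device(devices_list_text, capbnd_hex, typ, major, minor):
    """Report both checks for one node, plus the combined verdict."""
    rules = parse_devices_list(devices_list_text)
    cg = cgroup_allows(rules, typ, major, minor, 'm')
    cap = capbnd_has(capbnd_hex, CAP_MKNOD)
    return {'cgroup_mknod': cg, 'cap_mknod': cap, 'mknod_possible': cg and cap}


# Whitelist copied from the guest1 devices.list shown in the thread.
GUEST1_DEVICES_LIST = """\
c 1:3 rwm
c 1:5 rwm
c 1:7 rwm
c 1:8 rwm
c 1:9 rwm
c 5:0 rwm
c 5:2 rwm
c 10:229 rwm
c 136:* rwm
"""

# Constructed bounding-set masks (not taken from a real system): a full set
# that still includes CAP_MKNOD, and the same set with CAP_MKNOD cleared.
CAPBND_WITH_MKNOD = '0000001fffffffff'
CAPBND_WITHOUT_MKNOD = '%016x' % (0x1fffffffff & ~(1 << CAP_MKNOD))

if __name__ == '__main__':
    # /dev/random is c 1:8; compare the two bounding sets against the same whitelist.
    for label, mask in (('CAP_MKNOD kept', CAPBND_WITH_MKNOD),
                        ('CAP_MKNOD dropped', CAPBND_WITHOUT_MKNOD)):
        print(label, audit_device(GUEST1_DEVICES_LIST, mask, 'c', 1, 8))
```

Running the script shows that c 1:8 passes the cgroup check in both cases, and only the bounding set decides the outcome, which is the situation the thread describes. On a live host the two inputs would come from the container's cgroup directory and from the CapBnd line of the container init's /proc/<pid>/status.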