Re: [Lxc-users] [PATCH] Re: read only rootfs

2011-07-19 Thread Michael H. Warfield 
On Mon, 2011-07-18 at 07:31 -0500, Serge E. Hallyn wrote: 
 Quoting Michael H. Warfield (m...@wittsend.com):
  Unfortunately, I also still find that if there's a -o remount,ro in the
  halt/reboot script, it still sets /dev/pts to ro and that still
  propagates to the host and to the other containers triggering random
 
 Wow.
 
 Did a quick grep;  is there any reason why lxc-start doesn't turn on
 MS_SLAVE for the client's root?  Something like:
 
 From 7fbc3ec940403605c53b253d8630c3f47fad154c Mon Sep 17 00:00:00 2001
 From: Serge Hallyn serge.hal...@ubuntu.com
 Date: Mon, 18 Jul 2011 07:29:57 -0500
 Subject: [PATCH 1/1] (untested) turn container rootfs into MS_SLAVE
 
 Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com
 ---
  src/lxc/conf.c |5 +
  1 files changed, 5 insertions(+), 0 deletions(-)
 
 diff --git a/src/lxc/conf.c b/src/lxc/conf.c
 index 2eb598b..d36fe47 100644
 --- a/src/lxc/conf.c
 +++ b/src/lxc/conf.c
 @@ -732,6 +732,11 @@ static int setup_rootfs(const struct lxc_rootfs *rootfs)
   return -1;
   }
  
 + if (mount(rootfs-path, rootfs-path, none, MS_SLAVE, 0)) {
 + ERROR(failed to turn child rootfs into slave);
 + return -1;
 + }
 +
   DEBUG(mounted '%s' on '%s', rootfs-path, rootfs-mount);
  
   return 0;
 -- 
 1.7.4.1

Problem...

  lxc-start 1311083210.678 ERRORlxc_conf - failed to turn child rootfs 
into slave
  lxc-start 1311083210.678 ERRORlxc_conf - failed to setup rootfs for 
'Alcove'
  lxc-start 1311083210.678 ERRORlxc_start - failed to setup the 
container
  lxc-start 1311083210.679 ERRORlxc_sync - invalid sequence number 1. 
expected 2
  lxc-start 1311083210.679 ERRORlxc_start - failed to spawn 'Alcove'


This may be do to the way I have my rootfs set up.  Mine are bind mounts
from a private area to the common mount point.  I've noticed that inside
the containers, I see my root file system show up twice like this (over
on one of my production machines):

[mhw@Berserker ~]$ df
Filesystem   1K-blocks  Used Available Use% Mounted on
rootfs   480719056 404550544  51749312  89% /
/dev/sdb1480719056 404550544  51749312  89% /
/dev/sdc1480719056202816 456097040   1% /export
/dev/sda7693727244 624715768  33772100  95% /srv/shared
none   1030612 0   1030612   0% /dev/shm

[mhw@berserker-base ~]$ cat /srv/lxc/config/Berserker.fstab 
/srv/lxc/private/Berserker /srv/lxc/rootfs   none bind 0 0

/export   /srv/lxc/rootfs/exportnone bind 0 0
/home/shared  /srv/lxc/rootfs/srv/sharednone bind 0 0


Maybe not such a good idea (mine)?

Regards,
Mike

  The kernel should also prohibit, totally, the propagation of remount
 
 The kernel doesn't know about containers, so it's up to userspace :)
 
 -serge
 

-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  m...@wittsend.com
   /\/\|=mhw=|\/\/  | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9  | An optimist believes we live in the best of all
 PGP Key: 0x674627FF| possible worlds.  A pessimist is sure of it!


signature.asc
Description: This is a digitally signed message part
--
Magic Quadrant for Content-Aware Data Loss Prevention
Research study explores the data loss prevention market. Includes in-depth
analysis on the changes within the DLP market, and the criteria used to
evaluate the strengths and weaknesses of these DLP solutions.
http://www.accelacomm.com/jaw/sfnl/114/51385063/___
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users

Re: [Lxc-users] [PATCH] Re: read only rootfs

2011-07-19 Thread Michael H. Warfield 
On Tue, 2011-07-19 at 09:55 -0400, Michael H. Warfield wrote: 
 On Mon, 2011-07-18 at 07:31 -0500, Serge E. Hallyn wrote: 
  Quoting Michael H. Warfield (m...@wittsend.com):
   Unfortunately, I also still find that if there's a -o remount,ro in the
   halt/reboot script, it still sets /dev/pts to ro and that still
   propagates to the host and to the other containers triggering random
  
  Wow.
  
  Did a quick grep;  is there any reason why lxc-start doesn't turn on
  MS_SLAVE for the client's root?  Something like:
  
  From 7fbc3ec940403605c53b253d8630c3f47fad154c Mon Sep 17 00:00:00 2001
  From: Serge Hallyn serge.hal...@ubuntu.com
  Date: Mon, 18 Jul 2011 07:29:57 -0500
  Subject: [PATCH 1/1] (untested) turn container rootfs into MS_SLAVE
  
  Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com
  ---
   src/lxc/conf.c |5 +
   1 files changed, 5 insertions(+), 0 deletions(-)
  
  diff --git a/src/lxc/conf.c b/src/lxc/conf.c
  index 2eb598b..d36fe47 100644
  --- a/src/lxc/conf.c
  +++ b/src/lxc/conf.c
  @@ -732,6 +732,11 @@ static int setup_rootfs(const struct lxc_rootfs 
  *rootfs)
  return -1;
  }
   
  +   if (mount(rootfs-path, rootfs-path, none, MS_SLAVE, 0)) {
  +   ERROR(failed to turn child rootfs into slave);
  +   return -1;
  +   }
  +
  DEBUG(mounted '%s' on '%s', rootfs-path, rootfs-mount);
   
  return 0;
  -- 
  1.7.4.1
 
 Problem...
 
   lxc-start 1311083210.678 ERRORlxc_conf - failed to turn child 
 rootfs into slave
   lxc-start 1311083210.678 ERRORlxc_conf - failed to setup rootfs for 
 'Alcove'
   lxc-start 1311083210.678 ERRORlxc_start - failed to setup the 
 container
   lxc-start 1311083210.679 ERRORlxc_sync - invalid sequence number 1. 
 expected 2
   lxc-start 1311083210.679 ERRORlxc_start - failed to spawn 'Alcove'
 
 
 This may be do to the way I have my rootfs set up.  Mine are bind mounts
 from a private area to the common mount point.  I've noticed that inside
 the containers, I see my root file system show up twice like this (over
 on one of my production machines):

Or, maybe not.  Tried specifying the private directory as the rootfs
mount point directly and still got the same error, no bind mount in
fstab involved.  :-P

Mike

Snip

-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  m...@wittsend.com
   /\/\|=mhw=|\/\/  | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9  | An optimist believes we live in the best of all
 PGP Key: 0x674627FF| possible worlds.  A pessimist is sure of it!


signature.asc
Description: This is a digitally signed message part
--
Magic Quadrant for Content-Aware Data Loss Prevention
Research study explores the data loss prevention market. Includes in-depth
analysis on the changes within the DLP market, and the criteria used to
evaluate the strengths and weaknesses of these DLP solutions.
http://www.accelacomm.com/jaw/sfnl/114/51385063/___
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users

Re: [Lxc-users] [PATCH] Re: read only rootfs

2011-07-19 Thread Michael H. Warfield 
On Mon, 2011-07-18 at 07:31 -0500, Serge E. Hallyn wrote: 
 Quoting Michael H. Warfield (m...@wittsend.com):
  Unfortunately, I also still find that if there's a -o remount,ro in the
  halt/reboot script, it still sets /dev/pts to ro and that still
  propagates to the host and to the other containers triggering random
 
 Wow.
 
 Did a quick grep;  is there any reason why lxc-start doesn't turn on
 MS_SLAVE for the client's root?  Something like:
 
 From 7fbc3ec940403605c53b253d8630c3f47fad154c Mon Sep 17 00:00:00 2001
 From: Serge Hallyn serge.hal...@ubuntu.com
 Date: Mon, 18 Jul 2011 07:29:57 -0500
 Subject: [PATCH 1/1] (untested) turn container rootfs into MS_SLAVE
 
 Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com
 ---
  src/lxc/conf.c |5 +
  1 files changed, 5 insertions(+), 0 deletions(-)
 
 diff --git a/src/lxc/conf.c b/src/lxc/conf.c
 index 2eb598b..d36fe47 100644
 --- a/src/lxc/conf.c
 +++ b/src/lxc/conf.c
 @@ -732,6 +732,11 @@ static int setup_rootfs(const struct lxc_rootfs *rootfs)
   return -1;
   }
  
 + if (mount(rootfs-path, rootfs-path, none, MS_SLAVE, 0)) {
 + ERROR(failed to turn child rootfs into slave);
 + return -1;
 + }
 +
   DEBUG(mounted '%s' on '%s', rootfs-path, rootfs-mount);
  
   return 0;
 -- 
 1.7.4.1

I poked at this some more.

First, I stuck a perror in that if check right after the mount to find
out what it was griping about...

[root@forest SPECS]# lxc-start --name Alcove
setup_rootfs, MS_SLAVE: Invalid argument
lxc-start: failed to turn child rootfs into slave
lxc-start: failed to setup rootfs for 'Alcove'
lxc-start: failed to setup the container
lxc-start: invalid sequence number 1. expected 2
lxc-start: failed to spawn 'Alcove'

Yuck.  Invalid argument?  Then I started thinking...  Wasn't something
missing in that command.  Wouldn't you need those flags to be
MS_REMOUNT | MS_SLAVE since you're remounting?  Tried that.  No joy.
Same error.

Sooo...  I looked up at mount_rootfs called from the stanza above it.
Tried adding the MS_SLAVE to the mount command proper in
mount_rootfs_dir and commenting out the remount block entirely.  The
file system mounts properly but adding MS_SLAVE didn't solve the
problem.  :-P  That should have been the right spot.

Then I noticed a discrepancy.  In mount_rootfs_dir mount it called with
path and target while back in setup_rootfs the remount is calling it
with path and path.  Ah ha...  So I changed that mount to read like
this:

if (mount(rootfs-path, rootfs-mount, none, MS_REMOUNT|MS_SLAVE, 0)) {

Again.  Fixed the code but not the problem.

I think the problem is that you are only doing this on the rootfs and
that flag does not automagically propagate to the submounts.  That's
sort of implied by the way the man page for the mount command reads.  It
doesn't mention a slave option on individual file systems but has a
--make-rslave function which recursively makes that mountpoint and all
its submountpoints into slaves.  Tried running mount
--make-slave /dev/pts in the container and didn't get an error but still
didn't fix the problem but I figured that would be too easy and it
needed to be done back in lxc proper.

At that point, I went through src/lxc/conf.c and added MS_SLAVE to every
mount call.  Yes, overly aggressive but just for a shotgun test.  It
ran.  But still failed the test.  If I remount /dev/pts as ro in the
container, I still get it ro in the host.  Then remount rw in the
container and it's back to rw in the host.  Is this a kernel bug or what
am I missing here?

Strange too (and I just noticed this) is that I have two mount instances
of devpts on /dev/pts:

[root@alcove mhw]# mount -t devpts
devpts on /dev/console type devpts (rw,relatime,mode=600,ptmxmode=666)
devpts on /dev/tty1 type devpts (rw,relatime,mode=600,ptmxmode=666)
devpts on /dev/tty2 type devpts (rw,relatime,mode=600,ptmxmode=666)
devpts on /dev/tty3 type devpts (rw,relatime,mode=600,ptmxmode=666)
devpts on /dev/tty4 type devpts (rw,relatime,mode=600,ptmxmode=666)
devpts on /dev/tty5 type devpts (rw,relatime,mode=600,ptmxmode=666)
devpts on /dev/tty6 type devpts (rw,relatime,mode=600,ptmxmode=666)
devpts on /dev/pts type devpts (rw,relatime,mode=600,ptmxmode=666)
devpts on /dev/pts type devpts (rw,relatime,mode=600,ptmxmode=666)

I don't have any devpts mounts in either the container /etc/fstab, the
fstab lxc is referencing, or in any lxc.mount.entry in the config file.
Why are there two of them there and is that indicative of a problem?

Regards,
Mike

  The kernel should also prohibit, totally, the propagation of remount
 
 The kernel doesn't know about containers, so it's up to userspace :)
 
 -serge
 

-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  m...@wittsend.com
   /\/\|=mhw=|\/\/  | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9  | An optimist believes we live in the best of all
 PGP Key: 0x674627FF| possible worlds.  A pessimist is

Re: [Lxc-users] [PATCH] Re: read only rootfs

2011-07-18 Thread Michael H. Warfield 
On Mon, 2011-07-18 at 07:31 -0500, Serge E. Hallyn wrote: 
 Quoting Michael H. Warfield (m...@wittsend.com):
  Unfortunately, I also still find that if there's a -o remount,ro in the
  halt/reboot script, it still sets /dev/pts to ro and that still
  propagates to the host and to the other containers triggering random
 
 Wow.
 
 Did a quick grep;  is there any reason why lxc-start doesn't turn on
 MS_SLAVE for the client's root?  Something like:
 
 From 7fbc3ec940403605c53b253d8630c3f47fad154c Mon Sep 17 00:00:00 2001
 From: Serge Hallyn serge.hal...@ubuntu.com
 Date: Mon, 18 Jul 2011 07:29:57 -0500
 Subject: [PATCH 1/1] (untested) turn container rootfs into MS_SLAVE
 
 Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com
 ---
  src/lxc/conf.c |5 +
  1 files changed, 5 insertions(+), 0 deletions(-)
 
 diff --git a/src/lxc/conf.c b/src/lxc/conf.c
 index 2eb598b..d36fe47 100644
 --- a/src/lxc/conf.c
 +++ b/src/lxc/conf.c
 @@ -732,6 +732,11 @@ static int setup_rootfs(const struct lxc_rootfs *rootfs)
   return -1;
   }
  
 + if (mount(rootfs-path, rootfs-path, none, MS_SLAVE, 0)) {
 + ERROR(failed to turn child rootfs into slave);
 + return -1;
 + }
 +
   DEBUG(mounted '%s' on '%s', rootfs-path, rootfs-mount);
  
   return 0;
 -- 
 1.7.4.1

  The kernel should also prohibit, totally, the propagation of remount

 The kernel doesn't know about containers, so it's up to userspace :)

Acceptable and that's reasonable.  But, for security and integrity
reasons, it has to be the host / parent user space not the guest / child
user space which can make that decision.  And it has to be the default.
Anything less is a security vulnerability.

 -serge

Regards,
Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  m...@wittsend.com
   /\/\|=mhw=|\/\/  | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9  | An optimist believes we live in the best of all
 PGP Key: 0x674627FF| possible worlds.  A pessimist is sure of it!


signature.asc
Description: This is a digitally signed message part
--
Magic Quadrant for Content-Aware Data Loss Prevention
Research study explores the data loss prevention market. Includes in-depth
analysis on the changes within the DLP market, and the criteria used to
evaluate the strengths and weaknesses of these DLP solutions.
http://www.accelacomm.com/jaw/sfnl/114/51385063/___
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users