Re: [Lxc-users] Jumping out of a read-only bind mount container
On Mon, 2011-02-07 at 11:40 +1100, Trent W. Buck wrote:
> lxc.cap.drop=sys_admin should prevent all mount(2) calls within the
> container. It seems to work for me. In fact... I thought LXC *always*
> removed that capability, even if you never mentioned it?

Nice! Is there a list of capabilities LXC drops documented somewhere?

Thanks
Andre

--
The modern datacenter depends on network connectivity to access resources and provide services. The best practices for maximizing a physical server's connectivity to a physical network are well understood - see how these rules translate into the virtual world? http://p.sf.net/sfu/oracle-sfdevnlfb
___
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users
Re: [Lxc-users] Jumping out of a read-only bind mount container
On Mon, 2011-02-07 at 03:58 -0800, Dean Mao wrote:
> Yeah, would be nice to have this list -- I remember looking all over, but
> I didn't see lxc.console. Is there a comprehensive list of these
> abilities?

So far, for a container running apache and cron, plus the usual stuff (init, getty, login), I managed to drop these:

audit_control, audit_write, fowner, fsetid, ipc_lock, ipc_owner, lease, linux_immutable, mac_admin, mac_override, mknod, net_raw, setfcap, setpcap, sys_admin, sys_boot, sys_module, sys_nice, sys_pacct, sys_ptrace, sys_rawio, sys_resource, sys_time, sys_tty_config

So far everything seems to be working, but possibly some more will have to be removed from the list.

Andre
Re: [Lxc-users] Jumping out of a read-only bind mount container
On Mon, 2011-02-07 at 10:27 -0200, Andre Nathan wrote:
> So far, for a container running apache and cron, plus the usual stuff
> (init, getty, login), I managed to drop these:
>
> audit_control, audit_write, fowner, fsetid, ipc_lock, ipc_owner, lease,
> linux_immutable, mac_admin, mac_override, mknod, net_raw, setfcap,
> setpcap, sys_admin, sys_boot, sys_module, sys_nice, sys_pacct,
> sys_ptrace, sys_rawio, sys_resource, sys_time, sys_tty_config
>
> So far everything seems to be working, but possibly some more will have
> to be removed from the list.

Ping needs net_raw on Ubuntu.
[Lxc-users] can't start container after shutdown
hello,

i have gentoo with a 2.6.37-gentoo #1 SMP kernel, and lxc-0.7.3-r1.

i successfully installed the debian template and used it for some time (about 1 month). Today, after turning off the container, i can't start it. I get the following message:

# lxc-start -n debian
lxc-start: inherited fd 6 on pipe:[2401332881]

I could start it only with the command

lxc-start -n debian 6-

can you help me to solve my problem ? (sorry for my english ... )
Re: [Lxc-users] can't start container after shutdown
On 02/07/2011 03:52 PM, Володя К. wrote:
> 07.02.11, 17:31, Daniel Lezcano daniel.lezc...@free.fr:
>> On 02/07/2011 03:15 PM, Володя К. wrote:
>> Are you using Midnight Commander ?
> yes, i have installed Midnight Commander and use it very often
>> I don't remember exactly but there is a thread about this bug. This is
>> not related to lxc. There is a bug in debian where the file descriptors
>> are not closed and you inherit one within the container. The lxc code
>> checks there is no fd leak inside the container for security reasons.
>> What you are describing is very likely a bug in debian. I observed
>> midnight commander leaks a fd for a pipe when an application is
>> launched via it or via its shell.
> hm... is there a way to solve my problem manually ? or can i close open
> descriptors manually ? (if it's a debian bug - i think it's impossible
> to solve it now // it takes some time)

Yep, FYI:
http://www.mail-archive.com/lxc-users@lists.sourceforge.net/msg00962.html
and
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=532319

> can you advise me some simple solution

Closing the fd is a workaround and that must work, but maybe it is worth
upgrading gdm and checking whether the problem is resolved ?
Re: [Lxc-users] can't start container after shutdown
On 02/07/2011 04:20 PM, Володя К. wrote:
>>> can you advise me some simple solution
>> Closing the fd is a workaround and that must work, but maybe it is
>> worth upgrading gdm and checking whether the problem is resolved ?
> I don't have gdm installed

hmm. An application is leaking a fd somewhere. You can investigate to find
it. First, in the shell, check /proc/self/fd and look for a symlink to the
pipe. Then get the ppid of your shell and look at /proc/<ppid>/fd, and so
on, until the pipe fd disappears. You will find the culprit.
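Daniel's hunt for the leaked pipe, scripted as an added example (not code from the thread or from LXC): start from the shell's pid, list its pipe fds, then walk the parent chain while each ancestor still holds an fd to the same pipe. The PROC variable is an assumption of this example so the walk can be exercised on a constructed fake /proc tree; everything else reads the real /proc layout.

```shell
#!/bin/sh
# Added example: script the fd-leak hunt from the thread. Starting from a
# pid, look for the pipe fd that lxc-start complained about, then walk up
# the parent chain until a process no longer holds it; the last one that
# did is the leaker. PROC is an assumption of this example: it defaults
# to /proc and lets the same functions run over a constructed fake tree.
PROC=${PROC:-/proc}

# ppid_of PID: print the parent pid from PROC/PID/stat. The ppid is the
# second field after the ")" that closes the comm name, so command names
# containing spaces do not shift the fields.
ppid_of() {
    stat=$(cat "$PROC/$1/stat") || return 1
    rest=${stat##*\)}
    set -- $rest
    [ -n "$2" ] && echo "$2"
}

# pipe_fds PID: print "FD TARGET" for every fd of PID that is a pipe,
# i.e. what you would see by eyeballing ls -l /proc/self/fd.
pipe_fds() {
    for f in "$PROC/$1"/fd/*; do
        t=$(readlink "$f" 2>/dev/null) || continue
        case $t in pipe:*) printf '%s %s\n' "${f##*/}" "$t" ;; esac
    done
    return 0
}

# has_fd_to PID TARGET: succeed if some fd of PID points at TARGET.
has_fd_to() {
    for f in "$PROC/$1"/fd/*; do
        [ "$(readlink "$f" 2>/dev/null)" = "$2" ] && return 0
    done
    return 1
}

# leak_origin PID TARGET: walk from PID up through its ancestors while
# each one still holds an fd to TARGET (e.g. 'pipe:[2401332881]') and
# print the pid of the topmost one, i.e. the process that opened the
# pipe and passed it down to lxc-start. Prints nothing if PID itself
# does not hold it.
leak_origin() {
    pid=$1; last=""
    while [ "$pid" -gt 1 ]; do
        has_fd_to "$pid" "$2" || break
        last=$pid
        pid=$(ppid_of "$pid") || break
    done
    [ -n "$last" ] && echo "$last"
}

# Usage from the shell that fails to start the container:
#   pipe_fds $$ ; leak_origin $$ 'pipe:[2401332881]'
```

Once leak_origin names a pid, /proc/<pid>/comm (or the comm field in its stat) tells you which program to blame, which is how Daniel narrowed it down to Midnight Commander.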
Re: [Lxc-users] can't start container after shutdown
>> can you advise me some simple solution
> Closing the fd is a workaround and that must work, but maybe it is worth
> upgrading gdm and checking whether the problem is resolved ?

I don't have gdm installed
Re: [Lxc-users] Jumping out of a read-only bind mount container
Hi,

On Mon, Feb 07, 2011 at 11:40:47AM +1100, Trent W. Buck wrote:
>> In the container, I can use the mount command with the -oremount,rw
>> options and then edit the file from the container. So the bind
>> read-only mounts are no protection against changing the filesystem of
>> the container, but even make it possible to corrupt the _host_
>> filesystem ... Is there a way to disable that behavior and forbid the
>> mount options? Perhaps there should be a drop.caps possibility to
>> prevent remounting from within the container.
8<-- cut --
> Note that, obviously, this means all mounts must be done by
> lxc.mount.entry or prior to starting LXC.

Indeed. This is a problem with the sshd bind readonly containers, because lxc-init mounts /proc, /dev/shm and /dev/mqueue. With lxc.cap.drop=sys_admin it is therefore not possible to use lxc-init.

Would this mean that lxc_setup_fs() should be removed from lxc_init.c and the mounting should be done through the config-file?

Cheers,
Matto
Re: [Lxc-users] Jumping out of a read-only bind mount container
Andre Nathan an...@digirati.com.br writes:
> On Mon, 2011-02-07 at 11:40 +1100, Trent W. Buck wrote:
>> lxc.cap.drop=sys_admin should prevent all mount(2) calls within the
>> container. It seems to work for me. In fact... I thought LXC *always*
>> removed that capability, even if you never mentioned it?
> Nice! Is there a list of capabilities LXC drops documented somewhere?

I don't know. The list of capabilities *in general* is the capabilities(7) manpage.

--
The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE: Pinpoint memory and threading errors before they happen. Find and fix more than 250 security defects in the development cycle. Locate bottlenecks in serial and parallel code that limit performance. http://p.sf.net/sfu/intel-dev2devfeb
___
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users
Re: [Lxc-users] Jumping out of a read-only bind mount container
Matto Fransen ma...@matto.nl writes:
> Hi,
>
> On Mon, Feb 07, 2011 at 11:40:47AM +1100, Trent W. Buck wrote:
>>> In the container, I can use the mount command with the -oremount,rw
>>> options and then edit the file from the container. So the bind
>>> read-only mounts are no protection against changing the filesystem of
>>> the container, but even make it possible to corrupt the _host_
>>> filesystem ... Is there a way to disable that behavior and forbid the
>>> mount options? Perhaps there should be a drop.caps possibility to
>>> prevent remounting from within the container.
> 8<-- cut --
>> Note that, obviously, this means all mounts must be done by
>> lxc.mount.entry or prior to starting LXC.
>
> Indeed. This is a problem with the sshd bind readonly containers,
> because lxc-init mounts /proc, /dev/shm and /dev/mqueue. With
> lxc.cap.drop=sys_admin it is therefore not possible to use lxc-init.
>
> Would this mean that lxc_setup_fs() should be removed from lxc_init.c
> and the mounting should be done through the config-file?

I'm not sure what you mean there, but I do mounting with lxc.mount (or lxc.mount.entry), i.e. within the lxc .conf file.
Re: [Lxc-users] Jumping out of a read-only bind mount container
On Mon, Feb 7, 2011 at 4:53 AM, Andre Nathan an...@digirati.com.br wrote:
> On Mon, 2011-02-07 at 10:27 -0200, Andre Nathan wrote:
>> So far, for a container running apache and cron, plus the usual stuff
>> (init, getty, login), I managed to drop these:
>>
>> audit_control, audit_write, fowner, fsetid, ipc_lock, ipc_owner, lease,
>> linux_immutable, mac_admin, mac_override, mknod, net_raw, setfcap,
>> setpcap, sys_admin, sys_boot, sys_module, sys_nice, sys_pacct,
>> sys_ptrace, sys_rawio, sys_resource, sys_time, sys_tty_config
>>
>> So far everything seems to be working, but possibly some more will have
>> to be removed from the list.
>
> Ping needs net_raw on Ubuntu.

In my case, I need to disable some sysctls from the container. For example,

sysctl -w kernel.randomize_va_space (for ASLR)

I am still able to do the above after dropping SYS_ADMIN. How do I go about figuring out the capability vs. functionality mapping?

~nirmal
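To check which capabilities a container process actually still holds, rather than which ones you think lxc.cap.drop removed, the effective set is the CapEff line of /proc/<pid>/status. The POSIX shell helpers below are an added example, not code from the thread or from LXC; they decode that hex mask using the bit numbers from linux/capability.h and compare it against a drop list such as Andre's. The function names are this example's own.

```shell
#!/bin/sh
# Added example: decode a CapEff bitmask (as printed in /proc/<pid>/status)
# into capability names and check it against the list a container is
# supposed to have dropped via lxc.cap.drop. Bit numbers follow
# linux/capability.h: chown is bit 0, sys_admin bit 21, and so on.
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid \
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw \
ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct \
sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease \
audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm \
block_suspend audit_read"

# cap_bit NAME: print the bit number of NAME; fail if the name is unknown.
cap_bit() {
    i=0
    for n in $CAP_NAMES; do
        [ "$n" = "$1" ] && { echo "$i"; return 0; }
        i=$((i + 1))
    done
    return 1
}

# cap_present MASK NAME: succeed if NAME's bit is set in the hex MASK.
cap_present() {
    b=$(cap_bit "$2") || return 2
    [ $(( 0x$1 >> b & 1 )) -eq 1 ]
}

# caps_retained MASK: print every capability name whose bit is set.
caps_retained() {
    for n in $CAP_NAMES; do
        cap_present "$1" "$n" && printf '%s\n' "$n"
    done
    return 0
}

# caps_not_dropped MASK "NAME NAME ...": print each capability from the
# drop list that is still set in MASK; exit 1 if there is at least one.
caps_not_dropped() {
    rc=0
    for n in $2; do
        if cap_present "$1" "$n"; then printf '%s\n' "$n"; rc=1; fi
    done
    return $rc
}

# Usage against the container's init (PID as seen from the host):
#   mask=$(awk '/^CapEff:/ {print $2}' /proc/PID/status)
#   caps_not_dropped "$mask" "sys_admin net_raw mknod" && echo "all dropped"
```

Writes to /proc/sys are checked against the sysctl node's owner and mode for the caller's uid, not against a capability bit, so a uid-0 process in a 2011-era container can still run sysctl -w after sys_admin is dropped; the mapping this helper gives you applies only to capability-gated operations such as mount(2).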
Re: [Lxc-users] Jumping out of a read-only bind mount container
Hi,

On Tue, Feb 08, 2011 at 11:19:20AM +1100, Trent W. Buck wrote:
> Matto Fransen ma...@matto.nl writes:
>> This is a problem with the sshd bind readonly containers, because
>> lxc-init mounts /proc, /dev/shm and /dev/mqueue. With
>> lxc.cap.drop=sys_admin it is therefore not possible to use lxc-init.
>>
>> Would this mean that lxc_setup_fs() should be removed from lxc_init.c
>> and the mounting should be done through the config-file?
>
> I'm not sure what you mean there, but I do mounting with lxc.mount (or
> lxc.mount.entry), i.e. within the lxc .conf file.

When you create a sshd read only container with

lxc-create -t sshd -n containername

then this container gets an init that is mounted to lxc-init. lxc-init does mount /proc, /dev/shm and /dev/mqueue. But with lxc.cap.drop=sys_admin it is not possible to mount, and therefore lxc-init returns an error and the container is stopped.

Cheers,
Matto