The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/2463
This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) ===
From 6ddb4091643224b5c1d1885ea370f9806226a376 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgra...@ubuntu.com>
Date: Thu, 6 Oct 2016 12:13:53 +0200
Subject: [PATCH 1/2] Be more verbose on mkdir failure
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber <stgra...@ubuntu.com>
---
 lxd/nsexec.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lxd/nsexec.go b/lxd/nsexec.go
index cf6d98f..b03e59a 100644
--- a/lxd/nsexec.go
+++ b/lxd/nsexec.go
@@ -69,7 +69,7 @@ int mkdir_p(const char *dir, mode_t mode)
 makeme = strndup(orig, dir - orig);
 if (*makeme) {
 if (mkdir(makeme, mode) && errno != EEXIST) {
- fprintf(stderr, "failed to create directory '%s'", makeme);
+ fprintf(stderr, "failed to create directory '%s': %s\n", makeme, strerror(errno));
 free(makeme);
 return -1;
 }

From 6ff0b5f3b73e0431785e2da1cf0913d6e3e5fd8d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgra...@ubuntu.com>
Date: Thu, 6 Oct 2016 13:06:04 +0200
Subject: [PATCH 2/2] Fix forkmount to work with 4.8 and higher
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

A new restriction was placed in the 4.8 kernel that mkdir will return EOVERFLOW if the resulting uid/gid is outside of the container's map. This is a problem for us as we only attach to the mount namespace. So to fix that, we must detect that the kernel supports userns and that the container is in a userns, then attach.

Signed-off-by: Stéphane Graber <stgra...@ubuntu.com>
---
 lxd/nsexec.go | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/lxd/nsexec.go b/lxd/nsexec.go
index b03e59a..106e720 100644
--- a/lxd/nsexec.go
+++ b/lxd/nsexec.go
@@ -368,9 +368,43 @@ void create(char *src, char *dest) {
 void forkmount(char *buf, char *cur, ssize_t size) {
 char *src, *dest, *opts;
 
+ char nspath[PATH_MAX];
+ char userns_source[PATH_MAX];
+ char userns_target[PATH_MAX];
+
 ADVANCE_ARG_REQUIRED();
 int pid = atoi(cur);
 
+ sprintf(nspath, "/proc/%d/ns/user", pid);
+ if (access(nspath, F_OK) == 0) {
+ if (readlink("/proc/self/ns/user", userns_source, 18) < 0) {
+ fprintf(stderr, "Failed readlink of source namespace: %s\n", strerror(errno));
+ _exit(1);
+ }
+
+ if (readlink(nspath, userns_target, PATH_MAX) < 0) {
+ fprintf(stderr, "Failed readlink of target namespace: %s\n", strerror(errno));
+ _exit(1);
+ }
+
+ if (strncmp(userns_source, userns_target, PATH_MAX) != 0) {
+ if (dosetns(pid, "user") < 0) {
+ fprintf(stderr, "Failed setns to container user namespace: %s\n", strerror(errno));
+ _exit(1);
+ }
+
+ if (setuid(0) < 0) {
+ fprintf(stderr, "Failed setuid to container root user: %s\n", strerror(errno));
+ _exit(1);
+ }
+
+ if (setgid(0) < 0) {
+ fprintf(stderr, "Failed setgid to container root group: %s\n", strerror(errno));
+ _exit(1);
+ }
+ }
+ }
+
 if (dosetns(pid, "mnt") < 0) {
 fprintf(stderr, "Failed setns to container mount namespace: %s\n", strerror(errno));
 _exit(1);
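Review bot: readlink() does not NUL-terminate its output, so the added `strncmp(userns_source, userns_target, PATH_MAX)` compares uninitialized stack bytes that lie past the link text in both buffers, and the hardcoded `18` passed for the source buffer silently truncates any link longer than 17 characters; either can make two identical namespaces compare unequal and trigger a setns/setuid/setgid sequence that was not meant to run. The fix is to cap each read at `sizeof buf - 1`, terminate at the returned length, and compare with strcmp, as in the rewritten lines below. The `sprintf` into `nspath` is bounded by PATH_MAX for any int pid, but `snprintf(nspath, sizeof(nspath), "/proc/%d/ns/user", pid)` would keep that invariant visible. The body of forkmount continues past the end of the hunk.
```c
	ssize_t len;

	/* … unchanged: nspath construction and access() check … */
	len = readlink("/proc/self/ns/user", userns_source, sizeof(userns_source) - 1);
	if (len < 0) {
		fprintf(stderr, "Failed readlink of source namespace: %s\n", strerror(errno));
		_exit(1);
	}
	userns_source[len] = '\0';

	len = readlink(nspath, userns_target, sizeof(userns_target) - 1);
	if (len < 0) {
		fprintf(stderr, "Failed readlink of target namespace: %s\n", strerror(errno));
		_exit(1);
	}
	userns_target[len] = '\0';

	if (strcmp(userns_source, userns_target) != 0) {
		/* … unchanged: dosetns("user"), setuid(0), setgid(0) … */
```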