The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/2463

This e-mail was sent by the LXC bot; direct replies will not reach the author
unless they happen to be subscribed to this list.

=== Description (from pull-request) ===

From 6ddb4091643224b5c1d1885ea370f9806226a376 Mon Sep 17 00:00:00 2001
From: Stéphane Graber <stgra...@ubuntu.com>
Date: Thu, 6 Oct 2016 12:13:53 +0200
Subject: [PATCH 1/2] Be more verbose on mkdir failure
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber <stgra...@ubuntu.com>
---
 lxd/nsexec.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lxd/nsexec.go b/lxd/nsexec.go
index cf6d98f..b03e59a 100644
--- a/lxd/nsexec.go
+++ b/lxd/nsexec.go
@@ -69,7 +69,7 @@ int mkdir_p(const char *dir, mode_t mode)
                makeme = strndup(orig, dir - orig);
                if (*makeme) {
                        if (mkdir(makeme, mode) && errno != EEXIST) {
-                               fprintf(stderr, "failed to create directory 
'%s'", makeme);
+                               fprintf(stderr, "failed to create directory 
'%s': %s\n", makeme, strerror(errno));
                                free(makeme);
                                return -1;
                        }
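Review bot: the `errno != EEXIST` test on the line above still lets a pre-existing non-directory (a regular file or symlink already sitting at that path) pass as success, so the failure only surfaces later, at the next component or at the mount itself, with a less useful message than the one this patch adds. Since forkmount runs mkdir_p inside the container's mount namespace, that path is container-controlled; consider following the EEXIST case with a `stat(makeme, &st)` and returning -1 unless `S_ISDIR(st.st_mode)`. The new message itself is fine: `strerror(errno)` is evaluated as an fprintf argument before `free(makeme)`, so errno has not been clobbered, and the added `\n` fixes the run-together stderr output.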

From 6ff0b5f3b73e0431785e2da1cf0913d6e3e5fd8d Mon Sep 17 00:00:00 2001
From: Stéphane Graber <stgra...@ubuntu.com>
Date: Thu, 6 Oct 2016 13:06:04 +0200
Subject: [PATCH 2/2] Fix forkmount to work with 4.8 and higher
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

A new restriction was placed in the 4.8 kernel that mkdir will return
EOVERFLOW if the resulting uid/gid is outside of the container's map.

This is a problem for us as we only attach to the mount namespace.

So to fix that, we must detect that the kernel supports userns and that
the container is in a userns, then attach.

Signed-off-by: Stéphane Graber <stgra...@ubuntu.com>
---
 lxd/nsexec.go | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/lxd/nsexec.go b/lxd/nsexec.go
index b03e59a..106e720 100644
--- a/lxd/nsexec.go
+++ b/lxd/nsexec.go
@@ -368,9 +368,43 @@ void create(char *src, char *dest) {
 void forkmount(char *buf, char *cur, ssize_t size) {
        char *src, *dest, *opts;
 
+       char nspath[PATH_MAX];
+       char userns_source[PATH_MAX];
+       char userns_target[PATH_MAX];
+
        ADVANCE_ARG_REQUIRED();
        int pid = atoi(cur);
 
+       sprintf(nspath, "/proc/%d/ns/user", pid);
+       if (access(nspath, F_OK) == 0) {
+               if (readlink("/proc/self/ns/user", userns_source, 18) < 0) {
+                       fprintf(stderr, "Failed readlink of source namespace: 
%s\n", strerror(errno));
+                       _exit(1);
+               }
+
+               if (readlink(nspath, userns_target, PATH_MAX) < 0) {
+                       fprintf(stderr, "Failed readlink of target namespace: 
%s\n", strerror(errno));
+                       _exit(1);
+               }
+
+               if (strncmp(userns_source, userns_target, PATH_MAX) != 0) {
+                       if (dosetns(pid, "user") < 0) {
+                               fprintf(stderr, "Failed setns to container user 
namespace: %s\n", strerror(errno));
+                               _exit(1);
+                       }
+
+                       if (setuid(0) < 0) {
+                               fprintf(stderr, "Failed setuid to container 
root user: %s\n", strerror(errno));
+                               _exit(1);
+                       }
+
+                       if (setgid(0) < 0) {
+                               fprintf(stderr, "Failed setgid to container 
root group: %s\n", strerror(errno));
+                               _exit(1);
+                       }
+               }
+       }
+
        if (dosetns(pid, "mnt") < 0) {
                fprintf(stderr, "Failed setns to container mount namespace: 
%s\n", strerror(errno));
                _exit(1);
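Review bot: the two readlink calls in this hunk feed `strncmp(userns_source, userns_target, PATH_MAX)` buffers that readlink(2) never NUL-terminates, and both arrays are uninitialized stack memory, so the comparison runs past the `user:[...]` text into indeterminate bytes; the first call also hard-codes a length of 18 (`readlink("/proc/self/ns/user", userns_source, 18)`) while the second uses PATH_MAX, so the two strings are read with different truncation rules. Read both with `sizeof(buf) - 1`, check the returned length, and terminate with `buf[len] = '\0'` before comparing, or drop the string comparison and compare `st_dev`/`st_ino` from `stat()` of the two ns links, which is how namespace identity is normally checked. Two smaller points in the same hunk: `sprintf(nspath, "/proc/%d/ns/user", pid)` should be `snprintf` with `sizeof(nspath)`, and after the `dosetns(pid, "user")` the conventional order is `setgid(0)` before `setuid(0)` (supplementary groups are also left untouched), even though retained capabilities inside the joined namespace make both calls succeed here.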
_______________________________________________
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel
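The "detect that the kernel supports userns and that the container is in a userns" check from the second commit message, written out as an added example. This is not LXD's code: the names read_link_str, ns_equal and needs_userns_join are my own, and it assumes Linux with /proc mounted; nothing in it needs privileges. It compares namespace identity the way the kernel exposes it, by the dev/inode pair behind the /proc/<pid>/ns/* magic links, and wraps readlink(2) so the result is always NUL-terminated and truncation is reported instead of ignored. It stops short of the setns(2)/setuid(0) step, which requires root and is what the patch itself does.

```c
/* Added example, not LXD's nsexec.go code. Assumes Linux with /proc mounted. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* readlink(2) neither NUL-terminates nor reports truncation; this wrapper does
 * both and always leaves a C string in buf. Returns the link length, or -1 with
 * errno set (ENAMETOOLONG when the target may not have fit). */
ssize_t read_link_str(const char *path, char *buf, size_t bufsz)
{
    if (bufsz == 0) {
        errno = EINVAL;
        return -1;
    }
    ssize_t n = readlink(path, buf, bufsz - 1);
    if (n < 0)
        return -1;
    if ((size_t)n == bufsz - 1) {
        /* Filled the buffer: cannot tell whether the target was longer. */
        buf[0] = '\0';
        errno = ENAMETOOLONG;
        return -1;
    }
    buf[n] = '\0';
    return n;
}

/* Two /proc/<pid>/ns/<type> entries name the same namespace iff stat() gives
 * the same (st_dev, st_ino). stat follows the magic link, so the target
 * namespace must still exist. Returns 1 if equal, 0 if different, -1 on error. */
int ns_equal(const char *a, const char *b)
{
    struct stat sa, sb;
    if (stat(a, &sa) < 0 || stat(b, &sb) < 0)
        return -1;
    return (sa.st_dev == sb.st_dev && sa.st_ino == sb.st_ino) ? 1 : 0;
}

/* Decide whether the caller must join pid's user namespace before touching its
 * mount namespace: 1 = setns required, 0 = same namespace (or the kernel has no
 * user namespaces, so the EOVERFLOW rule cannot apply), -1 = error. */
int needs_userns_join(pid_t pid)
{
    char target[64];
    if (snprintf(target, sizeof(target), "/proc/%d/ns/user", (int)pid)
        >= (int)sizeof(target))
        return -1;
    if (access(target, F_OK) != 0)
        return 0;
    int r = ns_equal("/proc/self/ns/user", target);
    if (r < 0)
        return -1;
    return r ? 0 : 1;
}

int main(int argc, char **argv)
{
    /* Usage: ./nscheck [pid]; defaults to our own pid, which is always "same". */
    pid_t pid = argc > 1 ? (pid_t)atoi(argv[1]) : getpid();
    char link[64];

    if (read_link_str("/proc/self/ns/user", link, sizeof(link)) >= 0)
        printf("own user namespace: %s\n", link);

    int r = needs_userns_join(pid);
    if (r < 0) {
        perror("needs_userns_join");
        return 1;
    }
    printf("pid %d: %s\n", (int)pid,
           r ? "different user namespace, setns before mounting"
             : "same user namespace");
    return 0;
}
```

Run against a container's init pid as root and it reports whether the setns into the user namespace is needed; the stat-based comparison sidesteps the buffer-size and termination questions that string comparison of the link text raises.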
