Re: [lxc-devel] Strange problem (stray mounts) with lxc-create...

Fri, 01 Nov 2013 10:22:46 -0700 

Quoting Michael H. Warfield (m...@wittsend.com):
> 14 15 0:13 / /proc/sys/fs/binfmt_misc rw,relatime shared:20 - autofs 
> systemd-1 rw,fd=32,pgrp=1,timeout=300,minproto=5,maxproto=5,direct

D'oh.  D'oh.  D'oh.

I've been going over detect_shared_rootfs() again and again, confirming
that it should catch this line and return 1.  But your problem is during
lxc-create!  Stupid Serge!

Perhaps the clean solution here is to always do a mount --make-rslave /
before running the template.  Something like this:

>From 0edc092d852761a95d3fea8a4746a2c68fa91d84 Mon Sep 17 00:00:00 2001
From: Serge Hallyn <serge.hal...@ubuntu.com>
Date: Fri, 1 Nov 2013 12:17:52 -0500
Subject: [PATCH 1/1] always remount / rslave before running creation template
 (if root)

If we're not root, our mounts in private userns won't get pushed
back anyway.  If we are root, we need to make sure that anything
the template does gets cleaned up.

Signed-off-by: Serge Hallyn <serge.hal...@ubuntu.com>
---
 src/lxc/lxccontainer.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
index 8b81a63..946133d 100644
--- a/src/lxc/lxccontainer.c
+++ b/src/lxc/lxccontainer.c
@@ -24,6 +24,7 @@
 #include <unistd.h>
 #include <sys/types.h>
 #include <sys/wait.h>
+#include <sys/mount.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <sched.h>
@@ -833,11 +834,23 @@ static bool create_run_template(struct lxc_container *c, 
char *tpath, bool quiet
                        exit(1);
                }
 
-               if (strcmp(bdev->type, "dir") != 0) {
+               if (geteuid() == 0) {
                        if (unshare(CLONE_NEWNS) < 0) {
                                ERROR("error unsharing mounts");
                                exit(1);
                        }
+                       if (detect_shared_rootfs()) {
+                               if (mount("", "", NULL, MS_SLAVE|MS_REC, 0)) {
+                                       SYSERROR("Failed to make / rslave to 
run template");
+                                       ERROR("Continuing...");
+                               }
+                       }
+               }
+               if (strcmp(bdev->type, "dir") != 0) {
+                       if (geteuid() != 0) {
+                               ERROR("non-root users can only create 
directory-backed containers");
+                               exit(1);
+                       }
                        if (bdev->ops->mount(bdev) < 0) {
                                ERROR("Error mounting rootfs");
                                exit(1);
-- 
1.8.3.2


------------------------------------------------------------------------------
Android is increasing in popularity, but the open development platform that
developers love is also attractive to malware creators. Download this white
paper to learn more about secure code signing practices that can help keep
Android apps secure.
http://pubads.g.doubleclick.net/gampad/clk?id=65839951&iu=/4140/ostg.clktrk
_______________________________________________
Lxc-devel mailing list
Lxc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-devel

Reply via email to