On Fri, Nov 01, 2013 at 12:19:11PM -0500, Serge Hallyn wrote:
> Quoting Michael H. Warfield (m...@wittsend.com):
> > 14 15 0:13 / /proc/sys/fs/binfmt_misc rw,relatime shared:20 - autofs 
> > systemd-1 rw,fd=32,pgrp=1,timeout=300,minproto=5,maxproto=5,direct
> 
> D'oh.  D'oh.  D'oh.
> 
> I've been going over detect_shared_rootfs() again and again, confirming
> that it should catch this line and return 1.  But your problem is during
> lxc-create!  Stupid Serge!
> 
> Perhaps the clean solution here is to always do a mount --make-rslave /
> before running the template.  Something like this:
> 
> From 0edc092d852761a95d3fea8a4746a2c68fa91d84 Mon Sep 17 00:00:00 2001
> From: Serge Hallyn <serge.hal...@ubuntu.com>
> Date: Fri, 1 Nov 2013 12:17:52 -0500
> Subject: [PATCH 1/1] always remount / rslave before running creation template
>  (if root)
> 
> If we're not root, our mounts in private userns won't get pushed
> back anyway.  If we are root, we need to make sure that anything
> the template does gets cleaned up.
> 
> Signed-off-by: Serge Hallyn <serge.hal...@ubuntu.com>

Acked-by: Stéphane Graber <stgra...@ubuntu.com>

> ---
>  src/lxc/lxccontainer.c | 15 ++++++++++++++-
>  1 file changed, 14 insertions(+), 1 deletion(-)
> 
> diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
> index 8b81a63..946133d 100644
> --- a/src/lxc/lxccontainer.c
> +++ b/src/lxc/lxccontainer.c
> @@ -24,6 +24,7 @@
>  #include <unistd.h>
>  #include <sys/types.h>
>  #include <sys/wait.h>
> +#include <sys/mount.h>
>  #include <errno.h>
>  #include <fcntl.h>
>  #include <sched.h>
> @@ -833,11 +834,23 @@ static bool create_run_template(struct lxc_container 
> *c, char *tpath, bool quiet
>                       exit(1);
>               }
>  
> -             if (strcmp(bdev->type, "dir") != 0) {
> +             if (geteuid() == 0) {
>                       if (unshare(CLONE_NEWNS) < 0) {
>                               ERROR("error unsharing mounts");
>                               exit(1);
>                       }
> +                     if (detect_shared_rootfs()) {
> +                             if (mount("", "", NULL, MS_SLAVE|MS_REC, 0)) {
> +                                     SYSERROR("Failed to make / rslave to 
> run template");
> +                                     ERROR("Continuing...");
> +                             }
> +                     }
> +             }
> +             if (strcmp(bdev->type, "dir") != 0) {
> +                     if (geteuid() != 0) {
> +                             ERROR("non-root users can only create 
> directory-backed containers");
> +                             exit(1);
> +                     }
>                       if (bdev->ops->mount(bdev) < 0) {
>                               ERROR("Error mounting rootfs");
>                               exit(1);
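Review bot: the call `if (mount("", "", NULL, MS_SLAVE|MS_REC, 0)) {` passes an empty string as the target, so it does not act on `/` as the subject line and the SYSERROR text say; the mountpoint whose propagation is being changed belongs in the target argument, i.e. `mount("", "/", NULL, MS_SLAVE|MS_REC, NULL)` (`NULL` rather than `0` for the data pointer is also the idiomatic spelling). Related: when that mount() fails the code only logs `ERROR("Continuing...")` and still runs the template, which is exactly the case this patch exists to prevent, a shared rootfs where the template's mounts propagate back to the host; either make the failure fatal with `exit(1)` as the unshare() failure just above does, or document in the commit message why continuing is acceptable.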
> -- 
> 1.8.3.2
> 
> 
> ------------------------------------------------------------------------------
> Android is increasing in popularity, but the open development platform that
> developers love is also attractive to malware creators. Download this white
> paper to learn more about secure code signing practices that can help keep
> Android apps secure.
> http://pubads.g.doubleclick.net/gampad/clk?id=65839951&iu=/4140/ostg.clktrk
> _______________________________________________
> Lxc-devel mailing list
> Lxc-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/lxc-devel

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
