btw I just checked and this behaviour breaks some haproxyctl functions (at least those relying on /proc)
On Tue, May 3, 2016 at 9:05 PM, Umberto Nicoletti <[email protected]> wrote:

> On Tue, May 3, 2016 at 6:49 PM, Serge Hallyn <[email protected]> wrote:
>
>> Quoting Umberto Nicoletti ([email protected]):
>> > Hi all,
>> > I am dipping my toes into LXC and I'm liking what I see so far.
>> >
>> > I have one question about privileges/security inside containers: I have
>> > started a container and then accessed it with:
>> >
>> > lxc exec c1 /bin/bash
>> >
>> > If I run netstat -anp it will refuse to show me process information for
>> > processes that I do not own (even though I appear to be root).
>> >
>> > For instance an haproxy instance listening on port 3000 appears as the
>> > following (haproxy is running as user haproxy):
>> >
>> > root@c1:~# netstat -anp | grep 3000
>> > (Not all processes could be identified, non-owned process info
>> >  will not be shown, you would have to be root to see it all.)
>> > tcp 0 0 127.0.0.1:3000 0.0.0.0:* LISTEN -
>> >
>> > I am running the latest lxc/lxd on Ubuntu 16.04.
>> >
>> > From what I have read I understand there is some uid mapping going on but I
>> > was hoping someone could explain it to me or point me in the right
>> > direction.
>>
>> If I understand your email right, you'll be interested in
>>
>> man 7 user_namespaces
>>
>> (also available at
>> http://manpages.ubuntu.com/manpages/xenial/en/man7/user_namespaces.7.html )
>>
>> Indeed your container root is privileged with respect to the container's
>> resources, but is not root on the host. /proc/self/uid_map will show
>> how container uids are mapped. For instance, if you have
>>
>> root@trusty-gui:/# cat /proc/self/uid_map
>> 0 100000 65536
>>
>> then root (uid 0) in the container is uid 100000 on the host. It
>> is privileged with respect to uids mapped into the container, which
>> are host uids 100000-165535. The container root is not privileged
>> against any task not owned by one of those host uids.
>
> Thanks for taking the time to answer.
>
> This makes sense, still I don't understand why netstat won't show the pid
> and program for sockets owned by container processes like haproxy in my
> previous example.
>
> haproxy has uid 106 in the container which is mapped to uid 100106 on the
> host so it should be among those manageable by uid 0 (in the container).
>
> Umberto
>
>> -serge
>> _______________________________________________
>> lxc-users mailing list
>> [email protected]
>> http://lists.linuxcontainers.org/listinfo/lxc-users
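The uid translation Serge describes (a `/proc/<pid>/uid_map` line "inside outside count", so container uid 106 becomes host uid 100106) as an added example, not code from the thread or from LXC; the sample map text, the function names and the "privileged over" helper are this example's own, and the sample is constructed to match the thread's `0 100000 65536` line:

```python
# Added example: parse a /proc/<pid>/uid_map and translate uids between the
# container (user namespace) and the host, as explained in the thread.
# UID_MAP_SAMPLE is constructed from the thread's example; a real file may
# hold several lines, each "first_inside_id first_outside_id range_length".

UID_MAP_SAMPLE = "0 100000 65536\n"


def parse_uid_map(text):
    """Return a list of (inside_start, outside_start, count) triples."""
    ranges = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError("malformed uid_map line: %r" % line)
        inside, outside, count = (int(f) for f in fields)
        if count <= 0:
            raise ValueError("non-positive range length: %r" % line)
        ranges.append((inside, outside, count))
    return ranges


def container_to_host(ranges, uid):
    """Host uid for a uid seen inside the container, or None if unmapped."""
    for inside, outside, count in ranges:
        if inside <= uid < inside + count:
            return outside + (uid - inside)
    return None


def host_to_container(ranges, host_uid):
    """Container uid for a host uid, or None if the container cannot see it."""
    for inside, outside, count in ranges:
        if outside <= host_uid < outside + count:
            return inside + (host_uid - outside)
    return None


def container_root_is_privileged_over(ranges, host_uid):
    """Container root is privileged only over tasks owned by mapped host uids."""
    return host_to_container(ranges, host_uid) is not None


if __name__ == "__main__":
    ranges = parse_uid_map(UID_MAP_SAMPLE)
    print(container_to_host(ranges, 106))                      # 100106 (haproxy)
    print(container_root_is_privileged_over(ranges, 100106))   # True
    print(container_root_is_privileged_over(ranges, 1000))     # False (host user)
```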
