Adithya K <linux.challen...@gmail.com> wrote:

> > > I am using busybox template to create container on ubuntu. I am
> > > creating container as non-privileged. Attached is the config created.
> > > I am mapping var/run/duns/socket from host to container. Basically I
> > > am using host dbus.
> > > What I see is when I try to run any dbus program,
> > > dbus_bus_get(DBUS_BUS_SYSTEM, &err); call fails. Basically I am not
> > > able to get dbus bus connection.
> > > When I create container using privileged mode, then this issue doesn't
> > > exist.
> > > Any solution for this issue?

This will not work (as you have discovered!) This is why ...

The dbus-daemon examines the credentials on the UNIX domain socket, in order
to find out the peer's PID and UID. If the peer is in a different PID and/or
UID namespace, the kernel will have remapped the credentials into the
dbus-daemon's namespace.

The client, however, will still try to authenticate by passing its UID in
the SASL setup for the connection by sending "AUTH EXTERNAL <UID>", where
<UID> is a hex version of the stringification of the effective UID of the
client in *its* namespace. e.g. the UID 789 would be encoded as 373839!

Thus when the dbus-daemon receives this UID and compares it to the
credentials it found on the socket, it finds the UIDs don't match and thus
it refuses to permit the connection.

For my project, I can afford to disable the SASL part of the connection
protocol in the client - it would be possible to fix this in the daemon, but
for various reasons I can't do that in my project. The obvious problem of
patching the client rather than the server is that you end up having to
patch all the different client DBus libraries.

I attach an example patch for dbox-1.10.6 that *disables* the sending of the
client UID in the setup message. If that's acceptable for your situation,
you're welcome to use it. There's a second patch for GDBus too.

-- 
Stewart Brodie
Senior Software Engineer
Espial UK

dbus-external-auth-rely-on-scm-creds.patch
gdbus-auth.patch
_______________________________________________
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users
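
The mismatch described in the reply above, as an added example that is not part of the original message, its patches or D-Bus itself: a simplified Python model of the "AUTH EXTERNAL" check against the socket credentials. The uid_map values, the function names and the handling of a setup line with no UID are assumptions made for illustration.

```python
import binascii

# Constructed uid_map entries in /proc/<pid>/uid_map order:
# (first UID inside the namespace, first UID outside, length).
UNPRIVILEGED_MAP = [(0, 100000, 65536)]   # assumed unprivileged container
PRIVILEGED_MAP = [(0, 0, 4294967295)]     # identity map: no UID remapping
OVERFLOW_UID = 65534                      # reported when a UID has no mapping


def uid_seen_by_daemon(client_uid, uid_map):
    """UID the kernel attaches to the socket, as seen in the daemon's namespace."""
    for inside, outside, length in uid_map:
        if inside <= client_uid < inside + length:
            return outside + (client_uid - inside)
    return OVERFLOW_UID


def client_auth_line(client_uid, send_uid=True):
    """Setup line: hex of the decimal string of the UID in the client's namespace."""
    if not send_uid:  # models a client patched to omit the UID
        return b"AUTH EXTERNAL\r\n"
    return b"AUTH EXTERNAL " + binascii.hexlify(str(client_uid).encode()) + b"\r\n"


def daemon_authenticate(auth_line, socket_uid):
    """Return the authenticated UID, or None if the connection is refused."""
    parts = auth_line.strip().split()
    if parts[:2] != [b"AUTH", b"EXTERNAL"] or len(parts) > 3:
        return None
    if len(parts) == 2:
        # Assumption: with no claimed UID, the socket credentials decide.
        return socket_uid
    try:
        claimed = int(binascii.unhexlify(parts[2]).decode())
    except ValueError:  # bad hex, bad UTF-8 or non-numeric payload
        return None
    return claimed if claimed == socket_uid else None


def connect(client_uid, uid_map, send_uid=True):
    """One connection attempt: client line plus kernel-supplied credentials."""
    line = client_auth_line(client_uid, send_uid)
    return daemon_authenticate(line, uid_seen_by_daemon(client_uid, uid_map))


if __name__ == "__main__":
    print(client_auth_line(789))
    print("unprivileged:", connect(789, UNPRIVILEGED_MAP))
    print("privileged:  ", connect(789, PRIVILEGED_MAP))
    print("no UID sent: ", connect(789, UNPRIVILEGED_MAP, send_uid=False))
```

In this model the client that omits its UID is authenticated as the remapped UID from the socket (100789 here), so any bus policy on the host applies to that UID rather than to 789.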