Hi all,
On 18-12-17 19:27, Mart Kelder wrote:
> Hi all,
> I try to lxc-execute a container I created myself. I attached the log
> messages and the strace file. If I run the command with strace and try
> to replay it, it seems to work correctly [1]. What is the next step to
> investigate this? Where is my test-session ([1]) different than the
> strace file? I use lxc-2.1.1 and lxcfs-2.0.8 (with pam_cgfs).
I tried to debug this further. I wrote a simple C program (attached) which:
1. creates a new pts by opening /dev/ptmx (not done if called with a
   device or pts number)
2. chowns the new pts (or the pts given as argument) with the same method
   as lxc-execute.
I also altered lxc-execute such that it:
a. sleeps for 60 seconds
b. calls the C program above instead of lxc_ttys_shift_ids.
I can observe that:
* The C program is able to chown the pts if:
  - it created the pts itself
  - it is run from a different shell (e.g. not from lxc-execute)
    while lxc-execute is in the 60 seconds sleep.
* The C program isn't able to chown the pts if:
  - it is run from lxc-execute
If it fails, the error code is -EPERM when writing /proc/$$/uid_map by
newuidmap. During the 60-second timeout, I can inspect the /proc process
tree. I don't see important differences in there which can explain the
permission denied, but I don't know exactly what I am looking for.
Does anyone have any idea what causes this or how I can investigate the
reason for failing further?
Thanks,
Mart
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/ioctl.h>
#include <sys/capability.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* uid/gid of the unprivileged user running lxc-execute on the host */
#define OUTER_UID 1002
#define OUTER_GID 1002

static int error(char const *msg)
{
    fprintf(stderr, "%s\n", msg);
    return -1;
}

/* Usage: pts-chown [<pts-number> | /dev/pts/<N>]
 * Without an argument a fresh pts is allocated through /dev/ptmx. The pts
 * is first chgrp'ed to our own gid, then all capabilities are dropped and
 * lxc-usernsexec (which maps ids via newuidmap/newgidmap) is exec'ed to
 * chown the pts to 0:5 as seen inside that id mapping. */
int main(int argc, char **argv, char *const *envp)
{
    int ptmx_fd;
    int pts_id = 0;
    char device[20];
    cap_t caps;
    char *newargs[] = { "lxc-usernsexec",
                        "-m", "u:0:100000:1", "-m", "u:1002:1002:1",
                        "-m", "g:0:100000:1", "-m", "g:5:100005:1",
                        "-m", "g:1002:1002:1",
                        "--", "chown", "0:5", NULL, NULL };

    if (argc <= 1) {
        /* allocate a new pts; ptmx_fd is deliberately kept open (and
         * inherited across execve) so the pts stays allocated */
        ptmx_fd = open("/dev/ptmx", O_RDWR);
        if (ptmx_fd < 0)
            return error("open /dev/ptmx failed");
        if (ioctl(ptmx_fd, TIOCGPTN, &pts_id) != 0)
            return error("TIOCGPTN failed");
        snprintf(device, sizeof device, "/dev/pts/%d", pts_id);
    } else if (strncmp(argv[1], "/dev/pts/", 9) != 0) {
        snprintf(device, sizeof device, "/dev/pts/%s", argv[1]);
    } else {
        snprintf(device, sizeof device, "%s", argv[1]);
    }

    /* give the pts to our own group before the mapped chown */
    if (chown(device, -1, OUTER_GID) != 0)
        return error("chown failed");
    newargs[14] = device;

    /* cap_init() yields an empty set: drop every capability before exec */
    caps = cap_init();
    if (cap_set_proc(caps) != 0)
        return error("cap_set_proc failed");
    cap_free(caps);

    /* execve() only returns on failure */
    execve("/usr/local/bin/lxc-usernsexec", newargs, envp);
    return error("lxc-usernsexec failed");
}
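As an added diagnostic (my own example, not the author's program or LXC code): the two /proc values I would compare first between the shell where the chown works and the lxc-execute process where it fails, parsed from constructed sample buffers. The struct, function names and samples are assumptions of mine; newuidmap_blockers flags only the two conditions under which a setuid newuidmap starts without privilege and its uid_map write then fails with EPERM.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Facts from /proc/<pid>/status and /proc/<pid>/uid_map of one process. */
struct ns_facts { int no_new_privs, map_lines, initial_userns; };

/* Parse the "NoNewPrivs:" line of a status buffer; -1 if it is missing. */
int parse_status(const char *status, struct ns_facts *f)
{
    const char *p = strstr(status, "NoNewPrivs:");
    if (!p) return -1;
    f->no_new_privs = atoi(p + strlen("NoNewPrivs:"));
    return 0;
}

/* Parse a uid_map buffer ("inner outer count" per line); -1 on bad input.
 * initial_userns is set when the map is the identity map "0 0 4294967295". */
int parse_uid_map(const char *map, struct ns_facts *f)
{
    unsigned long inner, outer, count;
    f->map_lines = 0; f->initial_userns = 0;
    for (const char *line = map; line && *line; ) {
        if (sscanf(line, "%lu %lu %lu", &inner, &outer, &count) != 3) return -1;
        if (inner == 0 && outer == 0 && count == 4294967295UL) f->initial_userns = 1;
        f->map_lines++;
        if ((line = strchr(line, '\n'))) line++;
    }
    return 0;
}

/* Why a setuid newuidmap started from this process may run unprivileged and
 * then get EPERM writing uid_map: 1 = NoNewPrivs set (execve grants no setuid
 * privilege); 2 = already in a non-initial user namespace, where the host's
 * uid 0 is normally unmapped, so the setuid bit of root-owned binaries is ignored. */
int newuidmap_blockers(const struct ns_facts *f)
{
    return (f->no_new_privs ? 1 : 0) | (f->initial_userns ? 0 : 2);
}

/* Evaluate both files of one process; -1 if either does not parse. */
int blockers_from(const char *status, const char *map)
{
    struct ns_facts f;
    if (parse_status(status, &f) < 0 || parse_uid_map(map, &f) < 0) return -1;
    return newuidmap_blockers(&f);
}

/* Constructed samples (not captured from the author's system). */
static const char *SHELL_STATUS = "Name:\tbash\nNoNewPrivs:\t0\n";
static const char *SHELL_MAP = "         0          0 4294967295\n";
static const char *LXC_STATUS = "Name:\tlxc-execute\nNoNewPrivs:\t0\n";
static const char *LXC_MAP = "         0     100000          1\n      1002       1002          1\n";
```

On a live system, feed the contents of /proc/<pid>/status and /proc/<pid>/uid_map of the sleeping lxc-execute and of the working shell to blockers_from and compare the two results.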
_______________________________________________
lxc-users mailing list
http://lists.linuxcontainers.org/listinfo/lxc-users