When I added an ext4 lxc.mount.entry to a working Ubuntu 10.04
container, lxc-start stopped working.  Please help me understand why.
A partial strace and a copy of proud.conf are below.

At first I thought that lxc-start wasn't allowed to mount it because
SYS_ADMIN is dropped -- but if that were so, why is the bind mount
(-o bind) still allowed?  I checked, and -o bind is NOT allowed from inside
the container (when booting it without the ext4 lxc.mount.entry).

r...@omega:~# lxc-start -n proud -f /etc/lxc/proud.conf
lxc-start: Operation not permitted - failed to mount '/dev/omega/squid' on 
'/srv/lxc/proud/var/spool/squid'
lxc-start: failed to setup the mount entries for 'proud'
lxc-start: failed to setup the container
lxc-start: invalid sequence number 1. expected 2
lxc-start: failed to spawn 'proud'
r...@omega:~# strace -femount,capget,capset lxc-start -n proud -f 
/etc/lxc/proud.conf
capget(0x20080522, 0, NULL)             = -1 EFAULT (Bad address)
capget(0x20080522, 0, 
{CAP_CHOWN|CAP_DAC_OVERRIDE|CAP_DAC_READ_SEARCH|CAP_FOWNER|CAP_FSETID|CAP_KILL|CAP_SETGID|CAP_SETUID|CAP_SETPCAP|CAP_LINUX_IMMUTABLE|CAP_NET_BIND_SERVICE|CAP_NET_BROADCAST|CAP_NET_ADMIN|CAP_NET_RAW|CAP_IPC_LOCK|CAP_IPC_OWNER|CAP_SYS_MODULE|CAP_SYS_RAWIO|CAP_SYS_CHROOT|CAP_SYS_PTRACE|CAP_SYS_PACCT|CAP_SYS_ADMIN|CAP_SYS_BOOT|CAP_SYS_NICE|CAP_SYS_RESOURCE|CAP_SYS_TIME|CAP_SYS_TTY_CONFIG|CAP_MKNOD|CAP_LEASE|CAP_AUDIT_WRITE|CAP_AUDIT_CONTROL|CAP_SETFCAP,
 
CAP_CHOWN|CAP_DAC_OVERRIDE|CAP_DAC_READ_SEARCH|CAP_FOWNER|CAP_FSETID|CAP_KILL|CAP_SETGID|CAP_SETUID|CAP_SETPCAP|CAP_LINUX_IMMUTABLE|CAP_NET_BIND_SERVICE|CAP_NET_BROADCAST|CAP_NET_ADMIN|CAP_NET_RAW|CAP_IPC_LOCK|CAP_IPC_OWNER|CAP_SYS_MODULE|CAP_SYS_RAWIO|CAP_SYS_CHROOT|CAP_SYS_PTRACE|CAP_SYS_PACCT|CAP_SYS_ADMIN|CAP_SYS_BOOT|CAP_SYS_NICE|CAP_SYS_RESOURCE|CAP_SYS_TIME|CAP_SYS_TTY_CONFIG|CAP_MKNOD|CAP_LEASE|CAP_AUDIT_WRITE|CAP_AUDIT_CONTROL|CAP_SETFCAP,
 0}) = 0
capset(0x20080522, 0, {0, 
CAP_CHOWN|CAP_DAC_OVERRIDE|CAP_DAC_READ_SEARCH|CAP_FOWNER|CAP_FSETID|CAP_KILL|CAP_SETGID|CAP_SETUID|CAP_SETPCAP|CAP_LINUX_IMMUTABLE|CAP_NET_BIND_SERVICE|CAP_NET_BROADCAST|CAP_NET_ADMIN|CAP_NET_RAW|CAP_IPC_LOCK|CAP_IPC_OWNER|CAP_SYS_MODULE|CAP_SYS_RAWIO|CAP_SYS_CHROOT|CAP_SYS_PTRACE|CAP_SYS_PACCT|CAP_SYS_ADMIN|CAP_SYS_BOOT|CAP_SYS_NICE|CAP_SYS_RESOURCE|CAP_SYS_TIME|CAP_SYS_TTY_CONFIG|CAP_MKNOD|CAP_LEASE|CAP_AUDIT_WRITE|CAP_AUDIT_CONTROL|CAP_SETFCAP,
 0}) = 0
capget(0x20080522, 0, NULL)             = -1 EFAULT (Bad address)
capget(0x20080522, 0, {0, 
CAP_CHOWN|CAP_DAC_OVERRIDE|CAP_DAC_READ_SEARCH|CAP_FOWNER|CAP_FSETID|CAP_KILL|CAP_SETGID|CAP_SETUID|CAP_SETPCAP|CAP_LINUX_IMMUTABLE|CAP_NET_BIND_SERVICE|CAP_NET_BROADCAST|CAP_NET_ADMIN|CAP_NET_RAW|CAP_IPC_LOCK|CAP_IPC_OWNER|CAP_SYS_MODULE|CAP_SYS_RAWIO|CAP_SYS_CHROOT|CAP_SYS_PTRACE|CAP_SYS_PACCT|CAP_SYS_ADMIN|CAP_SYS_BOOT|CAP_SYS_NICE|CAP_SYS_RESOURCE|CAP_SYS_TIME|CAP_SYS_TTY_CONFIG|CAP_MKNOD|CAP_LEASE|CAP_AUDIT_WRITE|CAP_AUDIT_CONTROL|CAP_SETFCAP,
 0}) = 0
capset(0x20080522, 0, 
{CAP_CHOWN|CAP_DAC_OVERRIDE|CAP_DAC_READ_SEARCH|CAP_FOWNER|CAP_FSETID|CAP_KILL|CAP_SETGID|CAP_SETUID|CAP_SETPCAP|CAP_LINUX_IMMUTABLE|CAP_NET_BIND_SERVICE|CAP_NET_BROADCAST|CAP_NET_ADMIN|CAP_NET_RAW|CAP_IPC_LOCK|CAP_IPC_OWNER|CAP_SYS_MODULE|CAP_SYS_RAWIO|CAP_SYS_CHROOT|CAP_SYS_PTRACE|CAP_SYS_PACCT|CAP_SYS_ADMIN|CAP_SYS_BOOT|CAP_SYS_NICE|CAP_SYS_RESOURCE|CAP_SYS_TIME|CAP_SYS_TTY_CONFIG|CAP_MKNOD|CAP_LEASE|CAP_AUDIT_WRITE|CAP_AUDIT_CONTROL|CAP_SETFCAP,
 
CAP_CHOWN|CAP_DAC_OVERRIDE|CAP_DAC_READ_SEARCH|CAP_FOWNER|CAP_FSETID|CAP_KILL|CAP_SETGID|CAP_SETUID|CAP_SETPCAP|CAP_LINUX_IMMUTABLE|CAP_NET_BIND_SERVICE|CAP_NET_BROADCAST|CAP_NET_ADMIN|CAP_NET_RAW|CAP_IPC_LOCK|CAP_IPC_OWNER|CAP_SYS_MODULE|CAP_SYS_RAWIO|CAP_SYS_CHROOT|CAP_SYS_PTRACE|CAP_SYS_PACCT|CAP_SYS_ADMIN|CAP_SYS_BOOT|CAP_SYS_NICE|CAP_SYS_RESOURCE|CAP_SYS_TIME|CAP_SYS_TTY_CONFIG|CAP_MKNOD|CAP_LEASE|CAP_AUDIT_WRITE|CAP_AUDIT_CONTROL|CAP_SETFCAP,
 0}) = 0
Process 29115 attached
[pid 29115] mount("none", "/srv/lxc/proud/dev/shm", "tmpfs", 
MS_NOSUID|MS_NODEV, NULL) = 0
[pid 29115] mount("none", "/srv/lxc/proud/lib/init/rw", "tmpfs", MS_NOSUID, 
"mode=0755,size=8m") = 0
[pid 29115] mount("none", "/srv/lxc/proud/proc", "proc", 
MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL) = 0
[pid 29115] mount("none", "/srv/lxc/proud/tmp", "tmpfs", 0, NULL) = 0
[pid 29115] mount("none", "/srv/lxc/proud/var/lock", "tmpfs", 
MS_NOSUID|MS_NODEV|MS_NOEXEC, "size=8m") = 0
[pid 29115] mount("/srv/mirror", "/srv/lxc/proud/srv/mirror", 0x22036f6, 
MS_RDONLY|MS_BIND, NULL) = 0
[pid 29115] mount("/srv/mirror", "/srv/lxc/proud/srv/mirror", 0x22036f6, 
MS_RDONLY|MS_REMOUNT|MS_BIND, NULL) = 0
[pid 29115] mount("/home", "/srv/lxc/proud/home", 0x22036f6, MS_BIND, NULL) = 0
[pid 29115] mount("/home", "/srv/lxc/proud/home", 0x22036f6, 
MS_REMOUNT|MS_BIND, NULL) = 0
[pid 29115] mount("/dev/omega/squid", "/srv/lxc/proud/var/spool/squid", "ext4", 
0, NULL) = -1 EPERM (Operation not permitted)
lxc-start: Operation not permitted - failed to mount '/dev/omega/squid' on 
'/srv/lxc/proud/var/spool/squid'
lxc-start: failed to setup the mount entries for 'proud'
lxc-start: failed to setup the container
Process 29115 detached
lxc-start: invalid sequence number 1. expected 2
lxc-start: failed to spawn 'proud'
r...@omega:~#
# Created 2010-12-15 19:35:16.736972336+11:00
# Created 2010-12-15 17:34:27.218509994+11:00 (template)
lxc.utsname = proud
lxc.console = /var/log/lxc/proud.console
lxc.rootfs = /srv/lxc/proud
lxc.tty = 4
lxc.pts = 1024

lxc.network.type = veth
lxc.network.link = br-managed
lxc.network.name = managed
lxc.network.flags = up

lxc.cgroup.memory.limit_in_bytes = 256M
lxc.cgroup.memory.memsw.limit_in_bytes = 1G
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 4:* rwm
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:2 rwm
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 254:0 rm

# Prevent the container from using mount(8), esp. remounting its root filesystem -o ro.
# This means that *at least* /proc must be mounted from outside the container.
lxc.cap.drop = sys_admin
lxc.mount.entry  = none /srv/lxc/proud/dev/shm tmpfs nosuid,nodev
lxc.mount.entry  = none /srv/lxc/proud/lib/init/rw tmpfs mode=0755,nosuid,size=8m
lxc.mount.entry  = none /srv/lxc/proud/proc proc nodev,noexec,nosuid
#lxc.mount.entry = none /srv/lxc/proud/proc/sys/fs/binfmt_misc binfmt_misc nodev,noexec,nosuid
#lxc.mount.entry = none /srv/lxc/proud/sys sysfs nodev,noexec,nosuid
#lxc.mount.entry = none /srv/lxc/proud/sys/fs/fuse/connections fusectl defaults
#lxc.mount.entry = none /srv/lxc/proud/sys/kernel/debug debugfs defaults
#lxc.mount.entry = none /srv/lxc/proud/sys/kernel/security securityfs defaults
lxc.mount.entry  = none /srv/lxc/proud/tmp tmpfs defaults
lxc.mount.entry  = none /srv/lxc/proud/var/lock tmpfs nodev,noexec,nosuid,size=8m
# This mount would break lxc-start's halt/reboot autodetection (in lxc 0.7.x).
#lxc.mount.entry  = none /srv/lxc/proud/var/run tmpfs mode=0755,nosuid,size=8m
# Data mountpoints
lxc.mount.entry  = /srv/mirror /srv/lxc/proud/srv/mirror none bind,ro
lxc.mount.entry  = /home       /srv/lxc/proud/home       none bind
lxc.mount.entry  = /dev/omega/squid /srv/lxc/proud/var/spool/squid ext4 defaults

# Not dropped, because removing these capabilities breaks things:
#chown net_admin setgid                 # getty or login
#net_bind_service net_raw net_broadcast # dhclient
#setuid                                 # rsyslog
#sys_chroot                             # openssh-server
#fowner dac_override dac_read_search    # lots of things (like root_squash)
#kill                                   # needed by default to stop rsyslogd/slapd
# Not dropped, because I *think* keeping these is harmless:
#fsetid ipc_lock ipc_owner lease sys_nice sys_ptrace
lxc.cap.drop = audit_control audit_write linux_immutable mac_admin
lxc.cap.drop = mac_override mknod setfcap setpcap sys_admin sys_boot
lxc.cap.drop = sys_module sys_pacct sys_rawio sys_resource sys_time
lxc.cap.drop = sys_tty_config