Re: [lxc-devel] Request for update Jenkins script for plamo images

2014-08-31 Thread TAMUKI Shoichi
Hello Stephane,

From: TAMUKI Shoichi tam...@linet.gr.jp
Subject: Re: [lxc-devel] Request for update Jenkins script for plamo images
Date: Thu, 28 Aug 2014 16:46:45 +0900

 Perhaps, we should do a similar workaround for producing the other
 distribution (centos, debian, fedora, gentoo, opensuse, and oracle)
 images on the Jenkins server.  I will also investigate them if I have
 enough time.

I investigated the other distribution images to see if the workarounds
are necessary or not.

[centos]

$ tar tvpJf rootfs.tar.xz | grep -v root/root
-rw-rw-r-- root/voice 0 2014-08-28 11:35:12 ./var/run/utmp
-rw-rw-r-- root/voice 0 2014-08-28 11:35:12 ./var/log/wtmp
-rw------- root/voice 0 2014-08-28 11:35:12 ./var/log/btmp

* The gid for voice on ubuntu is 22.
* The group name for gid=22 on centos is utmp.
* The group name utmp already exists on ubuntu (gid=43.)

Since all user/group names in rootfs exist on ubuntu, the useradd/
groupadd workaround is unnecessary.  However, extracting packages to
rootfs in the template script needs to be fixed.

[debian]

There seems to be no need for the workaround.

[fedora]

$ tar tvpJf rootfs.tar.xz | grep -v root/root
drwxrwxr-x root/man        0 2013-08-07 18:10:08 ./var/spool/mail/
-rw-rw-r-- root/voice      0 2014-08-28 10:53:28 ./var/log/wtmp
-rw------- root/voice      0 2014-08-28 10:53:28 ./var/log/btmp
drwxr-sr-x root/190        0 2014-07-24 22:37:15 ./var/log/journal/
drwxr-xr-x root/35         0 2014-08-28 10:53:24 ./usr/libexec/utempter/
-rwx--s--x root/voice  11200 2013-08-03 17:06:03 ./usr/libexec/utempter/utempter
---x--s--x root/999   287864 2014-07-18 15:54:07 ./usr/libexec/openssh/ssh-keysign
-rwsr-x--- root/81    322432 2014-07-03 07:36:31 ./usr/lib64/dbus-1/dbus-daemon-launch-helper
-rwxr-sr-x root/tty    19544 2014-04-25 18:19:17 ./usr/bin/write
---x--s--x root/99    145296 2014-07-18 15:54:07 ./usr/bin/ssh-agent
-rw-rw-r-- root/voice      0 2014-08-28 10:53:28 ./run/utmp
drwxrwxr-x root/54         0 2014-08-28 10:53:27 ./run/lock/lockdev/

* The gid for man on ubuntu is 12.
* The group name for gid=12 on fedora is mail.
* The group name mail already exists on ubuntu (gid=8.)

* The gid for voice on ubuntu is 22.
* The group name for gid=22 on fedora is utmp.
* The group name utmp already exists on ubuntu (gid=43.)

* The group name for gid=190 on fedora is systemd-journal.
* The group name for gid=35 on fedora is utempter.
* The group name for gid=999 on fedora is ssh_keys.
* The group name for gid=81 on fedora is dbus.
* The gid for tty on ubuntu and fedora is 5 (same gid.)
* The group name for gid=99 on fedora is nobody.
* The group name for gid=54 on fedora is lock.

The useradd/groupadd workaround is as follows.  Also, extracting
packages to rootfs in the template script needs to be fixed.

 == Executing: for i in utempter lock dbus nobody systemd-journal ssh_keys ; do groupadd $i ; done in /

[gentoo]

$ tar tvpJf rootfs.tar.xz | grep -v " 0/0 " | grep -v " 250/250 "
(snip)

* The user/group name for uid/gid=250 on gentoo is portage.
* The user name for uid=6 on ubuntu is man.
* The group name for gid=6 on ubuntu is disk.
* The group name for gid=5 on ubuntu is tty.
* The group name for gid=15 on ubuntu is kmem.

It seems that extracting packages to rootfs in the template script
works fine.  However, the --numeric-owner trick in the Jenkins script
needs to be removed because the rootfs.tar.xz is currently for ubuntu
only from the viewpoint of ownership.

[opensuse]

There seems to be no need for the workaround.

[oracle]

$ tar tvpJf rootfs.tar.xz | grep -v root/root
drwx------ 500/500      0 2014-08-28 20:43:28 ./home/oracle/
-rw-r--r-- 500/500     18 2013-07-18 23:33:26 ./home/oracle/.bash_logout
-rw-r--r-- 500/500    176 2013-07-18 23:33:26 ./home/oracle/.bash_profile
-rw-r--r-- 500/500    124 2013-07-18 23:33:26 ./home/oracle/.bashrc
-rw-rw---- 500/man      0 2014-08-28 20:43:28 ./var/spool/mail/oracle
-rw-rw-r-- root/voice   0 2014-08-28 20:43:26 ./var/run/utmp
-rw------- root/voice   0 2014-08-28 20:43:26 ./var/log/btmp
-rw-rw-r-- root/voice   0 2014-08-28 20:43:26 ./var/log/wtmp

* The user/group name for uid/gid=500 on oracle is oracle.

* The gid for man on ubuntu is 12.
* The group name for gid=12 on fedora is mail.
* The group name mail already exists on ubuntu (gid=8.)

* The gid for voice on ubuntu is 22.
* The group name for gid=22 on fedora is utmp.
* The group name utmp already exists on ubuntu (gid=43.)

Since all user/group names in rootfs exist on ubuntu except oracle,
the useradd/groupadd workaround is unnecessary.  However, extracting
packages to rootfs in the template script needs to be fixed.

[plamo]

The useradd/groupadd workaround is as follows.  Also, the
--numeric-owner trick in the Jenkins script needs to be removed because
the rootfs.tar.xz is currently for ubuntu only from the viewpoint of
ownership (with only a few defective ownerships.)

 == 
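
The comparison the message above carries out by hand for fedora, as an added example that is not part of the original post or of the LXC Jenkins scripts: it reads the group name and numeric gid stored in each tar header, reports names that differ from the guest's name for that gid, and lists guest groups absent from the build host. The group tables and the sample tarball are constructed from the gid/name pairs quoted in the message; `build_sample_tar` and `audit` are hypothetical names.

```python
import io
import tarfile

# Constructed from the gid/name pairs quoted in the message, not read from real hosts.
HOST_GROUPS = {"root": 0, "tty": 5, "mail": 8, "man": 12, "voice": 22, "utmp": 43}
GUEST_GROUPS = {0: "root", 5: "tty", 12: "mail", 22: "utmp", 35: "utempter",
                54: "lock", 81: "dbus", 99: "nobody", 190: "systemd-journal",
                999: "ssh_keys"}
SAMPLE = [("var/spool/mail", 12), ("var/log/wtmp", 22), ("var/log/journal", 190),
          ("usr/libexec/utempter/utempter", 35), ("usr/bin/write", 5),
          ("usr/libexec/openssh/ssh-keysign", 999), ("usr/bin/ssh-agent", 99),
          ("usr/lib64/dbus-1/dbus-daemon-launch-helper", 81),
          ("run/lock/lockdev", 54), ("etc/hostname", 0)]


def build_sample_tar():
    """Pack SAMPLE as tar on the build host would: gname is the host's name for the gid."""
    host_names = {gid: name for name, gid in HOST_GROUPS.items()}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, gid in SAMPLE:
            info = tarfile.TarInfo(path)
            info.gid, info.gname, info.uname = gid, host_names.get(gid, ""), "root"
            tar.addfile(info)
    buf.seek(0)
    return buf


def audit(fileobj, host_groups, guest_groups):
    """Return (mislabelled, missing): entries whose stored group name differs from
    the guest's name for that gid, and guest group names the build host lacks."""
    mislabelled, missing = [], set()
    with tarfile.open(fileobj=fileobj) as tar:
        for member in tar:
            guest_name = guest_groups.get(member.gid)
            if member.gid == 0 or guest_name is None:
                continue
            if member.gname and member.gname != guest_name:
                mislabelled.append((member.name, member.gid, member.gname, guest_name))
            if guest_name not in host_groups:
                missing.add(guest_name)
    return mislabelled, sorted(missing)


if __name__ == "__main__":
    bad, need = audit(build_sample_tar(), HOST_GROUPS, GUEST_GROUPS)
    for name, gid, stored, wanted in bad:
        print(f"{name}: gid {gid} is '{stored}' on the host, '{wanted}' in the guest")
    print("groups to add on the build host:", " ".join(need))
```
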

Re: [lxc-devel] [PATCH V1] Use pivot_root and umount2 instead of chroot

2014-08-31 Thread Michael H. Warfield
On Mon, 2014-09-01 at 03:24 +, Steven Stewart-Gallus wrote:
 chrooting leaves the old mount information in /proc/mounts and gives
 me anxiety. Explicitly switch root directories and unmount the old
 root directory.

 Signed-off-by: Steven Stewart-Gallus sstewartgallu...@mylangara.bc.ca

(/me checks watch and checks calendar)...  Here there be dragons.

We have gone back and forth on this for years.  There were SERIOUS
reasons for the decisions that were made (maybe right, maybe wrong and
which maybe changed now).  Not just the pollution of the mount table
(which is a serious PITA) but the issues of security and mount (mount
remount) security in containers and the interaction with other
containers.  This subject causes no end of problems of ro/rw remount
issues across templates.

Has this been tested against the security and operational cases we have
faced and evaluated in the past?  I'd like to hear from Stephane and
Serge on this but I'm extremely leery of this lacking a security
evaluation of this change.  This is at the heart of a security issue for
the whole project.

IF things have changed and IF this can be done securely and IF this can
be done where one container does NOT contaminate the state of another, I
am comfortable with it.  Without that assurance, I am not.

This needs some serious evaluation, IMNSO.

Regards,
Mike

 ---
 
 Hello! In my own little sandbox program I use pivot_root and umount2
 instead of chroot.  It seems a lot more fool proof to me and also
 removes the old mount information from /proc/mounts.  I noticed that
 LXC didn't use this technique so I wanted to share it with LXC.
 Unfortunately, LXC's build system was mysteriously failing at building
 the documentation so I couldn't test this patch.  In any case, I
 wanted to discuss the general approach anyways mostly.
 
 Thank you,
 Steven Stewart-Gallus
 
 diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
 index ee8f491..38e33f4 100644
 --- a/src/lxc/lxccontainer.c
 +++ b/src/lxc/lxccontainer.c
 @@ -3397,10 +3397,17 @@ static bool do_add_remove_node(pid_t init_pid, const
 char *path, bool add,
   if (ret  0 || ret = MAXPATHLEN)
   return false;
  
 - if (chroot(chrootpath)  0)
 + if (chdir(chrootpath)  0)
   exit(1);
 - if (chdir(/)  0)
 +
 + if (syscall(__NR_pivot_root, ., .)  0) {
 + exit(1);
 + }
 +
 + if (umount2(., MNT_DETACH)  0) {
   exit(1);
 + }
 +
   /* remove path if it exists */
   if(faccessat(AT_FDCWD, path, F_OK, AT_SYMLINK_NOFOLLOW) == 0) {
   if (unlink(path)  0) {
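
Review bot: pivot_root(2), called on the added `syscall(__NR_pivot_root, ., .)` line, moves the root mount for the calling process's whole mount namespace, whereas the removed chroot() only changed this one process's root, so the following `umount2(., MNT_DETACH)` detaches the old root for every process that shares that namespace. Nothing in this hunk shows do_add_remove_node() running in a private mount namespace or chrootpath being a mount point, and pivot_root fails with EINVAL when new_root is not one; please either establish both before the call (and say so in a comment) or keep chroot() here. The error paths still only exit(1), so a pivot_root or umount2 failure cannot be told apart from the earlier ones, and the new braces around single-statement bodies differ from the unbraced `exit(1);` in the surrounding lines.
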
 
 ___
 lxc-devel mailing list
 lxc-devel@lists.linuxcontainers.org
 http://lists.linuxcontainers.org/listinfo/lxc-devel
 

-- 
Michael H. Warfield (AI4NB) | (770) 978-7061 |  m...@wittsend.com
   /\/\|=mhw=|\/\/  | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9  | An optimist believes we live in the best of all
 PGP Key: 0x674627FF| possible worlds.  A pessimist is sure of it!


