Sorry, I had forgotten my own workaround for this.
** Changed in: linux (Ubuntu)
Status: Confirmed => Won't Fix
** Changed in: lxc (Ubuntu)
Status: Triaged => Fix Released
** Changed in: linux (Ubuntu)
Status: Won't Fix => Invalid
--
You received this bug notification
Ok, this is happening because lxc, for privileged containers, bind-
mounts /proc/sys and /proc/sys/net onto themselves. This prevents later
unprivileged mounting of /proc.
Sorry, the test case in #8 is invalid, because lxc-usernsexec doesn't create a new
pid namespace, so mount is denied because we do not own our
pidns->userns.
Current wily kernel is giving me the same behavior.
https://bugs.launchpad.net/bugs/1543367
Title:
nested unprivileged container fails to start at mounting /proc
Simplest way to reproduce:
sudo systemctl stop proc-sys-fs-binfmt_misc.automount # (just to be sure)
unshare -mpf
mount --make-rslave /
mount -t proc proc /proc
lxc-usernsexec
# mount -t proc proc /proc # permission denied, regardless what -o options may pass.
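An added example, not part of the bug thread or of lxc itself, that ties the explanation in the earlier comment (lxc bind-mounting /proc/sys and /proc/sys/net onto themselves in privileged containers) to the reproduction above: it parses a mountinfo listing and reports proc subtrees over-mounted on top of the main /proc mount, which is the condition that comment blames for the later unprivileged proc mount failing. The mountinfo text embedded below is constructed, not captured from a host; the function names are mine.

```python
# Added example (not from the bug thread or lxc): flag proc subtrees such as
# /proc/sys or /proc/sys/net that are bind-mounted over themselves, the
# condition the thread says blocks a later unprivileged mount of /proc.
from typing import Dict, List

# Constructed sample of /proc/self/mountinfo, modelled on a privileged
# container whose /proc/sys and /proc/sys/net were bind-mounted onto themselves.
SAMPLE_MOUNTINFO = """\
22 1 0:21 / / rw,relatime - ext4 /dev/sda1 rw
23 22 0:4 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
24 23 0:4 /sys /proc/sys ro,nosuid,nodev,noexec,relatime - proc proc rw
25 24 0:4 /sys/net /proc/sys/net rw,nosuid,nodev,noexec,relatime - proc proc rw
26 22 0:5 / /sys rw,nosuid,nodev,noexec,relatime - sysfs sysfs rw
"""


def parse_mountinfo(text: str) -> List[Dict[str, str]]:
    """Parse mountinfo lines (field layout per proc(5)) into dicts.

    Only the fields needed here are kept: the root of the mount inside its
    filesystem, the mount point, and the fstype that follows the '-' separator.
    """
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or "-" not in fields:
            continue  # blank or malformed line
        sep = fields.index("-")  # optional fields end at the '-' separator
        entries.append({
            "root": fields[3],
            "mount_point": fields[4],
            "fstype": fields[sep + 1],
        })
    return entries


def proc_overmounts(text: str) -> List[str]:
    """Mount points of proc mounts that expose only a subtree (root != '/').

    A bind-mount of /proc/sys onto itself appears as a proc mount whose root is
    '/sys' rather than '/', which is exactly the over-mount the comment describes.
    """
    return sorted(e["mount_point"] for e in parse_mountinfo(text)
                  if e["fstype"] == "proc" and e["root"] != "/")


def unprivileged_proc_mount_likely_blocked(text: str) -> bool:
    """True when a proc subtree is over-mounted in this mount namespace."""
    return bool(proc_overmounts(text))


if __name__ == "__main__":
    with open("/proc/self/mountinfo") as f:
        print("proc over-mounts:", proc_overmounts(f.read()))
```

Run it inside the container (or the namespace created by the reproduction steps) to see whether the over-mounts are present before attempting the nested mount.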
Upstream kernel still fails:
lxc-start 20160304193125.498 ERROR lxc_conf - conf.c:lxc_mount_auto_mounts:742 - Operation not permitted - error mounting proc on /usr/lib/x86_64-linux-gnu/lxc/proc flags 14
lxc-start: conf.c: lxc_mount_auto_mounts: 742 Operation not permitted - error
Did this issue start happening after an update/upgrade? Was there a
prior kernel version where you were not having this particular problem?
Would it be possible for you to test the latest upstream kernel? Refer
to https://wiki.ubuntu.com/KernelMainlineBuilds . Please test the latest v4.5
It's not something I regularly do, as I normally nest inside unprivileged
lxd containers. So I can't say whether it is a regression. I did revert
to an older trusty kernel and have the same behavior.
I'm going to need to write a script to make this more easily reproducible,
but I won't have
I'm quite certain this is not an apparmor issue, since leaving
everything unconfined does not help.
It could be something we're doing wrong in lxc, but I'm not sure what.
It could be something inherent in mounting onto an open fd.
Note that an unprivileged user on the host is able to do these mounts.
Unprivileged users inside a privileged container cannot.