[systemd-devel] Unable to run systemd in an LXC / cgroup container.

Lennart Poettering lennart at poettering.net
Fri Nov 9 15:52:13 PST 2012


On Tue, 06.11.12 11:07, Michael H. Warfield (mhw at WittsEnd.com) wrote:

> Here's where we've seen some problems in the past.  It's not just mounts
> that are propagated but remounts as well.  The problem arose that some
> of us had our containers on a separate partition.  When we would shut a
> container down, that container tried to remount its file systems ro
> which then propagated back into the host causing the hosts file system
> to be ro (doesn't happen if you are running on the host's root fs for
> the containers) and from there across into the other containers.
> 
> Are you using MS_SHARED or MS_SLAVE for this?  If you are using
> MS_SHARED, do you create a potential security problem where actions in
> the container can bleed into the state of the host and into other
> containers?  That's highly undesirable.

The root namespace is MS_SHARED, and nspawn and libvirt-lxc containers
are MS_SLAVE. That ensures mounts from the host propagate to the
containers but not vice versa.

> > > > as
> > > > soon as it tries to use pivot_root(), as that is incompatible with
> > > > shared mount propagation. This needs fixing in LXC: it should use
> > > > MS_MOVE
> > > > or MS_BIND to place the new root dir in / instead. A short term
> 
> > Actually not quite sure how this would work.  It should be possible
> > to set up a set of conditions to work around this, but the kernel
> > checks at do_pivotroot are pretty harsh - mnt->mnt_parent of both
> > the new root and current root have to be not shared.  So perhaps
> > we actually first chroot into a dir whose parent is non-shared,
> > then pivot_root from there?  :)
> > 
> > (Simple chroot in place of pivot_root still does not suffice, not
> > only because of chroot escapes, but also different results in
> > /proc/pid/mountinfo and friends)
> 
> Comments on Serge's points?

Don't use pivot_root. Instead use MS_MOVE to move the container root to
/.

> At this point, we see where this will become problematical in Fedora 18
> but appears to already be problematical in NixOS that another user is
> running and which contains systemd 195 in the host.

There's nothing really problematical with this. LXC should stop using
pivot_root, and use MS_MOVE instead.

> We've had problems with chroot in the past due to chroot escapes and
> other problems years ago as Serge mentioned.

chroot() is not useful for this. You should invoke chroot() once, to
fix chroot after adjusting the namespace, but that's not the call that
actually shifts the namespace around. That should be done with MS_MOVE.

The code should look like this:

http://cgit.freedesktop.org/systemd/systemd/tree/src/nspawn/nspawn.c#n1264

Lennart

-- 
Lennart Poettering - Red Hat, Inc.
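The sequence described in the message above (unshare a mount namespace, make its mounts slaves of the host's so host mounts still arrive but nothing propagates back, then place the container root with a bind mount plus MS_MOVE and a single chroot() instead of pivot_root()), written out as an added example. This is not code from the original message, from nspawn or from LXC; the nspawn source is linked above and this follows the same order of calls. The mountinfo decoder, the propagation_of() helper and the sample mountinfo text are my additions for checking the result, and the sample is constructed, not captured from a host. The fields it parses and the "shared:N" / "master:N" tags are the documented /proc/[pid]/mountinfo format. The mount calls need CAP_SYS_ADMIN; the parser does not.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <unistd.h>

/* Propagation state decoded from one /proc/self/mountinfo line: bit 0 is
 * set for "shared:N", bit 1 for "master:N" (a slave of peer group N).
 * Both bits together are a slave that is also shared with its own peers. */
enum { PROP_PRIVATE = 0, PROP_SHARED = 1, PROP_SLAVE = 2 };

/* Decode the optional fields (column 7 up to the " - " separator).
 * Returns -1 if the line is not in mountinfo format. */
int mountinfo_propagation(const char *line)
{
    const char *sep = strstr(line, " - ");
    const char *p = line;
    int prop = PROP_PRIVATE;

    if (!sep)
        return -1;
    for (int i = 0; i < 6; i++) {        /* skip id, parent, dev, root, mountpoint, opts */
        p = strchr(p, ' ');
        if (!p || p > sep)
            return -1;
        p++;
    }
    while (p < sep) {                      /* anything left before " - " is a tag */
        if (strncmp(p, "shared:", 7) == 0)
            prop |= PROP_SHARED;
        else if (strncmp(p, "master:", 7) == 0)
            prop |= PROP_SLAVE;
        p = strchr(p, ' ');
        if (!p)
            break;
        p++;
    }
    return prop;
}

/* Does column 5 (the mount point) of this line equal `want`? */
static int mountpoint_is(const char *line, const char *want)
{
    const char *p = line;
    for (int i = 0; i < 4; i++) {
        p = strchr(p, ' ');
        if (!p)
            return 0;
        p++;
    }
    size_t n = strcspn(p, " ");
    return n == strlen(want) && strncmp(p, want, n) == 0;
}

/* Propagation state of `mountpoint` in a whole mountinfo text; -1 if absent. */
int propagation_of(const char *mountinfo, const char *mountpoint)
{
    char buf[1024];
    for (const char *line = mountinfo; *line; ) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        if (len < sizeof buf) {
            memcpy(buf, line, len);
            buf[len] = '\0';
            if (mountpoint_is(buf, mountpoint))
                return mountinfo_propagation(buf);
        }
        if (!nl)
            break;
        line = nl + 1;
    }
    return -1;
}

/* Constructed sample (not from a real host): shared root, slave mount, private tmpfs. */
const char sample_mountinfo[] =
    "22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw\n"
    "36 22 98:0 /mnt1 /mnt2 rw,noatime master:1 - ext3 /dev/root rw\n"
    "40 22 0:33 / /tmp rw - tmpfs tmpfs rw\n";

/* Everything in this namespace becomes a slave of the host's mounts:
 * host mounts still propagate in, a remount-ro in here stays in here. */
static int make_mounts_slave(void)
{
    return mount(NULL, "/", NULL, MS_SLAVE | MS_REC, NULL);
}

/* Put `new_root` at / without pivot_root(): bind it onto itself so it is a
 * mount point, MS_MOVE that mount over /, then the one chroot() that fixes
 * the process root to match the namespace. */
static int move_root(const char *new_root)
{
    if (mount(new_root, new_root, NULL, MS_BIND | MS_REC, NULL) < 0) return -1;
    if (chdir(new_root) < 0) return -1;
    if (mount(new_root, "/", NULL, MS_MOVE, NULL) < 0) return -1;
    if (chroot(".") < 0) return -1;
    return chdir("/");
}

int main(int argc, char **argv)
{
    static char buf[1 << 16];              /* best-effort read; mountinfo may be longer */
    if (argc < 2) { fprintf(stderr, "usage: %s <container-root> [cmd...]\n", argv[0]); return 2; }
    if (unshare(CLONE_NEWNS) < 0) { perror("unshare"); return 1; }
    if (make_mounts_slave() < 0) { perror("MS_SLAVE"); return 1; }
    FILE *f = fopen("/proc/self/mountinfo", "r");   /* check before moving; /proc may be absent after */
    if (f) {
        size_t n = fread(buf, 1, sizeof buf - 1, f);
        buf[n] = '\0';
        fclose(f);
        printf("/ in new namespace: %d (0=private, 1=shared, 2=slave)\n", propagation_of(buf, "/"));
    }
    if (move_root(argv[1]) < 0) { perror("move_root"); return 1; }
    if (argc > 2) execv(argv[2], argv + 2); else execl("/bin/sh", "sh", (char *)NULL);
    perror("exec");
    return 1;
}
```

On a host whose root is shared (the systemd default), the printed state is 2 (or 3 if the mount is also shared within its own peer group); 1 would mean the MS_SLAVE step was skipped and a remount-ro from the container would reach the host, which is the failure mode reported in the quoted text. The MS_MOVE works here because the parent of the moved mount is no longer shared; that is the same kernel condition that makes pivot_root() fail under shared propagation.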

