[systemd-devel] [PATCH 1/2] Add detect_userns to detect uid/gid shifts

Stéphane Graber stgraber at ubuntu.com
Thu Jan 8 15:55:20 PST 2015


On Fri, Jan 09, 2015 at 12:39:23AM +0100, Lennart Poettering wrote:
> On Thu, 08.01.15 15:33, Stéphane Graber (stgraber at ubuntu.com) wrote:
> 
> > As far as I know there's no obvious way to detect this case (well,
> > short of trying a bunch of restricted syscalls). The only way I'm
> > aware of is by comparing the target of /proc/self/ns/user to that of
> > /proc/<real host pid 1>/ns/user which is doable at the host level
> > but isn't once you are in a container with your own pid namespace
> > (which since we're talking about pid 1 systemd there can probably be
> > assumed).
> 
> Hmm, if this is so unreliable to detect maybe we shouldn't after all.
> 
> Given that git is no longer fatally failing if it cannot write to oom
> adjust I think all is good now?

Yeah, I think we're good for now. I've got systemd running fine in an
unprivileged container here, booting without problems to a shell and
with all the basic services running as expected (and those I was
expecting to fail, failed but didn't block the boot in any way).


I expect we'll run into some more problems when dealing with units that
start with their own view of /dev since mknod in a userns isn't allowed
but I haven't run into one of those yet so it's not very high on my list.

Once that happens, I expect we can solve it either by again just
ignoring the failure or by catching the failure and falling back to
doing a bind-mount of the device in question from the parent /dev (which
works fine in a userns and is what we do today for nested containers
with LXC).

>  
> > > 
> > > [0]: <lwn.net/Articles/539940/>
> > > [1]:
> > > 
> > > [root at tomegun-x240 userns]# ./userns_child_exec -U -M '0 0 4294967295'
> > > -G '0 0 4294967295' bash
> > > [root at tomegun-x240 userns]# mknod null b 1 3
> > > mknod: ‘null’: Operation not permitted
> > > [root at tomegun-x240 userns]# mount -t tmpfs none test/
> > > mount: permission denied
> > > [root at tomegun-x240 userns]# exit
> > > exit
> > > [root at tomegun-x240 userns]# mknod null b 1 3
> > > [root at tomegun-x240 userns]# mount -t tmpfs none test/
> > 
> > -- 
> > Stéphane Graber
> > Ubuntu developer
> > http://www.ubuntu.com
> 
> 
> 
> > _______________________________________________
> > systemd-devel mailing list
> > systemd-devel at lists.freedesktop.org
> > http://lists.freedesktop.org/mailman/listinfo/systemd-devel
> 
> 
> 
> Lennart
> 
> -- 
> Lennart Poettering, Red Hat

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com