[systemd-devel] [Q] About supporting nested systemd daemon

Lennart Poettering lennart at poettering.net
Sun May 3 18:51:24 PDT 2015

On Thu, 30.04.15 15:42, Alban Crequy (alban at endocode.com) wrote:

> > systemd-nspawn nowadays mounts all hierarchies into the container, but
> > mounts all controller hierarchies read-only, and of the name=systemd
> > hierarchy mounts everything read-only, except the subtree the
> > container is allowed to manage. That way only the cgroup tree the
> > container needs access to is writable to it. That solution however
> > does not hide the cgroup tree. A process running inside the container
> > can still go an explore the tree and its attributes. However, all
> > other groups will appear empty to it, since processes not in the
> > container PID namespaces will be suppressed when reading the member
> > process list.
> To sum up what systemd-nspawn is currently mounting in the container:
> - /sys/fs/cgroup/systemd/  -->  mounted RO
> - /sys/fs/cgroup/systemd/machine.slice/machine-xxx.scope/  --> mounted RW
> - /sys/fs/cgroup/cpu,cpuacct/  -->  mounted RO
> - etc. for other cgroup hierarchies  -->  mounted RO


> In order to let systemd in the container restrict cpu, memory, etc. on
> some of its services (see manpage systemd.resource-control(5)), rkt
> would like systemd-nspawn to mount a subtree of some hierarchy
> (cpu,cpuacct, memory) in read-write mode.

That's really not a safe thing to do right now... the kernel isn't
ready for this, as cgroups access is an all-or-nothing thing
currently: if you have access to a cgroup and cane creat child cgroups
in it you have access to *all* attributes you like, the dangerous ones
as well as the not so dangerous ones.

> Is there any issues with changing the systemd-nspawn mounts in the
> following way:
> - /sys/fs/cgroup/systemd/  -->  mounted RO
> - /sys/fs/cgroup/systemd/machine.slice/machine-xxx.scope/  --> mounted RW
> - /sys/fs/cgroup/cpu,cpuacct/  -->  mounted RO
> - /sys/fs/cgroup/cpu,cpuacct/machine.slice/machine-xxx.scope/  --> mounted RW
> - etc. for other cgroup hierarchies.
> Iago wrote two experimental patches on systemd-nspawn to try that and
> it worked. Delegate=yes was enabled in systemd-nspawn in order to test
> this:
> https://github.com/endocode/systemd/commits/iaguis/delegate
> But I would like to know what is missing to make this safe (or if it
> is already safe to do).

Well, nspawn does actually not make any guarantees about security
currently. Since we pass CAP_SYS_ADMIN by default to the contaienrs
people can mount whatever they want and remount things freely from
within. Hence, opening this up would not make things much worse.

That said, I am a bit concerned about opening this up by default. Even
though containers are insecure we should try to be safe wherever we
can if it doesn't affect usability too much. 

Adding a new cmdline switch for all of this sounds not too attractive
though, but maybe a --delegate switch would be OK, which would open up
all controllers to the containers.... It would have a similar effect
then on the containers as Delegate=yes has for service processes...


Lennart Poettering, Red Hat

More information about the systemd-devel mailing list