[systemd-devel] I want to run systemd inside of a locked down base docker container
Daniel J Walsh
dwalsh at redhat.com
Wed Feb 10 21:59:53 CET 2016
On 02/10/2016 01:41 PM, Lennart Poettering wrote:
> On Wed, 10.02.16 10:22, Ranjib Dey (dey.ranjib at gmail.com) wrote:
>
>> Docker(ls -alh)
>>
>> crw------- 1 root root 136, 9 Feb 10 18:20 console
>> lrwxrwxrwx 1 root root 13 Feb 10 18:20 fd -> /proc/self/fd
>> crw-rw-rw- 1 root root 1, 7 Feb 10 18:20 full
>> c--------- 1 root root 10, 229 Feb 10 18:20 fuse
>> lrwxrwxrwx 1 root root 11 Feb 10 18:20 kcore -> /proc/kcore
>> drwxrwxrwt 2 root root 40 Oct 30 08:01 mqueue
>> crw-rw-rw- 1 root root 1, 3 Feb 10 18:20 null
>> lrwxrwxrwx 1 root root 8 Feb 10 18:20 ptmx -> pts/ptmx
>> drwxr-xr-x 2 root root 0 Feb 10 18:20 pts
>> crw-rw-rw- 1 root root 1, 8 Feb 10 18:20 random
>> drwxrwxrwt 2 root root 40 Feb 10 18:20 shm
>> lrwxrwxrwx 1 root root 15 Feb 10 18:20 stderr -> /proc/self/fd/2
>> lrwxrwxrwx 1 root root 15 Feb 10 18:20 stdin -> /proc/self/fd/0
>> lrwxrwxrwx 1 root root 15 Feb 10 18:20 stdout -> /proc/self/fd/1
>> crw-rw-rw- 1 root root 5, 0 Feb 10 18:20 tty
>> crw-rw-rw- 1 root root 1, 9 Feb 10 18:20 urandom
>> crw-rw-rw- 1 root root 1, 5 Feb 10 18:20 zero
> This looks pretty OK actually. With this setup (i.e. where /dev/tty0
> does not exist) it seems entirely unnnecessary to mask the getty
> services or anything, as they contain a condition (as mentioned) that
> skips them if this device node does not exist.
>
>> LXC (ls -alh /dev)
>> crw-rw---- 1 root tty 136, 18 Feb 10 07:15 console
>> lrwxrwxrwx 1 root root 11 Feb 10 07:15 core -> /proc/kcore
>> lrwxrwxrwx 1 root root 13 Feb 10 07:15 fd -> /proc/self/fd
>> crw-rw-rw- 1 nobody nogroup 1, 7 Feb 9 08:32 full
>> srw-rw-rw- 1 root root 0 Feb 10 07:15 log
>> drwxrwxrwt 2 nobody nogroup 40 Feb 10 07:15 mqueue
>> drwxr-xr-x 2 root root 40 Feb 10 07:15 net
>> crw-rw-rw- 1 nobody nogroup 1, 3 Feb 9 08:32 null
>> lrwxrwxrwx 1 root root 13 Feb 10 07:15 ptmx -> /dev/pts/ptmx
>> drwxr-xr-x 2 nobody nogroup 0 Feb 10 07:15 pts
>> lrwxrwxrwx 1 root root 4 Feb 10 07:15 ram -> ram1
>> crw-rw-rw- 1 nobody nogroup 1, 8 Feb 9 08:32 random
>> lrwxrwxrwx 1 root root 8 Feb 10 07:15 shm -> /run/shm
> this looks wrong...
>
>> lrwxrwxrwx 1 root root 4 Feb 10 07:15 stderr -> fd/2
>> lrwxrwxrwx 1 root root 4 Feb 10 07:15 stdin -> fd/0
>> lrwxrwxrwx 1 root root 4 Feb 10 07:15 stdout -> fd/1
>> crw-rw-rw- 1 nobody nogroup 5, 0 Feb 10 18:17 tty
>> crw-rw---- 1 root tty 136, 0 Feb 10 07:15 tty1
>> crw-rw---- 1 root tty 136, 1 Feb 10 07:15 tty2
>> crw-rw---- 1 root tty 136, 2 Feb 10 07:15 tty3
>> crw-rw---- 1 root tty 136, 3 Feb 10 07:15 tty4
> Urks. This looks super wrong. A container has no VC subsystem, and
> these devices really shouldn't exist there. /dev/tty1, /dev/tty2 and
> so on are the interface to the Linux kernel VC subsystem, and nothing else.
>
>> drwxr-xr-x 3 root root 60 Feb 10 07:15 .udev
> Wut? where does this come from? the last time udev used that directory
> was 4 years ago or so...
>
> Lennart
>
Not sure how up2date lxc tools are...
More information about the systemd-devel
mailing list