[systemd-devel] I want to run systemd inside of a locked down base docker container

Daniel J Walsh dwalsh at redhat.com
Wed Feb 10 21:59:53 CET 2016



On 02/10/2016 01:41 PM, Lennart Poettering wrote:
> On Wed, 10.02.16 10:22, Ranjib Dey (dey.ranjib at gmail.com) wrote:
>
>> Docker(ls -alh)
>>
>> crw-------  1 root root 136,   9 Feb 10 18:20 console
>> lrwxrwxrwx  1 root root       13 Feb 10 18:20 fd -> /proc/self/fd
>> crw-rw-rw-  1 root root   1,   7 Feb 10 18:20 full
>> c---------  1 root root  10, 229 Feb 10 18:20 fuse
>> lrwxrwxrwx  1 root root       11 Feb 10 18:20 kcore -> /proc/kcore
>> drwxrwxrwt  2 root root       40 Oct 30 08:01 mqueue
>> crw-rw-rw-  1 root root   1,   3 Feb 10 18:20 null
>> lrwxrwxrwx  1 root root        8 Feb 10 18:20 ptmx -> pts/ptmx
>> drwxr-xr-x  2 root root        0 Feb 10 18:20 pts
>> crw-rw-rw-  1 root root   1,   8 Feb 10 18:20 random
>> drwxrwxrwt  2 root root       40 Feb 10 18:20 shm
>> lrwxrwxrwx  1 root root       15 Feb 10 18:20 stderr -> /proc/self/fd/2
>> lrwxrwxrwx  1 root root       15 Feb 10 18:20 stdin -> /proc/self/fd/0
>> lrwxrwxrwx  1 root root       15 Feb 10 18:20 stdout -> /proc/self/fd/1
>> crw-rw-rw-  1 root root   5,   0 Feb 10 18:20 tty
>> crw-rw-rw-  1 root root   1,   9 Feb 10 18:20 urandom
>> crw-rw-rw-  1 root root   1,   5 Feb 10 18:20 zero
> This looks pretty OK actually. With this setup (i.e. where /dev/tty0
> does not exist) it seems entirely unnecessary to mask the getty
> services or anything, as they contain a condition (as mentioned) that
> skips them if this device node does not exist.
>
>> LXC (ls -alh /dev)
>> crw-rw----  1 root   tty     136, 18 Feb 10 07:15 console
>> lrwxrwxrwx  1 root   root         11 Feb 10 07:15 core -> /proc/kcore
>> lrwxrwxrwx  1 root   root         13 Feb 10 07:15 fd -> /proc/self/fd
>> crw-rw-rw-  1 nobody nogroup   1,  7 Feb  9 08:32 full
>> srw-rw-rw-  1 root   root          0 Feb 10 07:15 log
>> drwxrwxrwt  2 nobody nogroup      40 Feb 10 07:15 mqueue
>> drwxr-xr-x  2 root   root         40 Feb 10 07:15 net
>> crw-rw-rw-  1 nobody nogroup   1,  3 Feb  9 08:32 null
>> lrwxrwxrwx  1 root   root         13 Feb 10 07:15 ptmx -> /dev/pts/ptmx
>> drwxr-xr-x  2 nobody nogroup       0 Feb 10 07:15 pts
>> lrwxrwxrwx  1 root   root          4 Feb 10 07:15 ram -> ram1
>> crw-rw-rw-  1 nobody nogroup   1,  8 Feb  9 08:32 random
>> lrwxrwxrwx  1 root   root          8 Feb 10 07:15 shm -> /run/shm
> this looks wrong...
>
>> lrwxrwxrwx  1 root   root          4 Feb 10 07:15 stderr -> fd/2
>> lrwxrwxrwx  1 root   root          4 Feb 10 07:15 stdin -> fd/0
>> lrwxrwxrwx  1 root   root          4 Feb 10 07:15 stdout -> fd/1
>> crw-rw-rw-  1 nobody nogroup   5,  0 Feb 10 18:17 tty
>> crw-rw----  1 root   tty     136,  0 Feb 10 07:15 tty1
>> crw-rw----  1 root   tty     136,  1 Feb 10 07:15 tty2
>> crw-rw----  1 root   tty     136,  2 Feb 10 07:15 tty3
>> crw-rw----  1 root   tty     136,  3 Feb 10 07:15 tty4
> Urks. This looks super wrong. A container has no VC subsystem, and
> these devices really shouldn't exist there. /dev/tty1, /dev/tty2 and
> so on are the interface to the Linux kernel VC subsystem, and nothing else.
>
>> drwxr-xr-x  3 root   root         60 Feb 10 07:15 .udev
> Wut? where does this come from? the last time udev used that directory
> was 4 years ago or so...
>
> Lennart
>
Not sure how up2date lxc tools are...
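As an added example, not part of the thread and not code from systemd, Docker or LXC: a small POSIX sh audit that reads an `ls -l /dev` listing in the format pasted above and reports the two things Lennart's reply turns on, namely whether any virtual-console style nodes (`/dev/tty1`, `/dev/tty2`, ...) are present in a container, and whether `/dev/tty0` exists (the node the getty units are said to be conditioned on). The major-number interpretation is an assumption taken from the kernel's devices.txt allocation: major 4 is the tty/VC driver, majors 136-143 are Unix98 pty slaves, so a `ttyN` node with major 136 is a pty bind-mounted over a VC name rather than a real console. The sample listings are trimmed copies of the Docker and LXC output quoted above.

```shell
#!/bin/sh
# Audit a container's /dev listing for virtual-console (VC) device nodes.
# Input is `ls -l` output on stdin. Major-number meaning follows the kernel's
# devices.txt (assumption): 4 = tty/VC driver, 136-143 = Unix98 pty slaves.

# Print "name major minor kind" for every char device named ttyN (N numeric).
find_vc_nodes() {
    awk '
        substr($1, 1, 1) == "c" && $NF ~ /^tty[0-9]+$/ {
            # e.g.: crw-rw----  1 root tty 136,  0 Feb 10 07:15 tty1
            major = $5 + 0      # "136," -> 136 (awk keeps the numeric prefix)
            minor = $6 + 0
            if (major == 4)
                kind = "vc"                # a real kernel virtual console
            else if (major >= 136 && major <= 143)
                kind = "pty-masquerade"    # pty slave bind-mounted over a VC name
            else
                kind = "other"
            printf "%s %d %d %s\n", $NF, major, minor, kind
        }'
}

# Number of hits from find_vc_nodes (reads the listing on stdin).
vc_node_count() {
    find_vc_nodes | awk 'END { print NR }'
}

# Exit 0 if the listing contains /dev/tty0, exit 1 otherwise.
has_tty0() {
    awk '$NF == "tty0" { found = 1 } END { exit !found }'
}

# Sample listings, trimmed copies of the Docker and LXC output in the thread.
DOCKER_DEV_LISTING=$(cat <<'EOF'
crw-------  1 root root 136,   9 Feb 10 18:20 console
crw-rw-rw-  1 root root   1,   3 Feb 10 18:20 null
crw-rw-rw-  1 root root   5,   0 Feb 10 18:20 tty
crw-rw-rw-  1 root root   1,   9 Feb 10 18:20 urandom
EOF
)
LXC_DEV_LISTING=$(cat <<'EOF'
crw-rw----  1 root   tty     136, 18 Feb 10 07:15 console
crw-rw-rw-  1 nobody nogroup   1,  3 Feb  9 08:32 null
crw-rw-rw-  1 nobody nogroup   5,  0 Feb 10 18:17 tty
crw-rw----  1 root   tty     136,  0 Feb 10 07:15 tty1
crw-rw----  1 root   tty     136,  1 Feb 10 07:15 tty2
crw-rw----  1 root   tty     136,  2 Feb 10 07:15 tty3
crw-rw----  1 root   tty     136,  3 Feb 10 07:15 tty4
EOF
)

# Human-readable report for one listing; $1 is a label, listing on stdin.
report() {
    label=$1
    listing=$(cat)
    n=$(printf '%s\n' "$listing" | vc_node_count)
    if printf '%s\n' "$listing" | has_tty0; then
        t0="present"
    else
        t0="absent (getty units skip themselves)"
    fi
    printf '%s: %s VC-style node(s), /dev/tty0 %s\n' "$label" "$n" "$t0"
    printf '%s\n' "$listing" | find_vc_nodes | sed 's/^/  /'
}

printf '%s\n' "$DOCKER_DEV_LISTING" | report "docker"
printf '%s\n' "$LXC_DEV_LISTING" | report "lxc"
# Against the running container: ls -l /dev | report "this-container"
```

On the quoted listings this reports zero VC-style nodes for the Docker container and four `pty-masquerade` hits (tty1 to tty4, major 136) for the LXC one, with `/dev/tty0` absent in both, which is the combination the reply describes: nothing for the getty units to bind to, and device names that misrepresent what the kernel is actually exposing.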

