[systemd-devel] nspawn: devpts not mounted with PrivateUsers

Olaf the Lost Viking olaf.the.lost.viking at gmail.com
Wed Apr 19 10:03:41 UTC 2017


Hi!


On the bug tracker guideline page it said that the systemd-devel-list
is also meant for support, so I hope it's okay to ask here this beginnger's
question:


== Environment:
  - systemd-232     (systemd-232-22_amd64)
  - Debian Stretch  (minbase + systemd + systemd-container + ...)


== Goal:
  - Run each nspawn-container with a dedicated user id.


== Unexpected behaviour:
Setting up and running nspawn based containers without any PrivateUsers-
setting works. The containers run using a random user-id. (Here I seem to 
misunderstand the manual as it says "false" is the default setting and 
therefore no mapping at all should happen.)

But as soon as I add a PrivateUsers=true or PrivateUsers=ID setting into the 
corresponding .nspawn-file, systemd fails while mounting devpts in the 
container.

Since I like the idea of having a dedicated user for each container (and 
therefore seeing his uid in ps & co on the host), I did the following:

== On the host:
$ groupadd -g3777036288 MY_GROUP
$ echo MY_GROUP:3777036288:65536 >> /etc/subgid
$ useradd -d/var/lib/machines/MY_CONTAINER -M -g3777036288 -u3777036288 MY_USER
$ echo MY_USER:3777036288:65536 >> /etc/subguid
$ chown MY_USER:MY_GROUP /var/lib/machines/MY_CONTAINER
$ echo -e "[Exec]\nPrivateUsers=true\n" > /etc/systemd/nspawn/MY_CONTAINER.nspawn
-OR-
$ echo -e "[Exec]\nPrivateUsers=3777036288\n" > /etc/systemd/nspawn/MY_CONTAINER.nspawn
$ machinectl start MY_CONTAINER

(The strangely looking ID represents the container in the upper 16 bits so 
that nspawn can use the lower 16 bits for the local uids. And not putting 
anything in /etc/sub?id doesn't change anything. But putting the IDs there is 
the correct way, right?)

Journalctl shows the following:

== On the host:
  systemd[1]: Starting Container MY_CONTAINER...
  systemd-nspawn[6345]: Selected user namespace base 3777036288 and range 65536.
  systemd-nspawn[6345]: Failed to mount n/a on /var/lib/machines/MY_CONTAINER/sys/fs/selinux (MS_BIND ""): No such file or directory
  systemd-nspawn[6345]: Failed to mount n/a on /var/lib/machines/MY_CONTAINER/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_REMOUNT|MS_BIND ""): Invalid argument
  systemd-nspawn[6345]: Failed to mount devpts on /var/lib/machines/MY_CONTAINER/dev/pts (MS_NOSUID|MS_NOEXEC "newinstance,ptmxmode=0666,mode=620,gid=3777036293"): Invalid argument
  systemd[1]: systemd-nspawn at MY_CONTAINER.service: Main process exited, code=exited, status=1/FAILURE
  systemd[1]: Failed to start Container MY_CONTAINER.
  systemd[1]: systemd-nspawn at MY_CONTAINER.service: Unit entered failed state.
  systemd[1]: systemd-nspawn at MY_CONTAINER.service: Failed with result 'exit-code'.

The first two failed mounts (selinux) happen always - it's a minbase 
installation after all - including successful starts of containers (when not 
using PrivateUsers settings). But the second one seems to lead to the failed 
start. Systemd creates the gid 3777036293 for the pts mount, which is +5 from 
my given uid. And 5 is the group tty (which should be the owner of pts).

== On the host:
$ grep pts /proc/mounts 
  devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0

== On a successfully started container (no PrivateUsers setting, random uid):
$ grep pts /proc/mounts 
  devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=32702469,mode=620,ptmxmode=666 0 0
  devpts /dev/console devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0


I hope all needed information is included in this mail!

Thanks



PS: I wonder if this could be connected to https://github.com/systemd/systemd/issues/337 ?


More information about the systemd-devel mailing list