[systemd-devel] nspawn: devpts not mounted with PrivateUsers
Olaf the Lost Viking
olaf.the.lost.viking at gmail.com
Wed Apr 19 10:03:41 UTC 2017
Hi!
On the bug tracker guideline page it said that the systemd-devel list
is also meant for support, so I hope it's okay to ask this beginner's
question here:
== Environment:
- systemd-232 (systemd-232-22_amd64)
- Debian Stretch (minbase + systemd + systemd-container + ...)
== Goal:
- Run each nspawn-container with a dedicated user id.
== Unexpected behaviour:
Setting up and running nspawn-based containers without any PrivateUsers
setting works. The containers run using a random user id. (Here I seem to
misunderstand the manual, as it says "false" is the default setting and
therefore no mapping at all should happen.)
But as soon as I add a PrivateUsers=true or PrivateUsers=ID setting into the
corresponding .nspawn-file, systemd fails while mounting devpts in the
container.
Since I like the idea of having a dedicated user for each container (and
therefore seeing his uid in ps & co on the host), I did the following:
== On the host:
$ groupadd -g3777036288 MY_GROUP
$ echo MY_GROUP:3777036288:65536 >> /etc/subgid
$ useradd -d/var/lib/machines/MY_CONTAINER -M -g3777036288 -u3777036288 MY_USER
$ echo MY_USER:3777036288:65536 >> /etc/subguid
$ chown MY_USER:MY_GROUP /var/lib/machines/MY_CONTAINER
$ echo -e "[Exec]\nPrivateUsers=true\n" > /etc/systemd/nspawn/MY_CONTAINER.nspawn
-OR-
$ echo -e "[Exec]\nPrivateUsers=3777036288\n" > /etc/systemd/nspawn/MY_CONTAINER.nspawn
$ machinectl start MY_CONTAINER
(The strange-looking ID represents the container in the upper 16 bits so
that nspawn can use the lower 16 bits for the local uids. And not putting
anything in /etc/sub?id doesn't change anything. But putting the IDs there is
the correct way, right?)
Journalctl shows the following:
== On the host:
systemd[1]: Starting Container MY_CONTAINER...
systemd-nspawn[6345]: Selected user namespace base 3777036288 and range 65536.
systemd-nspawn[6345]: Failed to mount n/a on /var/lib/machines/MY_CONTAINER/sys/fs/selinux (MS_BIND ""): No such file or directory
systemd-nspawn[6345]: Failed to mount n/a on /var/lib/machines/MY_CONTAINER/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_REMOUNT|MS_BIND ""): Invalid argument
systemd-nspawn[6345]: Failed to mount devpts on /var/lib/machines/MY_CONTAINER/dev/pts (MS_NOSUID|MS_NOEXEC "newinstance,ptmxmode=0666,mode=620,gid=3777036293"): Invalid argument
systemd[1]: systemd-nspawn at MY_CONTAINER.service: Main process exited, code=exited, status=1/FAILURE
systemd[1]: Failed to start Container MY_CONTAINER.
systemd[1]: systemd-nspawn at MY_CONTAINER.service: Unit entered failed state.
systemd[1]: systemd-nspawn at MY_CONTAINER.service: Failed with result 'exit-code'.
The first two failed mounts (selinux) always happen - it's a minbase
installation after all - including on successful starts of containers (when
not using PrivateUsers settings). But the second one seems to lead to the
failed start. Systemd creates the gid 3777036293 for the pts mount, which is
+5 from my given uid. And 5 is the group tty (which should be the owner of pts).
== On the host:
$ grep pts /proc/mounts
devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
== On a successfully started container (no PrivateUsers setting, random uid):
$ grep pts /proc/mounts
devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=32702469,mode=620,ptmxmode=666 0 0
devpts /dev/console devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
I hope all needed information is included in this mail!
Thanks
PS: I wonder if this could be connected to https://github.com/systemd/systemd/issues/337 ?
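An added example, not part of the mail and not systemd's code, that checks the id-range bookkeeping the mail describes: whether the base fits the "upper 16 bits = container, lower 16 bits = local ids" scheme, whether matching entries exist in /etc/subuid and /etc/subgid, whether the range collides with another entry, and which shifted gid nspawn will ask for on devpts (host tty gid 5 plus the base). The subuid/subgid file contents are constructed samples, with an "other" entry deliberately overlapping the chosen range.

```shell
#!/bin/sh
# Constructed sample contents (NAME:START:COUNT). Both files are keyed by
# the login name, see subuid(5)/subgid(5). "other" overlaps by 32768 ids.
SAMPLE_SUBUID='MY_USER:3777036288:65536
other:3777069056:65536
lxcuser:100000:65536'
SAMPLE_SUBGID='MY_USER:3777036288:65536
lxcuser:100000:65536'

# The container-id-in-upper-16-bits scheme needs a base that is a multiple
# of 65536, and the whole range must stay below the 32-bit id ceiling.
base_is_aligned() {            # base range
    [ $(($1 % 65536)) -eq 0 ] && [ $(($1 + $2)) -le 4294967294 ]
}

# Exact NAME:BASE:RANGE line present in the given file text?
has_entry() {                  # name base range text
    printf '%s\n' "$4" | grep -qxF "$1:$2:$3"
}

# Succeed only when no other entry intersects [base, base+range). Two
# overlapping ranges mean two containers share host ids, so files created
# by one are owned, from the host's point of view, by the other as well.
range_is_exclusive() {         # name base range text
    end=$(($2 + $3))
    printf '%s\n' "$4" | while IFS=: read -r n start count; do
        [ -z "$n" ] || [ "$n" = "$1" ] && continue
        if [ "$start" -lt "$end" ] && [ $((start + count)) -gt "$2" ]; then
            echo "range of $1 overlaps $n ($start..$((start + count - 1)))" >&2
            exit 1          # leaves the subshell; the pipeline returns 1
        fi
    done
}

# A host id shifted into the container's range: nspawn requested
# gid=base+5 on devpts because tty is gid 5 on the host.
shifted_id() {                 # base host_id
    echo $(($1 + $2))
}

report() {                     # name base range
    base_is_aligned "$2" "$3" && echo "base $2 aligned, range fits"
    has_entry "$1" "$2" "$3" "$SAMPLE_SUBUID" || echo "no subuid entry for $1"
    has_entry "$1" "$2" "$3" "$SAMPLE_SUBGID" || echo "no subgid entry for $1"
    range_is_exclusive "$1" "$2" "$3" "$SAMPLE_SUBUID" || echo "subuid: not exclusive"
    range_is_exclusive "$1" "$2" "$3" "$SAMPLE_SUBGID" || echo "subgid: not exclusive"
    echo "devpts gid nspawn will request: $(shifted_id "$2" 5)"
}
report MY_USER 3777036288 65536
```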