[systemd-devel] systemd-nspawn: starting multiple shells

Lennart Poettering lennart at poettering.net
Mon Jul 2 10:54:58 UTC 2018


On Fr, 29.06.18 21:24, Nikolaus Rath (Nikolaus at rath.org) wrote:

> >> The 'nsenter' approach seems to work so far, but I don't see a generally
> >> applicable way to figure out the right PID. Is there a trick for
> >> that?
> >
> > machinectl show --value $MACHINE -p Leader
> 
> Still not quite working, now there seems to be a problem with
> /proc/self/fd in the new shell:
> 
> $ sudo systemd-nspawn -M $MACHINE \
>      --private-users=1379532800:65536 --private-network \
>      --as-pid2
> 
> # Other terminal
> 
> $ pid=$(machinectl show --value $MACHINE -p Leader 2> /dev/null)
> $ sudo nsenter -t ${pid} --mount --uts --ipc --net --pid --cgroup --user
> [root at iofabric /]# echo $UID
> 0
> [root at iofabric /]# echo 1 > /dev/stderr 
> -bash: /dev/stderr: Permission denied
> [root at iofabric /]# ll /dev/stderr
> lrwxrwxrwx 1 root root 15 Jun 29 21:13 /dev/stderr -> /proc/self/fd/2
> [root at iofabric /]# ll /proc/self/fd/2
> lrwx------ 1 root root 64 Jun 29 21:22 /proc/self/fd/2 -> /dev/pts/0
> [root at iofabric /]# ll /dev/pts/
> total 0
> crw-rw-rw- 1 root root 5, 2 Jun 29 21:13 ptmx
> [root at iofabric /]# 
> 
> 
> What's happening here?

the stdin/stdout/stderr fds of the nsenter process reference pipes
that belong to the host side, and the kernel doesn't allow them to be
reopened if user namespacing is used, for security reasons.

"systemd-run -M $MACHINE -t /bin/sh" should generally be the better
choice than "nsenter", as it will instantiate a shell originating
inside the container and will allocate a pty for it that it will proxy
to the caller's TTYs. This means you get much safer and correct
behaviour as the container will only run container code and the host
only host code, and the connection between them is limited to the pty
transport between them. Since the pty is allocated in the container
/dev/stderr and friends should work fine.

Lennart

-- 
Lennart Poettering, Red Hat


More information about the systemd-devel mailing list