[systemd-devel] Problem in understanding container permissions
Lennart Poettering
lennart at poettering.net
Tue Jul 23 16:13:39 UTC 2019
On Mi, 03.07.19 12:24, Kai Bojens (kb at kbojens.de) wrote:
> Ubuntu 18.04, HWE kernel 4.18.0-25-generic, systemd 237-3ubuntu10.23
>
> I have created a nspawn container with a minimal Ubuntu and booted the container
> without any problems. There were no problems and I used the default settings.
> Now I see some strange permission errors which I can't explain:
>
> Inside the container:
>
> root@container:/var/log# ls -alt
> total 356
> -rw-r--r-- 1 root root 203203 Jul 3 09:17 dpkg.log
> drwxr-xr-x 1 root root 60 Jul 3 09:17 apt
> -rw-r--r-- 1 root root 9046 Jul 2 15:04 alternatives.log
> -rw------- 1 root root 6784 Jul 2 15:04 tallylog
> -rw-r--r-- 1 root root 3392 Jul 2 15:04 faillog
> -rw-r----- 1 nobody nogroup 40658 Jul 2 10:14 syslog
> -rw-rw-r-- 1 nobody nogroup 16128 Jul 2 10:14 wtmp
> -rw-r----- 1 nobody nogroup 6234 Jul 2 10:14 auth.log
> -rw-rw-r-- 1 nobody nogroup 30660 Jul 2 10:06 lastlog
> -rw-rw---- 1 nobody nogroup 384 Jul 1 14:02 btmp
> drwxrwxr-x 1 nobody nogroup 182 Jul 1 14:02 .
> drwxr-sr-x+ 1 nobody nogroup 64 Jul 1 14:02 journal
> -rw-r--r-- 1 root root 60952 Jul 1 13:59 bootstrap.log
> drwxr-xr-x 1 root root 90 Jul 1 13:56 ..
> root@container:/var/log# whoami
> root
> root@container:/var/log# tail syslog
> tail: cannot open 'syslog' for reading: Permission denied
>
>
> Outside the container:
>
> root@container:/var/lib/machines/xy-test/var/log# ls -alt
> total 356
> -rw-r--r-- 1 198180864 198180864 203203 Jul 3 09:17 dpkg.log
> drwxr-xr-x 1 198180864 198180864 60 Jul 3 09:17 apt
> -rw-r--r-- 1 198180864 198180864 9046 Jul 2 15:04 alternatives.log
> -rw------- 1 198180864 198180864 6784 Jul 2 15:04 tallylog
> -rw-r--r-- 1 198180864 198180864 3392 Jul 2 15:04 faillog
> -rw-r----- 1 syslog adm 40658 Jul 2 10:14 syslog
> -rw-rw-r-- 1 root utmp 16128 Jul 2 10:14 wtmp
> -rw-r----- 1 syslog adm 6234 Jul 2 10:14 auth.log
> -rw-rw-r-- 1 root utmp 30660 Jul 2 10:06 lastlog
> -rw-rw---- 1 root utmp 384 Jul 1 14:02 btmp
> drwxrwxr-x 1 root syslog 182 Jul 1 14:02 .
> drwxr-sr-x+ 1 root systemd-journal 64 Jul 1 14:02 journal
> -rw-r--r-- 1 198180864 198180864 60952 Jul 1 13:59 bootstrap.log
> drwxr-xr-x 1 198180864 198180864 90 Jul 1 13:56 ..
>
> I have not touched any of these files from outside of the container. Is there
> anything obvious I have failed to see? Why would the ownership of these file
> change?
This is caused by user namespacing, i.e. the -U option of
systemd-nspawn (which is default in systemd-nspawn@.service, but not
in systemd-nspawn when invoked directly).
It means the container runs under its own UID range that is somewhere
above the 65536 boundary when looking from the outside of the
container, but looks like the normal 0…65536 inside of it. Except that
some system files are always owned by the special nobody user, because
they are system files.
It appears you ran your container once with and once without user
namespacing. You can fix that without loss, see documentation:
https://www.freedesktop.org/software/systemd/man/systemd-nspawn.html#-U
Lennart
--
Lennart Poettering, Berlin
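A way to check a container tree for the mixed ownership described above, as an added example that is not part of this thread: it guesses the 65536-aligned UID base from the host-side owners and flags every entry outside that range, which is what appears as nobody/nogroup from inside the container. The host-side numeric ids used for syslog, adm, utmp and systemd-journal in the sample are constructed, not taken from the thread.

```python
import os
from collections import Counter

UID_RANGE = 65536  # systemd-nspawn -U gives each container a full 16-bit UID range


def detect_uid_base(entries):
    """Guess the container's host-side UID base: the most common 65536-aligned
    block among entries whose owner lies above the host's own 0..65535 range."""
    blocks = Counter(uid - uid % UID_RANGE for _, uid, _ in entries if uid >= UID_RANGE)
    return blocks.most_common(1)[0][0] if blocks else None


def classify(entries, base):
    """Map path -> 'shifted' (owner inside the container's range, looks normal
    from inside) or 'unshifted' (owner outside it, shows as nobody/nogroup)."""
    result = {}
    for path, uid, gid in entries:
        in_range = base <= uid < base + UID_RANGE and base <= gid < base + UID_RANGE
        result[path] = "shifted" if in_range else "unshifted"
    return result


def to_container_uid(uid, base):
    """What a host-side owner looks like from inside: the shifted id, or 65534 (nobody)."""
    return uid - base if base <= uid < base + UID_RANGE else 65534


def scan_tree(root):
    """Collect (path, uid, gid) from a real container tree without following symlinks."""
    entries = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            entries.append((full, st.st_uid, st.st_gid))
    return entries


# Constructed sample reproducing the host-side listing from the thread.
# The low numeric ids are constructed stand-ins for syslog:adm, root:utmp, root:systemd-journal.
SAMPLE = [
    ("var/log/dpkg.log", 198180864, 198180864),
    ("var/log/apt", 198180864, 198180864),
    ("var/log/syslog", 104, 4),
    ("var/log/wtmp", 0, 43),
    ("var/log/journal", 0, 101),
    ("var/log/bootstrap.log", 198180864, 198180864),
]

if __name__ == "__main__":
    base = detect_uid_base(SAMPLE)  # 198180864 == 3024 * 65536
    for path, state in classify(SAMPLE, base).items():
        print(f"{state:10} {path}")
```

Run `classify(scan_tree("/var/lib/machines/<name>"), base)` on the host to list every file that will be unreadable as nobody inside a -U container.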