lxc-attach from a different login session fails
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
cgmanager (Ubuntu) |
Fix Released
|
High
|
Unassigned | ||
Trusty |
Fix Released
|
High
|
Unassigned | ||
Utopic |
Fix Released
|
High
|
Unassigned | ||
lxc (Ubuntu) |
Fix Released
|
High
|
Unassigned | ||
Trusty |
Fix Released
|
High
|
Unassigned | ||
Utopic |
Fix Released
|
High
|
Unassigned |
Bug Description
=======
Impact: unprivileged users cannot attach to a container from a different login session
Test Case:
lxc-start -n u1 -d
ssh localhost lxc-attach -n u1 /bin/true
Regression potential: This implements a new method, so should not regress existing functionalty.
=======
When using the cgroup manager, if an unprivileged user starts a container from one login session, then ssh's back in and tries lxc-attach, that will fail.
The workaround for this is simply to start a container under screen or tmux, then re-attach to that session to lxc-attach.
The proper fix is to use MovePidAbs in lxc-attach to move the current task to the 'full' (relative to proxy) cgroup of the container. This requires a new GetPidCgroupAbs method (which is in cgmanager utopic but not yet in trusty) to find out the proper cgroup to attach to.
Related branches
Changed in cgmanager (Ubuntu Trusty): | |
status: | New → Fix Committed |
importance: | Undecided → High |
Changed in cgmanager (Ubuntu Utopic): | |
importance: | Undecided → High |
Changed in lxc (Ubuntu Trusty): | |
importance: | Undecided → High |
Changed in lxc (Ubuntu Utopic): | |
importance: | Undecided → High |
Changed in cgmanager (Ubuntu Utopic): | |
status: | New → Confirmed |
Changed in lxc (Ubuntu Trusty): | |
status: | New → Confirmed |
Changed in lxc (Ubuntu Utopic): | |
status: | New → Triaged |
Changed in cgmanager (Ubuntu Utopic): | |
status: | Confirmed → Fix Released |
Changed in cgmanager (Ubuntu Trusty): | |
status: | Fix Committed → Confirmed |
description: | updated |
Changed in lxc (Ubuntu Utopic): | |
status: | Fix Committed → Fix Released |
Hello Serge, or anyone else affected,
Accepted cgmanager into trusty-proposed. The package will build now and be available at http:// launchpad. net/ubuntu/ +source/ cgmanager/ 0.24-0ubuntu6 in a few hours, and then in the -proposed repository.
Please help us by testing this new package. See https:/ /wiki.ubuntu. com/Testing/ EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification- failed. In either case, details of your testing will help us make a better decision.
Further information regarding the verification process can be found at https:/ /wiki.ubuntu. com/QATeam/ PerformingSRUVe rification . Thank you in advance!