Root filesystem (used by LXD) include device nodes
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
cloud-images | Confirmed | Undecided | Unassigned | 
Bug Description
It looks like some change in image generation has occurred and results in the rootfs tarballs and/or squashfs now containing device nodes.
So far, we've noticed:
- /dev/console
- /dev/full
- /dev/mapper/control
- /dev/null
- /dev/ptmx
- /dev/random
- /dev/tty
- /dev/urandom
- /dev/zero
This causes issues with LXD, especially in the nested case, as unprivileged containers cannot (for security reasons) create device nodes. The inclusion of those device nodes even in the non-nested case can be problematic as it could grant additional device access to containers above what we normally provide through LXD.
That last point is thankfully mitigated through the devices cgroup that we also configured in LXD, so I'm not filing this as a security issue, but I sure prefer the devices cgroup being there as a safety net rather than as the main security mechanism.
To validate a fix, you can attempt to unsquashfs the rootfs inside of a LXD container.
This should normally succeed with no error and an exit code of 0.
Instead, we're getting:
```
root@nesting:~# unsquashfs -n /var/snap/
Parallel unsquashfs: Using 4 processors
36619 inodes (41808 blocks) to write
create_inode: failed to create character device squashfs-
create_inode: failed to create character device squashfs-
create_inode: failed to create character device squashfs-
create_inode: failed to create character device squashfs-
create_inode: failed to create character device squashfs-
create_inode: failed to create character device squashfs-
create_inode: failed to create character device squashfs-
create_inode: failed to create character device squashfs-
create_inode: failed to create character device squashfs-
created 31866 files
created 3728 directories
created 4632 symlinks
created 0 devices
created 0 fifos
created 0 sockets
root@nesting:~# echo $?
2
```
This was reported to us at https://github.com/lxc/lxd/issues/10492
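The report validates a fix by running unsquashfs inside an unprivileged container; for the rootfs tarball form of the image, the same check can be made offline by scanning the archive metadata for character and block device entries. The following is an added example, not code from the bug report or from LXD or cloud-images; the sample tarball it builds (including the `dev/null`, `dev/zero` and `dev/console` entries and their major/minor numbers) is constructed here purely so the check can be exercised without root.

```python
import io
import sys
import tarfile


def find_device_nodes(tar_bytes):
    """Return [(path, kind)] for every char/block device entry in a tarball.

    Only archive metadata is read, so this works on any host and does not
    need the privileges required to actually mknod the entries.
    """
    found = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for member in tf.getmembers():
            if member.ischr() or member.isblk():
                found.append((member.name, "char" if member.ischr() else "block"))
    return found


def rootfs_is_clean(tar_bytes):
    """True when the image contains no device nodes (what LXD expects)."""
    return not find_device_nodes(tar_bytes)


def build_sample_rootfs(include_devices):
    """Constructed sample rootfs tarball (not a real cloud image).

    Device entries are written as tar headers only, so no root is needed.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        data = b"sample\n"
        hostname = tarfile.TarInfo("etc/hostname")
        hostname.size = len(data)
        tf.addfile(hostname, io.BytesIO(data))
        dev_dir = tarfile.TarInfo("dev")
        dev_dir.type = tarfile.DIRTYPE
        dev_dir.mode = 0o755
        tf.addfile(dev_dir)
        if include_devices:
            # Constructed sample nodes using the usual Linux major/minor pairs.
            for name, major, minor in (("dev/null", 1, 3), ("dev/zero", 1, 5), ("dev/console", 5, 1)):
                node = tarfile.TarInfo(name)
                node.type = tarfile.CHRTYPE
                node.mode = 0o666
                node.devmajor, node.devminor = major, minor
                tf.addfile(node)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python check_rootfs.py rootfs.tar.xz   (exit 1 if device nodes are present)
    with open(sys.argv[1], "rb") as fh:
        nodes = find_device_nodes(fh.read())
    for path, kind in nodes:
        print(f"{kind} device in image: /{path}")
    sys.exit(1 if nodes else 0)
```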