nested unprivileged container fails to start at mounting /proc

Bug #1543367 reported by Serge Hallyn
Affects: linux (Ubuntu)  Status: Invalid  Importance: High  Assigned to: Unassigned
Affects: lxc (Ubuntu)  Status: Fix Released  Importance: High  Assigned to: Unassigned

Bug Description

Create a trusty or xenial host. Probably use ubuntu-lxc/daily ppa to work around other bugs.

Create a privileged container (again either trusty or xenial will do), and install ubuntu-lxc/daily ppa there.

Create an unprivileged container in that container. It will fail at mounting proc using safe_mount. At this point it is mounting proc onto /proc/self/fd/14 flags 14.

      lxc-start 20160208234209.189 ERROR lxc_utils - utils.c:safe_mount:1695 - Operation not permitted - Failed to mount proc onto /usr/lib/x86_64-linux-gnu/lxc/proc

Serge Hallyn (serge-hallyn) wrote :

I'm quite certain this is not an apparmor issue, since leaving everything unconfined does not help.

It could be something we're doing wrong in lxc, but I'm not sure what.

It could be something inherent in mounting onto an open fd.

affects: lxcfs (Ubuntu) → lxc (Ubuntu)
Changed in lxc (Ubuntu):
importance: Undecided → High
status: New → Triaged
Brad Figg (brad-figg) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1543367

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Serge Hallyn (serge-hallyn) wrote :

Note that an unprivileged user on the host is able to do these mounts.

Unprivileged users inside a privileged container cannot.

Joseph Salisbury (jsalisbury) wrote :

Did this issue start happening after an update/upgrade? Was there a prior kernel version where you were not having this particular problem?

Would it be possible for you to test the latest upstream kernel? Refer to https://wiki.ubuntu.com/KernelMainlineBuilds . Please test the latest v4.5 kernel[0].

If this bug is fixed in the mainline kernel, please add the following tag 'kernel-fixed-upstream'.

If the mainline kernel does not fix this bug, please add the tag: 'kernel-bug-exists-upstream'.

Once testing of the upstream kernel is complete, please mark this bug as "Confirmed".

Thanks in advance.

[0] http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.5-rc3-wily/

Changed in linux (Ubuntu):
importance: Undecided → High
tags: added: kernel-da-key
Serge Hallyn (serge-hallyn) wrote : Re: [Bug 1543367] Re: nested unprivileged container fails to start at mounting /proc

It's not something I regularly do, as I normally nest inside unprivileged lxd containers. So I can't say whether it is a regression. I did revert to an older trusty kernel and have the same behavior.

I'm going to need to write a script to make this more easily reproducible, but I won't have time for that today.

Serge Hallyn (serge-hallyn) wrote :

Upstream kernel still fails:

      lxc-start 20160304193125.498 ERROR lxc_conf - conf.c:lxc_mount_auto_mounts:742 - Operation not permitted - error mounting proc on /usr/lib/x86_64-linux-gnu/lxc/proc flags 14
lxc-start: conf.c: lxc_mount_auto_mounts: 742 Operation not permitted - error mounting proc on /usr/lib/x86_64-linux-gnu/lxc/proc flags 14

Linux x1 4.5.0-999-generic #201603032101 SMP Fri Mar 4 02:03:35 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

Changed in linux (Ubuntu):
status: Incomplete → Confirmed
tags: added: kernel-bug-exists-upstream
Serge Hallyn (serge-hallyn) wrote :

Current wily kernel is giving me the same behavior.

Serge Hallyn (serge-hallyn) wrote :

Simplest way to reproduce:

sudo systemctl stop proc-sys-fs-binfmt_misc.automount # (just to be sure)
unshare -mpf
mount --make-rslave /
mount -t proc proc /proc
lxc-usernsexec
# mount -t proc proc /proc # permission denied, regardless what -o options may pass.

Serge Hallyn (serge-hallyn) wrote :

Sorry, testcase in #8 is invalid, bc lxc-usernsexec doesn't create a new pid namespace, so mount is denied because we do not own our pidns->userns.

Serge Hallyn (serge-hallyn) wrote :

Ok, this is happening because lxc, for privileged containers, bind-mounts /proc/sys and /proc/sys/net onto themselves. This prevents later unprivileged mounting of /proc.
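A diagnostic for the condition identified in the comment above, added here as an example and not part of LXC or the bug report: it parses /proc/self/mountinfo text and lists the mounts stacked on top of the proc mount, which is what makes the kernel refuse a fresh proc mount from a user namespace, and checks that the requested flags (the log's "flags 14", i.e. nosuid|nodev|noexec) keep the existing mount's restrictions. The mountinfo lines are constructed; mountinfo cannot show the kernel's internal locked flag, so the check reports every over-mount.

```python
"""Why a user namespace cannot mount proc here: the kernel requires the proc
mount it inherited to be "fully visible" (nothing stacked on its non-empty
directories) and the new mount to keep its ro/nosuid/nodev/noexec bits.
The log's "flags 14" decodes to MS_NOSUID|MS_NODEV|MS_NOEXEC."""
from typing import Dict, List

MS_RDONLY, MS_NOSUID, MS_NODEV, MS_NOEXEC = 1, 2, 4, 8
OPT_TO_FLAG = {"ro": MS_RDONLY, "nosuid": MS_NOSUID, "nodev": MS_NODEV, "noexec": MS_NOEXEC}
# Permanently empty proc directory the kernel provides as a mount point; a
# mount on it hides nothing, so the visibility check tolerates it.
EMPTY_MOUNTPOINTS = {"/proc/sys/fs/binfmt_misc"}

def parse_mountinfo(text: str) -> List[Dict[str, str]]:
    """Keep id, parent id, mount point, mount options and fstype per line."""
    mounts = []
    for line in text.strip().splitlines():
        pre, _, post = line.partition(" - ")  # optional fields end at " - "
        f = pre.split()
        mounts.append({"id": f[0], "parent": f[1], "point": f[4],
                       "opts": f[5], "fstype": post.split()[0]})
    return mounts

def proc_overmounts(text: str, proc_point: str = "/proc") -> List[str]:
    """Mount points stacked, directly or transitively, on the proc mount."""
    mounts = parse_mountinfo(text)
    proc = next(m for m in mounts if m["fstype"] == "proc" and m["point"] == proc_point)
    children: Dict[str, List[Dict[str, str]]] = {}
    for m in mounts:
        children.setdefault(m["parent"], []).append(m)
    found, stack = [], list(children.get(proc["id"], []))
    while stack:  # walk the mount tree rooted at the proc mount
        m = stack.pop()
        if m["point"] not in EMPTY_MOUNTPOINTS:
            found.append(m["point"])
        stack.extend(children.get(m["id"], []))
    return sorted(found)

def flags_compatible(existing_opts: str, requested_flags: int) -> bool:
    """True if the new mount drops none of the existing mount's restrictions."""
    existing = sum(OPT_TO_FLAG.get(o, 0) for o in existing_opts.split(","))
    return existing & ~requested_flags == 0

# Constructed mountinfo of a privileged LXC container with /proc/sys and
# /proc/sys/net bind-mounted onto themselves, the cause identified above.
SAMPLE = """\
20 1 0:4 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
35 20 0:4 /sys /proc/sys rw,nosuid,nodev,noexec,relatime - proc proc rw
36 35 0:4 /sys/net /proc/sys/net rw,nosuid,nodev,noexec,relatime - proc proc rw
40 35 0:30 / /proc/sys/fs/binfmt_misc rw,relatime - binfmt_misc binfmt_misc rw
"""
```

Running `proc_overmounts(SAMPLE)` on the constructed data names /proc/sys and /proc/sys/net as the mounts hiding proc content; a clean proc mount returns an empty list.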

Serge Hallyn (serge-hallyn) wrote :

Sorry, I had forgotten my own workaround for this.

Changed in linux (Ubuntu):
status: Confirmed → Won't Fix
Changed in lxc (Ubuntu):
status: Triaged → Fix Released
Changed in linux (Ubuntu):
status: Won't Fix → Invalid