lxc-attach from a different login session fails

Bug #1315052 reported by Serge Hallyn on 2014-05-01
12
This bug affects 1 person
Affects Status Importance Assigned to Milestone
cgmanager (Ubuntu)
High
Unassigned
Trusty
High
Unassigned
Utopic
High
Unassigned
lxc (Ubuntu)
High
Unassigned
Trusty
High
Unassigned
Utopic
High
Unassigned

Bug Description

===============================================================
Impact: unprivileged users cannot attach to a container from a different login session
Test Case:
 lxc-start -n u1 -d
 ssh localhost lxc-attach -n u1 /bin/true
Regression potential: This implements a new method, so should not regress existing functionalty.
===============================================================

When using the cgroup manager, if an unprivileged user starts a container from one login session, then ssh's back in and tries lxc-attach, that will fail.

The workaround for this is simply to start a container under screen or tmux, then re-attach to that session to lxc-attach.

The proper fix is to use MovePidAbs in lxc-attach to move the current task to the 'full' (relative to proxy) cgroup of the container. This requires a new GetPidCgroupAbs method (which is in cgmanager utopic but not yet in trusty) to find out the proper cgroup to attach to.

Changed in cgmanager (Ubuntu Trusty):
status: New → Fix Committed
importance: Undecided → High
Changed in cgmanager (Ubuntu Utopic):
importance: Undecided → High
Changed in lxc (Ubuntu Trusty):
importance: Undecided → High
Changed in lxc (Ubuntu Utopic):
importance: Undecided → High
Changed in cgmanager (Ubuntu Utopic):
status: New → Confirmed
Changed in lxc (Ubuntu Trusty):
status: New → Confirmed
Changed in lxc (Ubuntu Utopic):
status: New → Triaged
Changed in cgmanager (Ubuntu Utopic):
status: Confirmed → Fix Released
Changed in cgmanager (Ubuntu Trusty):
status: Fix Committed → Confirmed
description: updated

Hello Serge, or anyone else affected,

Accepted cgmanager into trusty-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/cgmanager/0.24-0ubuntu6 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in cgmanager (Ubuntu Trusty):
status: Confirmed → Fix Committed
tags: added: verification-needed
Serge Hallyn (serge-hallyn) wrote :

The full fix can't be tested until we get the lxc fix pushed as well, however the test22.sh testcase in the cgmanager-tests package tests the getpidcgroupabs feature which is the cgmanager part of this fix. That test passes.

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cgmanager - 0.24-0ubuntu6

---------------
cgmanager (0.24-0ubuntu6) trusty-proposed; urgency=low

  * 0002-exit-on-startup-error: Don't proceed to accept client connections
    if we failed to connect to the server. (LP: #1317693)
  * 0003-proxy-wait-2-seconds-for-server-reply: do not wait indefinately
    for replies from the cgmanager, as it may have crashed. (LP: #1317623)
  * 0004-Implement-getpidcgroupabs.patch: Provide a way for clients to
    query absolute paths which can be used with MovePidAbs (LP: #1315052)
  * 0005-get_controller_path-use-the-is_same_controller-helpe.patch: Fix
    handling of name=systemd so that containers can be properly entered
    into the proper cgroup. (LP: #1315521)
  * 0006-cgm-make-all-also-reference-name-systemd.patch: make cgm all
    also act on the name=systemd container (LP: #1317687)
 -- Serge Hallyn <email address hidden> Thu, 08 May 2014 18:02:50 -0500

Changed in cgmanager (Ubuntu Trusty):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for cgmanager has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regresssions.

Serge Hallyn (serge-hallyn) wrote :

Fix committed upstream with commit 25c7531cf0bab45e06fb2ebf05ce2f37c5c0f649. marking fix committed

Changed in lxc (Ubuntu Utopic):
status: Triaged → Fix Committed
Changed in lxc (Ubuntu Utopic):
status: Fix Committed → Fix Released

Hello Serge, or anyone else affected,

Accepted lxc into trusty-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/lxc/1.0.4-0ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in lxc (Ubuntu Trusty):
status: Confirmed → Fix Committed
tags: removed: verification-done
tags: added: verification-needed
Stéphane Graber (stgraber) wrote :

Confirmed that this indeed now works.

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lxc - 1.0.4-0ubuntu0.1

---------------
lxc (1.0.4-0ubuntu0.1) trusty; urgency=medium

  * New upstream bugfix release. (MRE trackaging bug LP: #1329932)
    - Drop all existing patches (all applied upstream).
    - Fix lxc-attach failing from a different login session. (LP: #1315052)
    - Fix wrong cgroup on login to container. (LP: #1315521)

  * Cherry-pick upstream (stable branch) commits to fix testsuite under adt:
    - tests: Avoid the download template when possible
    - tests: Don't fail when HOME isn't defined
    - tests: apparmor: Always end with a newline

  * Sync packaging with utopic:
    - Depend on either cgmanager or cgroup-lite and recommend cgmanager.
      This should ensure systems get cgmanager by default even if cgroup-lite
      is already installed, yet makes it possible for the user to remove
      cgmanager if they really want to.
    - Remove hardcoded dependency on apparmor, instead generate it from
      rules so that the source package can be backported without changes (the
      right apparmor version will be picked up based on the release number).
    - Do not start lxc-instance in postinst without any instance specified,
      as that is an invalid request.
 -- Stephane Graber <email address hidden> Sat, 14 Jun 2014 20:09:57 -0400

Changed in lxc (Ubuntu Trusty):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers