"System error" on chfn / su with lxc-start --share-net

Bug #1501959 reported by Ryan Finnie
Affects: lxc (Ubuntu); Status: Expired; Importance: Undecided; Assigned to: Unassigned; Milestone: (none)

Bug Description

When running `lxc-start --share-net 1` on a trusty host with a trusty container, chfn / su (and presumably other utilities which use PAM) fail.

Test case:

lxc-create -t ubuntu -n test1
cat >/var/lib/lxc/test1/rootfs/config <<EOM
lxc.include = /usr/share/lxc/config/ubuntu.common.conf
lxc.rootfs = /var/lib/lxc/test1/rootfs
lxc.mount = /var/lib/lxc/test1/fstab
lxc.utsname = test1
lxc.arch = amd64
EOM
lxc-start -n test1 -F --share-net 1 -- chfn -f 'test' root
lxc-start -n test1 -F --share-net 1 -- su -

Output:

# lxc-start -n test1 -F --share-net 1 -- chfn -f 'test' root
chfn: PAM: System error
lxc-start: lxc_start.c: main: 342 The container failed to start.
lxc-start: lxc_start.c: main: 346 Additional information can be obtained by setting the --logfile and --logpriority options.
# lxc-start -n test1 -F --share-net 1 -- su -
su: System error
lxc-start: lxc_start.c: main: 342 The container failed to start.
lxc-start: lxc_start.c: main: 346 Additional information can be obtained by setting the --logfile and --logpriority options.

Issues in Docker e.g. https://github.com/docker/docker/issues/6345 suggest it's because the AUDIT_WRITE capability is not being set, but it doesn't seem to be the case here as LXC by default is doing subtractive caps:

# lxc-info --name test1 -c lxc.cap.keep -c lxc.cap.drop
lxc.cap.keep =
lxc.cap.drop = sys_module
mac_admin
mac_override
sys_time

This issue also appears to have been found in LP: #1430891, but was worked around rather than addressed.

Running without --share-net doesn't exhibit this problem.
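The description infers from lxc.cap.drop that AUDIT_WRITE is still granted. As an added diagnostic that is not part of the original report, this POSIX sh snippet checks the capability bounding set directly: it reads the CapBnd mask from a process's /proc/<pid>/status and tests bit 29 (cap_audit_write). The status text it runs on here is constructed; the lxc-info -p lookup in the trailing comment is an assumption about how one would point it at a real container.

```shell
#!/bin/sh
# Added example, not from the bug report: decode CapBnd from /proc/<pid>/status
# and report whether cap_audit_write (capability number 29) is still present.
# Assumes the kernel's CapBnd format: a 64-bit hex mask, one bit per capability.

CAP_AUDIT_WRITE=29

# cap_in_mask HEXMASK CAPNUM -> status 0 if that capability bit is set, 1 if not
cap_in_mask() {
    mask=$1
    capnum=$2
    bit=$(( (0x$mask >> capnum) & 1 ))
    [ "$bit" -eq 1 ]
}

# capbnd_from_status STATUS_TEXT -> prints the hex mask on the CapBnd: line
capbnd_from_status() {
    printf '%s\n' "$1" | awk '/^CapBnd:/ { print $2 }'
}

# check_audit_write STATUS_TEXT -> status 0 if cap_audit_write is in CapBnd
check_audit_write() {
    mask=$(capbnd_from_status "$1")
    if cap_in_mask "$mask" "$CAP_AUDIT_WRITE"; then
        echo "CapBnd=$mask: cap_audit_write present"
        return 0
    fi
    echo "CapBnd=$mask: cap_audit_write DROPPED"
    return 1
}

# Constructed sample status excerpts (not captured from the reporter's host):
# a full bounding set, and the same set with only bit 29 cleared.
STATUS_FULL='Name: chfn
CapBnd: 0000003fffffffff'
STATUS_NO_AUDIT='Name: chfn
CapBnd: 0000003fdfffffff'

check_audit_write "$STATUS_FULL" || true
check_audit_write "$STATUS_NO_AUDIT" || true

# Against a live process, e.g. this shell, or the container's init (assumed
# lookup): check_audit_write "$(cat /proc/$(lxc-info -n test1 -p -H)/status)"
[ -r /proc/$$/status ] && check_audit_write "$(cat /proc/$$/status)" || true
```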

Stéphane Graber (stgraber) wrote:

Any reason you're running those commands as the container PID1 instead of starting the container and using lxc-attach to run the commands inside it?

What you're doing right now is unsupported as neither chfn nor su are init processes, so they will not know how to set up the container or handle other tasks that init is in charge of (signal handling, child re-parenting and reaping, ...).

Changed in lxc (Ubuntu):
status: New → Incomplete
Launchpad Janitor (janitor) wrote:

[Expired for lxc (Ubuntu) because there has been no activity for 60 days.]

Changed in lxc (Ubuntu):
status: Incomplete → Expired