lxc container can power-off host machine
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
lxc (Ubuntu) |
Fix Released
|
Medium
|
Unassigned |
Bug Description
Binary package hint: lxc
Bug related information:
# lsb_release -rd
Description: Ubuntu 10.04.1 LTS
Release: 10.04
# apt-cache policy lxc
lxc:
Installed: 0.7.2-1~10.04~csz1
Candidate: 0.7.2-1~10.04~csz1
Version table:
*** 0.7.2-1~10.04~csz1 0
500 http://
100 /var/lib/
0.6.5-1 0
500 http://
(NEVERMIND if I am using a PPA version: it's the same version you're using in Maverick and I don't think this is causing the issue that I am facing now).
I created a system image by using the tool "lxc-create" and by using the included templates (I even created images myself without this tool, and nothing changes with this issue)
The tool makes all the necessary steps to create the image (debootstrap and so on) and, at the end of the process, it creates a config file suitable for that image.
One of the last rows of the config file is:
lxc.mount.
same identical problem happens if I comment out this row and I mount /proc myself from /etc/fstab inside the container
The problem arises when I issue the command:
echo b > /proc/sysrq-trigger
In this case the host machine will power-off, and not the container.
It's possible to check what I said, without harming your server, just by running a sync command on the container:
echo s > /proc/sysrq-trigger
and than checking /var/log/messages on the host server. You'll see that the command is intercepted from the host and not from the container.
Right now, I have no idea how to circumvent this issue, and if this problem persist, I feel the security of LXC is heavily compromised.
Related branches
visibility: | private → public |
summary: |
- lxc container can power-off the host machine + lxc container can power-off host machine |
description: | updated |
description: | updated |
Changed in lxc (Ubuntu): | |
status: | Confirmed → Triaged |
The problem is that there is no good /proc isolation yet. :(