permission denied in "/var/lib/lxcfs/cgroup/[memory-blkio-devices]" when querying /var with command such as : find,du,ls, ...

Bug #1656309 reported by Eric Desrochers on 2017-01-13
This bug affects 2 people
Affects: lxcfs (Ubuntu)
Importance: Medium
Assigned to: Unassigned
Nominated for Xenial by Eric Desrochers
Nominated for Zesty by Eric Desrochers

Bug Description

[Impact]

 * Getting a permission denied when querying "/var" using commands such as : find, du, ls, .... complaining about permission denied in "/var/lib/lxcfs/cgroup/[memory-blkio-devices]"

[Test Case]

 * On a Xenial/Zesty machine with lxcfs installed (<=2.0.5-0ubuntu1~ubuntu16.04.1)

# find /var -name "foo"
..
find: ‘/var/lib/lxcfs/cgroup/devices/user.slice/user-0.slice/devices.allow’: Permission denied
find: ‘/var/lib/lxcfs/cgroup/devices/user.slice/user-0.slice/devices.deny’: Permission denied
find: ‘/var/lib/lxcfs/cgroup/devices/user.slice/user-0.slice/user@0.service/devices.allow’: Permission denied
...

# du -hs /var
..
du: cannot access '/var/lib/lxcfs/cgroup/devices/user.slice/user-0.slice/user@0.service/devices.deny': Permission denied
du: cannot access '/var/lib/lxcfs/cgroup/devices/user.slice/user-0.slice/session-27.scope/devices.allow': Permission denied
36G /var
..

# ls -altr /var/lib/lxcfs/cgroup/devices/
ls: cannot access '/var/lib/lxcfs/cgroup/devices/devices.allow': Permission denied
ls: cannot access '/var/lib/lxcfs/cgroup/devices/devices.deny': Permission denied
total 0
?????????? ? ? ? ? ? devices.deny
?????????? ? ? ? ? ? devices.allow

[Regression Potential]

 * None expected, change is trivial and already in lxcfs GitHub upstream src code
[https://github.com/lxc/lxcfs]

[Other Info]

 * Commit ID : 4117b6c bindings: allow getattr on O_WRONLY files
 * Commit URL : https://github.com/lxc/lxcfs/commit/4117b6ca6091d811581e236f5fc2d62d12c11c4e

After having applied the upstream commit [1]:

# du -hs /var
36G /var

# find /var -name "foo"

# ls -altr /var/lib/lxcfs/cgroup/devices/
total 0
drwxr-xr-x 2 root root 0 Jan 13 08:28 ..
drwxr-xr-x 2 root root 0 Jan 13 08:28 .
-rw-r--r-- 1 root root 0 Jan 13 08:28 tasks
-rw-r--r-- 1 root root 0 Jan 13 08:28 cgroup.procs
--w------- 1 root root 0 Jan 13 08:28 devices.allow
-rw-r--r-- 1 root root 0 Jan 13 08:28 release_agent
-rw-r--r-- 1 root root 0 Jan 13 08:28 cgroup.clone_children
-r--r--r-- 1 root root 0 Jan 13 08:28 cgroup.sane_behavior
-rw-r--r-- 1 root root 0 Jan 13 08:28 notify_on_release
--w------- 1 root root 0 Jan 13 08:28 devices.deny
-r--r--r-- 1 root root 0 Jan 13 08:28 devices.list
drwxr-xr-x 2 root root 0 Jan 13 08:28 machine
drwxr-xr-x 2 root root 0 Jan 13 08:28 init.scope
drwxr-xr-x 2 root root 0 Jan 13 08:28 system.slice
drwxr-xr-x 2 root root 0 Jan 13 08:28 user.slice

[1] - 4117b6c bindings: allow getattr on O_WRONLY files

Changed in lxcfs (Ubuntu):
importance: Undecided → Medium
summary: - permission denied in /var/lib/lxcfs/....when querying with find,du,ls,
- ...
+ permission denied in "/var/lib/lxcfs/cgroup/[memory-blkio-devices" when
+ querying /var with command such as : find,du,ls, ...
Eric Desrochers (slashd) on 2017-01-13
summary: - permission denied in "/var/lib/lxcfs/cgroup/[memory-blkio-devices" when
+ permission denied in "/var/lib/lxcfs/cgroup/[memory-blkio-devices]" when
querying /var with command such as : find,du,ls, ...
Eric Desrochers (slashd) wrote :

Disregard this bug; after more testing, "2.0.5-0ubuntu1~ubuntu16.04.1" doesn't exhibit the problem.
I was confused switching from one Xenial to another with a different lxcfs version.

Changed in lxcfs (Ubuntu):
status: New → Fix Released
Eric Desrochers (slashd) wrote :

Bug was fixed in lxcfs (2.0.4-0ubuntu1~ubuntu16.04.1)

debian/changelog :

lxcfs (2.0.4-0ubuntu1~ubuntu16.04.1) xenial; urgency=medium
...
- bindings: enable access to /var/lib/lxcfs/cgroup
...

I apparently still get this bug in lxcfs `2.0.8-0ubuntu1~16.04.2`. This user also gets this bug in a version where it is alleged to have been fixed: https://github.com/bit-team/backintime/issues/782
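
Since the comments disagree on which lxcfs versions are affected, a direct check of a given host is more reliable than comparing version strings. The following is an added example, not code from lxcfs or from anyone in this report: it walks a tree and separates entries whose getattr (lstat) is refused, the `?????????? ? ? ?` symptom above, from write-only files such as `devices.allow` that stat cleanly. The function name `audit_getattr` and the injectable `lstat` parameter are assumptions made for illustration.

```python
import errno
import os
import stat
import sys

DENIED = (errno.EACCES, errno.EPERM)

def audit_getattr(root, lstat=os.lstat):
    """Walk root; return (denied, write_only) as sorted lists of paths.

    denied:     lstat() failed with EACCES/EPERM, the symptom ls renders as
                '?????????? ? ? ?' in the report above.
    write_only: regular files that stat fine and have write bits but no read
                bits (for example --w------- devices.allow).
    `lstat` is injectable (hypothetical parameter) so the check can be
    exercised on a host without lxcfs.
    """
    denied, write_only = [], []
    pending = [root]
    while pending:
        directory = pending.pop()
        try:
            names = os.listdir(directory)
        except OSError as exc:
            if exc.errno in DENIED:
                denied.append(directory)
            continue  # vanished or unreadable directory: nothing to descend into
        for name in names:
            path = os.path.join(directory, name)
            try:
                st = lstat(path)
            except OSError as exc:
                if exc.errno in DENIED:
                    denied.append(path)
                elif exc.errno != errno.ENOENT:  # cgroups come and go mid-walk
                    raise
                continue
            if stat.S_ISDIR(st.st_mode):
                pending.append(path)
            elif stat.S_ISREG(st.st_mode) and st.st_mode & 0o222 and not st.st_mode & 0o444:
                write_only.append(path)
    return sorted(denied), sorted(write_only)

if __name__ == "__main__":
    # Default target is the lxcfs mount named in the report.
    target = sys.argv[1] if len(sys.argv) > 1 else "/var/lib/lxcfs/cgroup"
    denied, write_only = audit_getattr(target)
    for path in denied:
        print("getattr denied:", path)
    print(f"{len(denied)} denied, {len(write_only)} write-only files stat cleanly")
    sys.exit(1 if denied else 0)
```

Run as root, a non-zero exit status means the host still shows the behaviour described in this report; an exit status of 0 with a non-zero write-only count matches the post-fix listing.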
