Dariusz Michaluk
2014-Feb-27 14:07 UTC
Re: [libvirt-users] [libvirt] LXC, user namespaces and systemd
On 26.02.2014 17:59, Stephan Sachse wrote:>> # chown -R foo:foo /var/lib/libvirt/filesystems/mycontainer > > you must "shift" the uids for the container 0 -> 666, 1 -> 667, 2 -> > 668. there is a tool for this: uidmapshiftI prepared two containers, the first I used chown, in the second uidmapshift, here is the results. ./uidmapshift -r /var/lib/libvirt/filesystems/mycontainer UIDs 666 - 666 GIDs 1001 - 2000 foo 28919 28917 0 14:42 ? 00:00:00 /sbin/init 747 28950 28919 0 14:42 ? 00:00:00 /bin/dbus-daemon ./uidmapshift -r /var/lib/libvirt/filesystems/test UIDs 888 - 1776 GIDs 1002 - 2001 foo1 29298 29296 0 14:45 ? 00:00:00 /sbin/init 969 29329 29298 0 14:45 ? 00:00:00 /bin/dbus-daemon As you can see root is mapped to foo or foo1 user and dbus user is mapped to 747 (uid=81(dbus) + uid=666(foo)) or 969 (uid=81(dbus) + uid=888(foo1)). Mapping looks properly. Why use uidmapshift ?, it still performs chown. Could you explain more?> some tools may not work, because of the missing file capabilities. > chown removes all file capabilities! try ping as user inside the > container. (missing file cap cap_net_admin,cap_net_raw)# getcap /usr/bin/ping # ping localhost PING localhost (127.0.0.1) 56(84) bytes of data. 64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.077 ms 64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.066 ms ^C --- localhost ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 999ms rtt min/avg/max/mdev = 0.066/0.071/0.077/0.010 ms Yes you are right, chown removed capabilities, but ping still works properly. -- Dariusz Michaluk Samsung R&D Institute Poland Samsung Electronics d.michaluk@samsung.com
Stephan Sachse
2014-Feb-27 15:32 UTC
Re: [libvirt-users] [libvirt] LXC, user namespaces and systemd
On Thu, Feb 27, 2014 at 3:07 PM, Dariusz Michaluk <d.michaluk@samsung.com> wrote:> On 26.02.2014 17:59, Stephan Sachse wrote: >>> >>> # chown -R foo:foo /var/lib/libvirt/filesystems/mycontainer >> >> you must "shift" the uids for the container 0 -> 666, 1 -> 667, 2 -> >> 668. there is a tool for this: uidmapshift > > I prepared two containers, the first I used chown, in the second > uidmapshift, here is the results. > > ./uidmapshift -r /var/lib/libvirt/filesystems/mycontainer > UIDs 666 - 666 > GIDs 1001 - 2000 > > foo 28919 28917 0 14:42 ? 00:00:00 /sbin/init > 747 28950 28919 0 14:42 ? 00:00:00 /bin/dbus-daemon > > ./uidmapshift -r /var/lib/libvirt/filesystems/test > UIDs 888 - 1776 > GIDs 1002 - 2001 > > foo1 29298 29296 0 14:45 ? 00:00:00 /sbin/init > 969 29329 29298 0 14:45 ? 00:00:00 /bin/dbus-daemon > > As you can see root is mapped to foo or foo1 user and dbus user is mapped to > 747 (uid=81(dbus) + uid=666(foo)) or 969 (uid=81(dbus) + uid=888(foo1)). > Mapping looks properly. Why use uidmapshift ?, it still performs chown. > Could you explain more?# ls -ln uidmapshift-test/ -rw-r--r-- 1 0 0 0 27. Feb 15:50 uid0 -rw-r--r-- 1 81 81 0 27. Feb 15:50 uid81 # /root/uidmapshift -b uidmapshift-test/ 0 100000 1000 # ls -ln uidmapshift-test/ -rw-r--r-- 1 100000 100000 0 27. Feb 15:50 uid0 -rw-r--r-- 1 100081 100081 0 27. Feb 15:50 uid81 correctly mapped 0 to 100000 with a range of 1000 # chown 100000.100000 uidmapshift-test/ -R # ls -ln uidmapshift-test/ -rw-r--r-- 1 100000 100000 0 27. Feb 15:50 uid0 -rw-r--r-- 1 100000 100000 0 27. Feb 15:50 uid81 wrong mapping for file uid81 look at the ls -l output from inside the container! btw: /bin/dbus-daemon is root.root on my system (fedora20) # rpm -qlv dbus | grep 'bin/dbus-daemon' -rwxr-xr-x 1 root root 445104 Dez 26 10:26 /bin/dbus-daemon fedora20 inside the container (999=ssh_keys) # ls -ln /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_ecdsa_key -rw-r----- 1 0 999 227 18. Feb 12:56 /etc/ssh/ssh_host_ecdsa_key -rw-r----- 1 0 999 1679 18. Feb 12:56 /etc/ssh/ssh_host_rsa_key fedora20 outside the container ls -l etc/ssh/ssh_host_rsa_key etc/ssh/ssh_host_ecdsa_key -rw-r----- 1 100000 999 227 18. Feb 13:56 etc/ssh/ssh_host_ecdsa_key -rw-r----- 1 100000 999 1679 18. Feb 13:56 etc/ssh/ssh_host_rsa_key i have a mapping: 0 to 100000 range 1 if the range is 10000. it must looks like this from the outside ls -l etc/ssh/ssh_host_rsa_key etc/ssh/ssh_host_ecdsa_key -rw-r----- 1 100000 100999 227 18. Feb 13:56 etc/ssh/ssh_host_ecdsa_key -rw-r----- 1 100000 100999 1679 18. Feb 13:56 etc/ssh/ssh_host_rsa_key and as before from the inside>> some tools may not work, because of the missing file capabilities. >> chown removes all file capabilities! try ping as user inside the >> container. (missing file cap cap_net_admin,cap_net_raw) > > # getcap /usr/bin/ping > # ping localhost > PING localhost (127.0.0.1) 56(84) bytes of data. > 64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.077 ms > 64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.066 ms > ^C > --- localhost ping statistics --- > 2 packets transmitted, 2 received, 0% packet loss, time 999ms > rtt min/avg/max/mdev = 0.066/0.071/0.077/0.010 ms > > Yes you are right, chown removed capabilities, but ping still works > properly.try it as user and not as root # su -s/bin/bash nobody -c 'ping localhost' ping: icmp open socket: Operation not permitted fix this from outside the container chroot /path/to/rootfs rpm --qf "[%{FILECAPS} %{FILENAMES}\n]" -qa | grep ^= | sed -e 's/^=/setcap/' and paste the output into your terminal /stephan -- Software is like sex, it's better when it's free!
Dariusz Michaluk
2014-Feb-28 09:49 UTC
Re: [libvirt-users] [libvirt] LXC, user namespaces and systemd
On 27.02.2014 16:32, Stephan Sachse wrote:> On Thu, Feb 27, 2014 at 3:07 PM, Dariusz Michaluk > <d.michaluk@samsung.com> wrote: >> On 26.02.2014 17:59, Stephan Sachse wrote: >>>> >>>> # chown -R foo:foo /var/lib/libvirt/filesystems/mycontainer >>> >>> you must "shift" the uids for the container 0 -> 666, 1 -> 667, 2 -> >>> 668. there is a tool for this: uidmapshift >> >> I prepared two containers, the first I used chown, in the second >> uidmapshift, here is the results. >> >> ./uidmapshift -r /var/lib/libvirt/filesystems/mycontainer >> UIDs 666 - 666 >> GIDs 1001 - 2000 >> >> foo 28919 28917 0 14:42 ? 00:00:00 /sbin/init >> 747 28950 28919 0 14:42 ? 00:00:00 /bin/dbus-daemon >> >> ./uidmapshift -r /var/lib/libvirt/filesystems/test >> UIDs 888 - 1776 >> GIDs 1002 - 2001 >> >> foo1 29298 29296 0 14:45 ? 00:00:00 /sbin/init >> 969 29329 29298 0 14:45 ? 00:00:00 /bin/dbus-daemon >> >> As you can see root is mapped to foo or foo1 user and dbus user is mapped to >> 747 (uid=81(dbus) + uid=666(foo)) or 969 (uid=81(dbus) + uid=888(foo1)). >> Mapping looks properly. Why use uidmapshift ?, it still performs chown. >> Could you explain more? > > # ls -ln uidmapshift-test/ > -rw-r--r-- 1 0 0 0 27. Feb 15:50 uid0 > -rw-r--r-- 1 81 81 0 27. Feb 15:50 uid81 > > # /root/uidmapshift -b uidmapshift-test/ 0 100000 1000 > # ls -ln uidmapshift-test/ > -rw-r--r-- 1 100000 100000 0 27. Feb 15:50 uid0 > -rw-r--r-- 1 100081 100081 0 27. Feb 15:50 uid81 > > correctly mapped 0 to 100000 with a range of 1000 > > # chown 100000.100000 uidmapshift-test/ -R > # ls -ln uidmapshift-test/ > -rw-r--r-- 1 100000 100000 0 27. Feb 15:50 uid0 > -rw-r--r-- 1 100000 100000 0 27. Feb 15:50 uid81 > > wrong mapping for file uid81 > > look at the ls -l output from inside the container! btw: > /bin/dbus-daemon is root.root on my system (fedora20) > > # rpm -qlv dbus | grep 'bin/dbus-daemon' > -rwxr-xr-x 1 root root 445104 Dez 26 10:26 > /bin/dbus-daemon > > fedora20 inside the container (999=ssh_keys) > > # ls -ln /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_ecdsa_key > -rw-r----- 1 0 999 227 18. Feb 12:56 /etc/ssh/ssh_host_ecdsa_key > -rw-r----- 1 0 999 1679 18. Feb 12:56 /etc/ssh/ssh_host_rsa_key > > fedora20 outside the container > > ls -l etc/ssh/ssh_host_rsa_key etc/ssh/ssh_host_ecdsa_key > -rw-r----- 1 100000 999 227 18. Feb 13:56 etc/ssh/ssh_host_ecdsa_key > -rw-r----- 1 100000 999 1679 18. Feb 13:56 etc/ssh/ssh_host_rsa_key > > i have a mapping: 0 to 100000 range 1 > if the range is 10000. it must looks like this from the outside > > ls -l etc/ssh/ssh_host_rsa_key etc/ssh/ssh_host_ecdsa_key > -rw-r----- 1 100000 100999 227 18. Feb 13:56 etc/ssh/ssh_host_ecdsa_key > -rw-r----- 1 100000 100999 1679 18. Feb 13:56 etc/ssh/ssh_host_rsa_key > > and as before from the inside > >>> some tools may not work, because of the missing file capabilities. >>> chown removes all file capabilities! try ping as user inside the >>> container. (missing file cap cap_net_admin,cap_net_raw) >> >> # getcap /usr/bin/ping >> # ping localhost >> PING localhost (127.0.0.1) 56(84) bytes of data. >> 64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.077 ms >> 64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.066 ms >> ^C >> --- localhost ping statistics --- >> 2 packets transmitted, 2 received, 0% packet loss, time 999ms >> rtt min/avg/max/mdev = 0.066/0.071/0.077/0.010 ms >> >> Yes you are right, chown removed capabilities, but ping still works >> properly. > > try it as user and not as root > > # su -s/bin/bash nobody -c 'ping localhost' > ping: icmp open socket: Operation not permitted > > fix this from outside the container > > chroot /path/to/rootfs > > rpm --qf "[%{FILECAPS} %{FILENAMES}\n]" -qa | grep ^= | sed -e 's/^=/setcap/' > > and paste the output into your terminal > > /stephan >Yes you are right, thank you for the clear and simple explanation, now I understand. -- Dariusz Michaluk Samsung R&D Institute Poland Samsung Electronics d.michaluk@samsung.com