On Mon, Jul 28, 2014 at 04:25:56PM +0200, Richard Weinberger wrote:
> Hi!
>
> Kernel commit 23adbe12 ("fs,userns: Change inode_capable to capable_wrt_inode_uidgid")
> uncovered a libvirt-lxc issue.
> Starting with that commit the kernel correctly also checks the gid of an inode.
>
> Sadly this change breaks libvirt-lxc in a way such that openpty() will always fail
> with -EPERM within a container. Therefore ssh and other programs are no longer usable.
>
> Libvirt's virLXCControllerSetupDevPTS() has a hardcoded mount
> string for mounting devpts, namely "newinstance,ptmxmode=0666,mode=0620,gid=5".
> devpts correctly translates the uid and gid while mounting, but libvirt
> mounts devpts _before_ setting up the uid/gid mappings.
> Therefore the internal gid for the new devpts instance is still 5 instead of the mapped gid,
> and the new check in the kernel will always fail.
>
> We have two options to fix that:
> a) virLXCControllerSetupDevPTS() translates the gid (5) by hand and passes the correct
> value to devpts. (IMHO hacky)

You mean that instead of passing the value '5', if the guest GIDs had been
remapped to start at 1000, we would pass in '1005' to mount?

I don't think that's hacky - it seems like a perfectly sensible fix to do.

Regards,
Daniel
-- 
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
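An added example (not libvirt's code) of option a) from the quoted message: look the tty gid (5) up in the container's gid map, as the kernel would once the mapping exists, and build the devpts option string with the host-side gid. The `struct idmap` type, the function names and the constructed 0..65535 -> 1000.. mapping (the remap used in the reply above) are assumptions for this illustration.

```c
/* Added example, not libvirt code: translate a container gid through a
 * user-namespace gid map before mounting devpts, so the gid stored in the
 * new devpts instance matches what capable_wrt_inode_uidgid() will check. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* One line of /proc/<pid>/gid_map: "<ns_start> <host_start> <count>". */
struct idmap { unsigned long ns_start, host_start, count; };

/* Constructed mapping: container gids 0..65535 -> host gids 1000..66535. */
static const struct idmap example_map[] = { { 0, 1000, 65536 } };
#define EXAMPLE_MAP_LEN (sizeof(example_map) / sizeof(example_map[0]))

/* Return the host gid for a container gid, or -1 if the gid is unmapped. */
long lxc_translate_gid(const struct idmap *map, size_t n, unsigned long ns_gid)
{
    for (size_t i = 0; i < n; i++) {
        if (ns_gid >= map[i].ns_start && ns_gid - map[i].ns_start < map[i].count)
            return (long)(map[i].host_start + (ns_gid - map[i].ns_start));
    }
    return -1;
}

/* Build the devpts option string from the message with gid=5 translated.
 * Returns 0 on success, -1 if gid 5 is not mapped or the buffer is too small:
 * an unmapped tty gid must be an error, not silently passed through as 5. */
int lxc_devpts_opts(const struct idmap *map, size_t n, char *buf, size_t len)
{
    long host_gid = lxc_translate_gid(map, n, 5);
    if (host_gid < 0)
        return -1;
    int r = snprintf(buf, len, "newinstance,ptmxmode=0666,mode=0620,gid=%ld", host_gid);
    return (r < 0 || (size_t)r >= len) ? -1 : 0;
}

/* Option string for the constructed example map, or NULL on failure. */
const char *example_devpts_opts(void)
{
    static char buf[128];
    return lxc_devpts_opts(example_map, EXAMPLE_MAP_LEN, buf, sizeof(buf)) == 0 ? buf : NULL;
}

int main(void)
{
    const char *opts = example_devpts_opts();
    printf("%s\n", opts ? opts : "tty gid not mapped");
    return opts ? 0 : 1;
}
```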