On 28.07.2014 16:37, Daniel P. Berrange wrote:
> On Mon, Jul 28, 2014 at 04:25:56PM +0200, Richard Weinberger wrote:
>> Hi!
>>
>> Kernel commit 23adbe12 ("fs,userns: Change inode_capable to capable_wrt_inode_uidgid")
>> uncovered a libvirt-lxc issue.
>> Starting with that commit the kernel correctly also checks the gid of an inode.
>>
>> Sadly this change breaks libvirt-lxc in a way such that openpty() will always fail
>> with -EPERM within a container. Therefore ssh and other programs are no longer usable.
>>
>> Libvirt's virLXCControllerSetupDevPTS() has a hardcoded mount
>> string for mounting devpts, namely "newinstance,ptmxmode=0666,mode=0620,gid=5".
>> devpts correctly translates the uid and gid while mounting, but libvirt
>> mounts devpts _before_ setting up the uid/gid mappings.
>> Therefore the internal gid for the new devpts instance is still 5 instead of the mapped gid,
>> and the new check in the kernel will always fail.
>>
>> We have two options to fix that:
>> a) virLXCControllerSetupDevPTS() translates the gid (5) by hand and passes the correct
>> value to devpts. (IMHO hacky)
>
> You mean that instead of passing the value '5', if the guest
> GIDs had been remapped to start at 1000, we would pass in
> '1005' to mount ? I don't think that's hacky - it seems like
> a perfectly sensible fix to do.

Correct.
If you're fine with that I'll happily submit a patch.

Thanks,
//richard

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
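The translation step that option (a) describes, as an added C example that is not libvirt's code: the container's tty gid (5) is looked up in the container's gid mapping before the devpts option string is built, so the kernel sees the host gid the mapping actually produces. `struct idmap_entry`, `map_guest_gid`, `build_devpts_opts` and the 0 -> 1000 mapping are all constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* One gid_map line: container start, host start, count.
 * Constructed for this example; not libvirt's own structure. */
struct idmap_entry {
    unsigned int guest_start;
    unsigned int host_start;
    unsigned int count;
};

/* Translate a container gid to the host gid it maps to. Returns 0 and stores
 * the result in *host_gid, or -1 when no mapping covers the gid: an unmapped
 * value must not reach mount(2), as it would name an unrelated host group. */
int map_guest_gid(const struct idmap_entry *map, size_t n,
                  unsigned int guest_gid, unsigned int *host_gid)
{
    for (size_t i = 0; i < n; i++) {
        if (guest_gid >= map[i].guest_start &&
            guest_gid < map[i].guest_start + map[i].count) {
            *host_gid = map[i].host_start + (guest_gid - map[i].guest_start);
            return 0;
        }
    }
    return -1;
}

/* Build the devpts mount options with the *host* gid for the container's
 * tty group (gid 5 inside the container). Returns 0 on success, -1 if the
 * gid is unmapped or the buffer is too small. */
int build_devpts_opts(const struct idmap_entry *map, size_t n,
                      char *buf, size_t buflen)
{
    unsigned int host_gid;
    if (map_guest_gid(map, n, 5, &host_gid) < 0)
        return -1;
    int len = snprintf(buf, buflen, "newinstance,ptmxmode=0666,mode=0620,gid=%u", host_gid);
    return (len < 0 || (size_t)len >= buflen) ? -1 : 0;
}

int main(void)
{
    /* Constructed mapping: container gids 0..65535 -> host gids 1000..66535 */
    struct idmap_entry map[] = { { 0, 1000, 65536 } };
    char opts[128];
    if (build_devpts_opts(map, 1, opts, sizeof(opts)) == 0)
        printf("%s\n", opts);   /* newinstance,ptmxmode=0666,mode=0620,gid=1005 */
    return 0;
}
```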