On Wed, 03.07.19 12:24, Kai Bojens (kb@xxxxxxxxxx) wrote:

> Ubuntu 18.04, HWE kernel 4.18.0-25-generic, systemd 237-3ubuntu10.23
>
> I have created a nspawn container with a minimal Ubuntu and booted the
> container without any problems. There were no problems and I used the
> default settings. Now I see some strange permission errors which I
> can't explain:
>
> Inside the container:
>
> root@container:/var/log# ls -alt
> total 356
> -rw-r--r--  1 root   root    203203 Jul  3 09:17 dpkg.log
> drwxr-xr-x  1 root   root        60 Jul  3 09:17 apt
> -rw-r--r--  1 root   root      9046 Jul  2 15:04 alternatives.log
> -rw-------  1 root   root      6784 Jul  2 15:04 tallylog
> -rw-r--r--  1 root   root      3392 Jul  2 15:04 faillog
> -rw-r-----  1 nobody nogroup  40658 Jul  2 10:14 syslog
> -rw-rw-r--  1 nobody nogroup  16128 Jul  2 10:14 wtmp
> -rw-r-----  1 nobody nogroup   6234 Jul  2 10:14 auth.log
> -rw-rw-r--  1 nobody nogroup  30660 Jul  2 10:06 lastlog
> -rw-rw----  1 nobody nogroup    384 Jul  1 14:02 btmp
> drwxrwxr-x  1 nobody nogroup    182 Jul  1 14:02 .
> drwxr-sr-x+ 1 nobody nogroup     64 Jul  1 14:02 journal
> -rw-r--r--  1 root   root     60952 Jul  1 13:59 bootstrap.log
> drwxr-xr-x  1 root   root        90 Jul  1 13:56 ..
>
> root@container:/var/log# whoami
> root
> root@container:/var/log# tail syslog
> tail: cannot open 'syslog' for reading: Permission denied
>
>
> Outside the container:
>
> root@container:/var/lib/machines/xy-test/var/log# ls -alt
> total 356
> -rw-r--r--  1 198180864 198180864      203203 Jul  3 09:17 dpkg.log
> drwxr-xr-x  1 198180864 198180864          60 Jul  3 09:17 apt
> -rw-r--r--  1 198180864 198180864        9046 Jul  2 15:04 alternatives.log
> -rw-------  1 198180864 198180864        6784 Jul  2 15:04 tallylog
> -rw-r--r--  1 198180864 198180864        3392 Jul  2 15:04 faillog
> -rw-r-----  1 syslog    adm             40658 Jul  2 10:14 syslog
> -rw-rw-r--  1 root      utmp            16128 Jul  2 10:14 wtmp
> -rw-r-----  1 syslog    adm              6234 Jul  2 10:14 auth.log
> -rw-rw-r--  1 root      utmp            30660 Jul  2 10:06 lastlog
> -rw-rw----  1 root      utmp              384 Jul  1 14:02 btmp
> drwxrwxr-x  1 root      syslog            182 Jul  1 14:02 .
> drwxr-sr-x+ 1 root      systemd-journal    64 Jul  1 14:02 journal
> -rw-r--r--  1 198180864 198180864       60952 Jul  1 13:59 bootstrap.log
> drwxr-xr-x  1 198180864 198180864          90 Jul  1 13:56 ..
>
> I have not touched any of these files from outside of the container. Is
> there anything obvious I have failed to see? Why would the ownership of
> these files change?

This is caused by user namespacing, i.e. the -U option of systemd-nspawn
(which is default in systemd-nspawn@.service, but not in systemd-nspawn
when invoked directly). It means the container runs under its own UID
range that is somewhere above the 65536 boundary when looking from the
outside of the container, but looks like the normal 0…65536 inside of
it. Except that some system files are always owned by the special
nobody user, because they are system files.

It appears you ran your container once with and once without user
namespacing.

You can fix that without loss, see documentation:

https://www.freedesktop.org/software/systemd/man/systemd-nspawn.html#-U

Lennart

--
Lennart Poettering, Berlin
_______________________________________________
systemd-devel mailing list
systemd-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
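The mixed-ownership situation Lennart diagnoses (a tree populated once with and once without -U) can be checked mechanically before running any recursive chown. The following Python script is an added example, not code from this thread or from systemd. It assumes what the two listings above show: the container's IDs 0..65535 are mapped onto one 64K-aligned block of host IDs starting at a base (198180864 in the thread, which is 3024 * 65536), and any host UID or GID outside that block has no mapping in the container's user namespace, so the kernel reports it inside as the overflow IDs that Ubuntu displays as nobody/nogroup. The sample records are constructed from the "outside the container" listing; the numeric host IDs used for syslog, adm, utmp and systemd-journal are assumed values, not taken from the mail. The names `in_container_id`, `shifted_id`, `infer_base`, `audit_entries` and `audit_path` are this example's own.

```python
"""Audit a systemd-nspawn directory tree for inconsistent UID-shifted ownership.

Added example, not code from the systemd-devel thread or from systemd.
Assumption: nspawn -U maps container IDs 0..65535 onto host IDs BASE..BASE+65535
(one 64K-aligned block); host IDs outside that block are unmapped in the
container and show up there as the overflow IDs (nobody/nogroup, 65534).
"""
from collections import Counter
import os
from typing import Iterable, List, NamedTuple, Optional

UID_RANGE = 65536      # size of one per-container UID/GID block
OVERFLOW_ID = 65534    # kernel default overflowuid/overflowgid (nobody/nogroup)


class Entry(NamedTuple):
    path: str
    uid: int   # owner UID as seen on the host
    gid: int   # group GID as seen on the host


def in_container_id(host_id: int, base: int, size: int = UID_RANGE) -> Optional[int]:
    """Host UID/GID -> the value the container sees, or None if it is unmapped
    (unmapped IDs are what `ls` inside the container prints as nobody/nogroup)."""
    if base <= host_id < base + size:
        return host_id - base
    return None


def shifted_id(container_id: int, base: int, size: int = UID_RANGE) -> int:
    """Inverse mapping: the host ID a recursive chown into the block assigns."""
    if not 0 <= container_id < size:
        raise ValueError(f"container id {container_id} outside 0..{size - 1}")
    return base + container_id


def infer_base(host_ids: Iterable[int], size: int = UID_RANGE) -> Optional[int]:
    """Guess the container's block when you do not know it: ordinary host
    accounts live below `size`, so every ID at or above it is rounded down to
    a block start and the most frequent block wins. None if no ID is shifted."""
    blocks = Counter((i // size) * size for i in host_ids if i >= size)
    if not blocks:
        return None
    return blocks.most_common(1)[0][0]


def audit_entries(entries: Iterable[Entry], base: int, size: int = UID_RANGE) -> List[Entry]:
    """Entries whose owner OR group lies outside the container's block.

    These are exactly the files the container shows as nobody/nogroup. A
    non-empty result next to correctly shifted siblings means the tree was
    written both with and without user namespacing and needs a consistent chown."""
    return [
        e for e in entries
        if in_container_id(e.uid, base, size) is None
        or in_container_id(e.gid, base, size) is None
    ]


def audit_path(root: str, base: int, size: int = UID_RANGE) -> List[Entry]:
    """Walk a real container directory on the host (run as root) and audit it.
    lstat() is used so a symlink is judged by its own ownership, not its target's."""
    found: List[Entry] = []
    for dirpath, dirnames, filenames in os.walk(root):
        children = [os.path.join(dirpath, n) for n in dirnames + filenames]
        for full in ([dirpath] if dirpath == root else []) + children:
            st = os.lstat(full)
            found.append(Entry(full, st.st_uid, st.st_gid))
    return audit_entries(found, base, size)


BASE = 198180864   # the block visible in the thread's outside listing (3024 * 65536)

# Constructed from the thread's "outside the container" listing. The host IDs
# for syslog/adm/utmp/systemd-journal are assumed values, not from the mail.
SAMPLE = [
    Entry("dpkg.log",         BASE, BASE),
    Entry("apt",              BASE, BASE),
    Entry("alternatives.log", BASE, BASE),
    Entry("tallylog",         BASE, BASE),
    Entry("faillog",          BASE, BASE),
    Entry("syslog",           102, 4),     # syslog:adm on the host
    Entry("wtmp",             0, 43),      # root:utmp
    Entry("auth.log",         102, 4),
    Entry("lastlog",          0, 43),
    Entry("btmp",             0, 43),
    Entry(".",                0, 102),     # root:syslog
    Entry("journal",          0, 101),     # root:systemd-journal
    Entry("bootstrap.log",    BASE, BASE),
]


def sample_report() -> List[str]:
    """Paths from SAMPLE that the container would show as nobody/nogroup."""
    return [e.path for e in audit_entries(SAMPLE, BASE)]


if __name__ == "__main__":
    print("inferred base:", infer_base(e.uid for e in SAMPLE))
    for p in sample_report():
        print("unmapped inside the container (nobody/nogroup):", p)
    # On a real host: audit_path("/var/lib/machines/xy-test", BASE)
```

Running it against the constructed sample reports precisely the seven entries that the inside listing shows as nobody/nogroup (syslog, wtmp, auth.log, lastlog, btmp, the directory itself and journal), while `infer_base` recovers 198180864 from the shifted siblings. The script only finds the inconsistently owned files; bringing the tree back to one consistent ownership is what the -U documentation linked above describes.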