access /proc of nspawn container
arnaud gaboury
2017-09-20 11:13:38 UTC
For some reason (custom kernel with user namespace activated) my
container filesystem owners and permissions have lots of errors. In
short, some files/folders belong to nobody/nobody when in fact they
should be owned by root:root.
I can manage to partially fix things from the host, where I can chown
vu-poppy-0:vg-poppy-0 (poppy is obviously the container name) the
files/folders. I can also use the fuidshift command. I say partially as
the owner group will always stay nobody.

But I have a problem when it comes to upgrading (container is Fedora, host
Arch) some packages, filesystem being one of them. To upgrade, the
system needs access to /proc/filesystems, which is unfortunately owned by
nobody:nobody and can't be changed from the host. And the proc folder is
empty for the host, so I can't chown from the host.

How can I access (if I can) container /proc from host?

In general, to solve this annoying owner issue in the container
(nobody:nobody), I was thinking of making root part of the nobody group. I
know this is a hack, but are there any troubles down the road in doing this?

Thank you for help or hints.
Lennart Poettering
2017-09-20 11:30:44 UTC
Post by arnaud gaboury
> For some reason (custom kernel with user namespace activated) my
> container filesystem owners and permissions have lots of errors. In
> short, some files/folders belong to nobody/nobody when in fact they
> should be owned by root:root.
This is the result of user namespacing, and reflects the fact that
these files in /proc are owned by the host's root, which is not
available in the container, and ensures that the container doesn't get
access to files in /proc that are unsafe to access from untrusted
containers. If you invoke nspawn without --private-users= on the
command line you can turn this off, but in that case the user tables
between the host and the container are shared and thus things are a
lot less secure.
Post by arnaud gaboury
> But I have a problem when it comes to upgrading (container is Fedora, host
> Arch) some packages, filesystem being one of them. To upgrade, the
> system needs access to /proc/filesystems, which is unfortunately owned by
> nobody:nobody and can't be changed from the host. And the proc folder is
> empty for the host, so I can't chown from the host.
Hmm, read access should generally be available to
/proc/filesystems. Are you saying that the container can't even read
that file?
Post by arnaud gaboury
> How can I access (if I can) container /proc from host?
> In general, to solve this annoying owner issue in the container
> (nobody:nobody), I was thinking of making root part of the nobody group. I
> know this is a hack, but are there any troubles down the road in doing this?
Let's just say that the user namespacing logic on Linux isn't really
ready for prime time yet... (neither in the Linux kernel nor in nspawn).

Lennart
--
Lennart Poettering, Red Hat
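The mechanism Lennart describes above, as an added example that is not part of this thread and not code from systemd or nspawn: a user namespace maps a range of host uids onto the uids the container sees, and any host-owned id outside that range (host root's uid 0 on the /proc entries, for instance) is rendered as the kernel's overflow id 65534, which is what shows up as nobody:nobody. The uid_map format ("container_base host_base length" per line), the map values and the file list below are constructed for the demo; the script treats the gid map as identical to the uid map for simplicity. It is meant to help reason about which entries a chown from the host side (the vu-poppy-0 style user mentioned earlier) can actually reach, and which ones no mapping covers.

```sh
#!/bin/sh
# Added example; not code from the thread, systemd, or nspawn.
# Models how a user namespace maps host uids into the uids a container
# sees, which is why host-root-owned entries show as nobody:nobody.
# The map below is in the kernel's uid_map format and is constructed.

OVERFLOW_UID=65534   # kernel overflowuid: shown as "nobody" for unmapped ids

# host_to_container MAP HOST_UID
# Prints the uid the container sees for HOST_UID, or 65534 if unmapped.
host_to_container() {
    map=$1; host_uid=$2; result=$OVERFLOW_UID
    while read -r c_base h_base len; do
        [ -z "$c_base" ] && continue
        if [ "$host_uid" -ge "$h_base" ] && [ "$host_uid" -lt $((h_base + len)) ]; then
            result=$((c_base + host_uid - h_base))
        fi
    done <<EOF
$map
EOF
    printf '%s\n' "$result"
}

# container_to_host MAP CONTAINER_UID
# Prints the host uid to chown to from the host side for a container uid,
# or nothing if the container uid lies outside the map.
container_to_host() {
    map=$1; c_uid=$2; result=""
    while read -r c_base h_base len; do
        [ -z "$c_base" ] && continue
        if [ "$c_uid" -ge "$c_base" ] && [ "$c_uid" -lt $((c_base + len)) ]; then
            result=$((h_base + c_uid - c_base))
        fi
    done <<EOF
$map
EOF
    printf '%s\n' "$result"
}

# count_unmapped MAP LIST
# LIST holds constructed "path uid gid" lines as seen from the host.
# Reports each entry the container would show as nobody on stderr and
# prints the count; gids are checked against the same map (simplification).
count_unmapped() {
    map=$1; list=$2; n=0
    while read -r path uid gid; do
        [ -z "$path" ] && continue
        if [ "$(host_to_container "$map" "$uid")" -eq "$OVERFLOW_UID" ] ||
           [ "$(host_to_container "$map" "$gid")" -eq "$OVERFLOW_UID" ]; then
            echo "unmapped in container: $path ($uid:$gid)" >&2
            n=$((n + 1))
        fi
    done <<EOF
$list
EOF
    printf '%s\n' "$n"
}

# Constructed sample: container uids 0..65535 map to host 1000000..1065535,
# and three host-side stat results for a container tree (hypothetical paths).
UID_MAP="0 1000000 65536"
SAMPLE_LIST="/var/lib/machines/poppy/etc/passwd 1000000 1000000
/var/lib/machines/poppy/proc/filesystems 0 0
/var/lib/machines/poppy/usr/bin/foo 1000001 1000000"

echo "container uid 0 is host uid $(container_to_host "$UID_MAP" 0)"
echo "host uid 0 appears in the container as uid $(host_to_container "$UID_MAP" 0)"
echo "entries shown as nobody: $(count_unmapped "$UID_MAP" "$SAMPLE_LIST")"
```

The /proc/filesystems entry is the only one flagged: its host owner 0 is outside the mapped range, so no chown to a mapped user from the host changes what the container sees, whereas the other two entries are reachable through the map and can be fixed host-side by chowning to the mapped ids.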