On 2021-06-11 21:55:59 +0200, Pierre-Elliott Bécue wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian....@packages.debian.org
> Usertags: unblock
> 
> Please unblock package lxc
> 
> LXC 4.0.6-1 suffers from many issues that, in my opinion, require an
> update before the release of Bullseye to make our users more comfortable
> using it.
> 
> 1. Running unprivileged containers until LXC4 was as simple as running
>    the same LXC commands as a non-root user or as root but with
>    containers config mapping subuids/subgids. Since systemd migrated to
>    pure CGroupv2 hierarchy, there is a need for either a systemd
>    service, or a call to systemd-run as a user. This makes the whole
>    less simple to use and understand for a user.
> 
>    I included two scripts to wrap these systemd-run calls and make the
>    whole more usable. I linked their manpages to lxc-start and
>    lxc-attach as the arguments are passed to these commands.
> 2. Consequently, I wrote some more documentation in d/NEWS and
>    d/README.Debian to help our users understand how to work with
>    unprivileged containers as soon as they dist-upgrade.
> 3. Historically, an lxc container had its /proc/sys/net writeable by
>    root when /proc was mounted with the "mixed" option in LXC
>    configuration. Upstream broke that and fixed it recently in a commit
>    on GitHub:
>    https://github.com/lxc/lxc/commit/563ec46266b8967f0ee60e0032bbe66b3b37207c
>    I imported that patch as not having /proc/sys/net writeable will
>    break things for our users.
> 4. In lxc-net configuration, we added a comment to allow users to honor
>    systemd's dnsmasq more easily if needed. As it's a comment, it has
>    no impact.
> 
> Almost all these changes are in the debian/ directory and present no risk
> of LXC malfunctioning at all. There is just the patch mentioned in 3,
> which is imported from upstream, and which changes the code. It has been
> tested upstream and the code alteration is minimal.
> 
> [ Checklist ]
>   [x] all changes are documented in the d/changelog
>   [x] I reviewed all changes and I approve them
>   [x] attach debdiff against the package in testing
> 
> If you need any more intel, please do poke me!
> 
> I have not yet uploaded the changes to unstable, as I prefer waiting for
> your feedback.
ACK, please go ahead and remove the moreinfo tag once the package is available in unstable.

Cheers

> 
> Thanks!
> 
> unblock lxc/1:4.0.6-2
> diff -Nru lxc-4.0.6/debian/changelog lxc-4.0.6/debian/changelog > --- lxc-4.0.6/debian/changelog 2021-01-31 18:29:40.000000000 +0100 > +++ lxc-4.0.6/debian/changelog 2021-06-11 21:43:41.000000000 +0200 > @@ -1,3 +1,18 @@ > +lxc (1:4.0.6-2) unstable; urgency=medium > + > + * d/contrib/lxc-net: Add a commented dnsmasq reference for the users to be > + able to use this configuration if needed. > + * d/contrib/bin/lxc-unpriv-{start,attach} helper scripts to make > + unprivileged containers easier to start manually > + * d/README.Debian: Added some intel about how to handle properly > + unprivileged containers and systemd user sessions, and potential > + filesystem ACL issues/implications > + (Closes: #989317, 987293) > + * d/p/0007: Makes the containers able to have /proc/sys/net rw > + (Closes: #981980) > + > + -- Pierre-Elliott Bécue <p...@debian.org> Fri, 11 Jun 2021 21:43:41 +0200 > + > lxc (1:4.0.6-1) unstable; urgency=medium > > * New upstream version 4.0.6 > diff -Nru lxc-4.0.6/debian/contrib/bin/lxc-unpriv-attach > lxc-4.0.6/debian/contrib/bin/lxc-unpriv-attach > --- lxc-4.0.6/debian/contrib/bin/lxc-unpriv-attach 1970-01-01 > 01:00:00.000000000 +0100 > +++ lxc-4.0.6/debian/contrib/bin/lxc-unpriv-attach 2021-06-11 > 21:25:58.000000000 +0200 
> @@ -0,0 +1,13 @@ > +#!/bin/bash > + > +if ! ps ux|grep "[s]ystemd --user" > /dev/null 2>&1; then > + echo "Can't start an unprivileged container on a pure CGroups v2 host > without a systemd user session running." > + echo "If you are trying to get a non-interactive user to have > unprivileged containers running, you need to" > + echo "enable lingering sessions for that user, via loginctl > enable-linger ${USER} as root." > + exit 1 > +fi > + > +export XDG_RUNTIME_DIR="/run/user/$UID" > +export DBUS_SESSION_BUS_ADDRESS="unix:path=${XDG_RUNTIME_DIR}/bus" > + > +/usr/bin/systemd-run --user --scope -p "Delegate=yes" /usr/bin/lxc-attach > "$@" > diff -Nru lxc-4.0.6/debian/contrib/bin/lxc-unpriv-start > lxc-4.0.6/debian/contrib/bin/lxc-unpriv-start > --- lxc-4.0.6/debian/contrib/bin/lxc-unpriv-start 1970-01-01 > 01:00:00.000000000 +0100 > +++ lxc-4.0.6/debian/contrib/bin/lxc-unpriv-start 2021-06-11 > 21:25:42.000000000 +0200 > @@ -0,0 +1,13 @@ > +#!/bin/bash > + > +if ! ps ux|grep "[s]ystemd --user" > /dev/null 2>&1; then > + echo "Can't start an unprivileged container on a pure CGroups v2 host > without a systemd user session running." > + echo "If you are trying to get a non-interactive user to have > unprivileged containers running, you need to" > + echo "enable lingering sessions for that user, via loginctl > enable-linger ${USER} as root." > + exit 1 > +fi > + > +export XDG_RUNTIME_DIR="/run/user/$UID" > +export DBUS_SESSION_BUS_ADDRESS="unix:path=${XDG_RUNTIME_DIR}/bus" > + > +/usr/bin/systemd-run --user --scope -p "Delegate=yes" /usr/bin/lxc-start "$@" > diff -Nru lxc-4.0.6/debian/contrib/lxc-net lxc-4.0.6/debian/contrib/lxc-net > --- lxc-4.0.6/debian/contrib/lxc-net 2021-01-31 18:29:40.000000000 +0100 > +++ lxc-4.0.6/debian/contrib/lxc-net 2021-06-11 14:45:58.000000000 +0200 
> @@ -1 +1,4 @@ > USE_LXC_BRIDGE="true" > + > +# Honor system's dnsmasq configuration > +#LXC_DHCP_CONFILE=/etc/dnsmasq.conf > diff -Nru lxc-4.0.6/debian/lxc.install lxc-4.0.6/debian/lxc.install > --- lxc-4.0.6/debian/lxc.install 2021-01-31 18:29:40.000000000 +0100 > +++ lxc-4.0.6/debian/lxc.install 2021-06-11 18:09:06.000000000 +0200 > @@ -12,5 +12,7 @@ > usr/share/man > var > > -debian/contrib/default.conf etc/lxc/ > -debian/contrib/lxc-net etc/default/ > +debian/contrib/default.conf etc/lxc/ > +debian/contrib/lxc-net etc/default/ > +debian/contrib/bin/lxc-unpriv-start usr/bin/ > +debian/contrib/bin/lxc-unpriv-attach usr/bin/ > diff -Nru lxc-4.0.6/debian/lxc.links lxc-4.0.6/debian/lxc.links > --- lxc-4.0.6/debian/lxc.links 1970-01-01 01:00:00.000000000 +0100 > +++ lxc-4.0.6/debian/lxc.links 2021-06-11 18:09:06.000000000 +0200 > @@ -0,0 +1,2 @@ > +usr/share/man/man1/lxc-attach.1.gz usr/share/man/man1/lxc-unpriv-attach.1.gz > +usr/share/man/man1/lxc-start.1.gz usr/share/man/man1/lxc-unpriv-start.1.gz > diff -Nru lxc-4.0.6/debian/lxc.postinst lxc-4.0.6/debian/lxc.postinst > --- lxc-4.0.6/debian/lxc.postinst 2021-01-31 18:29:40.000000000 +0100 > +++ lxc-4.0.6/debian/lxc.postinst 2021-06-11 14:45:58.000000000 +0200 > @@ -17,7 +17,7 @@ > if [ -z "$2" ] || dpkg --compare-versions "$2" le > "1:3.1.0+really3.0.3-2"; then > if which apparmor_parser > /dev/null && [ -e > /etc/apparmor.d/lxc-containers ]; then > apparmor_parser -r -W -T /etc/apparmor.d/lxc-containers || \ > - echo "Failed to run 'apparmor_parser -rWT > /etc/apparmor.d/lxc-containers'. You will probably need to runn it by hand at > some point." > + echo "Failed to run 'apparmor_parser -rWT > /etc/apparmor.d/lxc-containers'. You will probably need to run it by hand at > some point." > fi > fi > } > diff -Nru lxc-4.0.6/debian/NEWS lxc-4.0.6/debian/NEWS > --- lxc-4.0.6/debian/NEWS 2021-01-31 18:29:40.000000000 +0100 > +++ lxc-4.0.6/debian/NEWS 2021-06-11 21:43:27.000000000 +0200 
> @@ -1,3 +1,11 @@ > +lxc (1:4.0.6-2) unstable; urgency=medium > + > + * A new way of handling unprivileged containers starting and attachment has > + been made available through the lxc-unpriv-start and lxc-unpriv-attach > + commands. See /usr/share/doc/lxc/README.Debian.gz for more details. > + > + -- Pierre-Elliott Bécue <p...@debian.org> Fri, 11 Jun 2021 15:12:15 +0200 > + > lxc (1:4.0.2-1~1) experimental; urgency=medium > > Major changes in the Debian packaging: > diff -Nru > lxc-4.0.6/debian/patches/0007-conf-fix-containers-retaining-CAP_NET_ADMIN.patch > > lxc-4.0.6/debian/patches/0007-conf-fix-containers-retaining-CAP_NET_ADMIN.patch > --- > lxc-4.0.6/debian/patches/0007-conf-fix-containers-retaining-CAP_NET_ADMIN.patch > 1970-01-01 01:00:00.000000000 +0100 > +++ > lxc-4.0.6/debian/patches/0007-conf-fix-containers-retaining-CAP_NET_ADMIN.patch > 2021-06-11 18:27:18.000000000 +0200 
> @@ -0,0 +1,88 @@ > +From: =?utf-8?q?Pierre-Elliott_B=C3=A9cue?= <p...@debian.org> > +Date: Fri, 11 Jun 2021 18:26:25 +0200 > +Subject: conf: fix containers retaining CAP_NET_ADMIN > + > +Historically, /proc/sys/net is rw when proc:mixed is used as a proc > +mount parameter. This was broken somewhere in lxc 4, and this patch > +fixed it. > +--- > + src/lxc/cgroups/cgfsng.c | 2 +- > + src/lxc/conf.c | 34 +++++++++++++++++----------------- > + src/lxc/conf.h | 4 ++-- > + 3 files changed, 20 insertions(+), 20 deletions(-) > + > +diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c > +index 303c2f6..acc64a7 100644 > +--- a/src/lxc/cgroups/cgfsng.c > ++++ b/src/lxc/cgroups/cgfsng.c > +@@ -1831,7 +1831,7 @@ __cgfsng_ops static bool cgfsng_mount(struct > cgroup_ops *ops, > + } > + > + if (!wants_force_mount) { > +- wants_force_mount = lxc_wants_cap(CAP_SYS_ADMIN, handler->conf); > ++ wants_force_mount = !lxc_wants_cap(CAP_SYS_ADMIN, > handler->conf); > + > + /* > + * Most recent distro versions currently have init system that > +diff --git a/src/lxc/conf.c b/src/lxc/conf.c > +index ae49725..d9217a6 100644 > +--- a/src/lxc/conf.c > ++++ b/src/lxc/conf.c > +@@ -620,24 +620,24 @@ static int lxc_mount_auto_mounts(struct lxc_conf > *conf, int flags, struct lxc_ha > + * it's busy... MS_REMOUNT|MS_BIND|MS_RDONLY seems to work for > + * kernels as low as 2.6.32... 
> + */ > +- { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "proc", > "%r/proc", "proc", > MS_NODEV|MS_NOEXEC|MS_NOSUID, NULL, 0 }, > ++ { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "proc", > "%r/proc", "proc", > MS_NODEV|MS_NOEXEC|MS_NOSUID, NULL, false }, > + /* proc/tty is used as a temporary placeholder for proc/sys/net > which we'll move back in a few steps */ > +- { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/sys/net", > "%r/proc/tty", NULL, MS_BIND, > NULL, 1 }, > +- { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/sys", > "%r/proc/sys", NULL, MS_BIND, > NULL, 0 }, > +- { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, NULL, > "%r/proc/sys", NULL, > MS_REMOUNT|MS_BIND|MS_RDONLY, NULL, 0 }, > +- { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/tty", > "%r/proc/sys/net", NULL, MS_MOVE, > NULL, 1 }, > +- { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, > "%r/proc/sysrq-trigger", "%r/proc/sysrq-trigger", > NULL, MS_BIND, NULL, 0 }, > +- { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, NULL, > "%r/proc/sysrq-trigger", NULL, > MS_REMOUNT|MS_BIND|MS_RDONLY, NULL, 0 }, > +- { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_RW, "proc", > "%r/proc", "proc", > MS_NODEV|MS_NOEXEC|MS_NOSUID, NULL, 0 }, > +- { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_RW, "sysfs", > "%r/sys", "sysfs", 0, > NULL, 0 }, > +- { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_RO, "sysfs", > "%r/sys", "sysfs", > MS_RDONLY, NULL, 0 }, > +- { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "sysfs", > "%r/sys", "sysfs", > MS_NODEV|MS_NOEXEC|MS_NOSUID, NULL, 0 }, > +- { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "%r/sys", > "%r/sys", NULL, MS_BIND, > NULL, 0 }, > +- { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, NULL, > "%r/sys", NULL, > MS_REMOUNT|MS_BIND|MS_RDONLY, NULL, 0 }, > +- { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "sysfs", > "%r/sys/devices/virtual/net", "sysfs", 0, > NULL, 0 }, > +- { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, > "%r/sys/devices/virtual/net/devices/virtual/net", > "%r/sys/devices/virtual/net", NULL, MS_BIND, > NULL, 0 }, > +- { LXC_AUTO_SYS_MASK, 
LXC_AUTO_SYS_MIXED, NULL, > "%r/sys/devices/virtual/net", NULL, > MS_REMOUNT|MS_BIND|MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL, 0 }, > +- { 0, 0, NULL, > NULL, NULL, 0, > NULL, 0 } > ++ { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/sys/net", > "%r/proc/tty", NULL, MS_BIND, > NULL, true }, > ++ { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/sys", > "%r/proc/sys", NULL, MS_BIND, > NULL, false }, > ++ { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, NULL, > "%r/proc/sys", NULL, > MS_REMOUNT|MS_BIND|MS_RDONLY, NULL, false }, > ++ { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/tty", > "%r/proc/sys/net", NULL, MS_MOVE, > NULL, true }, > ++ { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, > "%r/proc/sysrq-trigger", "%r/proc/sysrq-trigger", > NULL, MS_BIND, NULL, false }, > ++ { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, NULL, > "%r/proc/sysrq-trigger", NULL, > MS_REMOUNT|MS_BIND|MS_RDONLY, NULL, false }, > ++ { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_RW, "proc", > "%r/proc", "proc", > MS_NODEV|MS_NOEXEC|MS_NOSUID, NULL, false }, > ++ { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_RW, "sysfs", > "%r/sys", "sysfs", 0, > NULL, false }, > ++ { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_RO, "sysfs", > "%r/sys", "sysfs", > MS_RDONLY, NULL, false }, > ++ { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "sysfs", > "%r/sys", "sysfs", > MS_NODEV|MS_NOEXEC|MS_NOSUID, NULL, false }, > ++ { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "%r/sys", > "%r/sys", NULL, MS_BIND, > NULL, false }, > ++ { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, NULL, > "%r/sys", NULL, > MS_REMOUNT|MS_BIND|MS_RDONLY, NULL, false }, > ++ { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "sysfs", > "%r/sys/devices/virtual/net", "sysfs", 0, > NULL, false }, > ++ { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, > "%r/sys/devices/virtual/net/devices/virtual/net", > "%r/sys/devices/virtual/net", NULL, MS_BIND, > NULL, false }, > ++ { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, NULL, > "%r/sys/devices/virtual/net", NULL, > MS_REMOUNT|MS_BIND|MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL, false }, > ++ 
{ 0, 0, NULL, > NULL, NULL, 0, > NULL, false } > + }; > + > + bool has_cap_net_admin = lxc_wants_cap(CAP_NET_ADMIN, conf); > +diff --git a/src/lxc/conf.h b/src/lxc/conf.h > +index 664533b..28b679f 100644 > +--- a/src/lxc/conf.h > ++++ b/src/lxc/conf.h > +@@ -509,9 +509,9 @@ static inline bool lxc_wants_cap(int cap, struct > lxc_conf *conf) > + return false; > + > + if (!lxc_list_empty(&conf->keepcaps)) > +- return !in_caplist(cap, &conf->keepcaps); > ++ return in_caplist(cap, &conf->keepcaps); > + > +- return in_caplist(cap, &conf->caps); > ++ return !in_caplist(cap, &conf->caps); > + } > + > + __hidden extern int setup_sysctl_parameters(struct lxc_list *sysctls); > diff -Nru lxc-4.0.6/debian/patches/series lxc-4.0.6/debian/patches/series > --- lxc-4.0.6/debian/patches/series 2021-01-31 18:29:40.000000000 +0100 > +++ lxc-4.0.6/debian/patches/series 2021-06-11 18:28:01.000000000 +0200 > @@ -1,3 +1,4 @@ > 0004-apparmor.d-Sets-container-base-accordingly-to-container-base.in.patch > 0005-lxc.service-Starts-after-remote-fs.target.patch > 0006-lxc.pc.in-removes-DLOG_LIBS-which-is-not-expanded-up.patch > +0007-conf-fix-containers-retaining-CAP_NET_ADMIN.patch > diff -Nru lxc-4.0.6/debian/README.Debian lxc-4.0.6/debian/README.Debian > --- lxc-4.0.6/debian/README.Debian 2021-01-31 18:29:40.000000000 +0100 > +++ lxc-4.0.6/debian/README.Debian 2021-06-11 18:38:05.000000000 +0200 
> @@ -61,7 +61,23 @@ > In recent systems, that should already be the case. Otherwise, you can add > those entries with `usermod` options --add-subuids and --add-subgids. > > -3) Networking configuration > +3) Permissions checking > + > +Make sure that for your user, .local/share/lxc will be accessible (eXecutable > +bit on the directories) by the root subuid associated with your user (in the > +example above, it'd be uid 100000. > + > +There are at least two solutions if it's not. The firstone is a chmod a+x on > +the directories. If you chose this one do mind the security implications. In > +particular, it is recommended in that case to set your container's rootfs > with > +mode 770 or 750 so that any external user can't see its content. > + > +An alternative is to use setfacl to just give the access to that uid. As the > +user who will run the unprivileged container, from your home, run > + > +$ setfacl --modify user:100000:x . .local .local/share > + > +4) Networking configuration > > The easiest way to setup networking is to use lxc-net, which is enabled by > default for containers started by root. For non-root unprivileged containers, > @@ -69,7 +85,7 @@ > > # echo myusername veth lxcbr0 10 >> /etc/lxc/lxc-usernet > > -4) Default container configuration > +5) Default container configuration > > Add the following to ~/.config/lxc/default.conf: > > @@ -82,13 +98,13 @@ > The lxc.idmap entries must match the id ranges in /etc/subuid and > /etc/subgid, > as explained in step 2 above. > > -5) Creating containers > +6) Creating containers > > non-root users can only use the `download` template. Example: > > $ lxc-create -t download -n mycontainer -- -d debian -r bullseye -a amd64 > > -6) Starting containers > +7) Starting containers > > Under the unified groups hierarchy (default in systemd starting with Debian > 11/bullseye), a non-root user needs lxc-start to have some additional 
> @@ -99,11 +115,34 @@ > $ systemd-run --scope --quiet --user --property=Delegate=yes \ > lxc-start -n mycontainer > > -7) Managing containers > +or, lastly, you can use the helper script Debian made available: > +lxc-unpriv-start. It'll care about using the systemd-run command properly and > +also to make sure the required environment variables are set properly. > + > +8) Managing containers > > When not logged in on a graphical session, lxc-attach also requires being run > -via systemd-run as lxc-start above. Other common actions, such as lxc-stop > and > -lxc-destroy, can be run directly. > +via systemd-run as lxc-start above. Other common actions, such as > lxc-console, > +lxc-stop and lxc-destroy, can be run directly. > + > +Debian also made available a lxc-unpriv-attach command to ease the use of > +lxc-attach. > + > +9) Avoiding containers destruction by systemd > + > +When exiting a user session (closing ssh or a tty), the remaining processes > +running in background die, including the containers. The solution to avoid > such > +an issue is to either have the unprivileged containers running as a user > +service, or to enable session lingering via loginctl. > + > +As a user, if policykit-1 is installed, it's just a call to `loginctl > +enable-linger` > + > +If policykit-1 can't be installed, then one must be root and do a `sudo > +loginctl enable-linger {username}`. > + > +Containers started via systemd-run won't get killed. > > -- Evgeni Golov <evg...@debian.org> Sat, 16 Jul 2016 11:49:16 +0200 > -- Antonio Terceiro <terce...@debian.org> Sat, 30 Jan 2021 10:02:37 -0300 > + -- Pierre-Elliott Bécue <p...@debian.org> Fri, 11 Jun 2021 15:08:30 +0200 -- Sebastian Ramacher
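Review bot: in the debian/changelog hunk, `(Closes: #989317, 987293)` omits the `#` on the second bug number; dpkg's parser tolerates that, but `(Closes: #989317, #987293)` keeps the entry consistent with the `(Closes: #981980)` line two entries below it.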
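Review bot: in both lxc-unpriv-attach and lxc-unpriv-start the three `echo` diagnostics preceding `exit 1` are written to stdout and should go to stderr (`echo "..." >&2`), and the attach script's message "Can't start an unprivileged container on a pure CGroups v2 host" is copy-pasted from the start script although it wraps lxc-attach. The two files differ only in the final `/usr/bin/lxc-attach` versus `/usr/bin/lxc-start`, so a single script dispatching on its own name would avoid maintaining the session check `if ! ps ux|grep "[s]ystemd --user" > /dev/null 2>&1; then` twice (where `grep -q` would also do), and prefixing the closing systemd-run line with `exec` makes the wrapper's exit status that of the wrapped command.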
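Review bot: the lxc.links hunk makes `man lxc-unpriv-attach` and `man lxc-unpriv-start` show the lxc-attach and lxc-start pages, which cover the forwarded arguments but say nothing about the systemd user session the wrappers require, the XDG_RUNTIME_DIR and DBUS_SESSION_BUS_ADDRESS they export, or the `loginctl enable-linger` step their error message mentions; a short dedicated page, or at least a pointer to README.Debian in the wrappers' error text, would close that gap.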
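Review bot: 0007-conf-fix-containers-retaining-CAP_NET_ADMIN.patch carries only a local `From:`/`Date:`/`Subject:` header, with no DEP-3 `Origin:` naming the upstream commit the unblock request cites (https://github.com/lxc/lxc/commit/563ec46266b8967f0ee60e0032bbe66b3b37207c) and no `Bug-Debian:` for #981980; since this is the one hunk in the debdiff that changes compiled code, adding both lines keeps its provenance traceable for the release team and for whoever rebases the patch later.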
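Review bot: the conf.h hunk inverts the return value of lxc_wants_cap() in both the keepcaps branch (`return in_caplist(cap, &conf->keepcaps);`) and the caps branch (`return !in_caplist(cap, &conf->caps);`), so the meaning at every call site flips; the cgfsng.c hunk compensates with `wants_force_mount = !lxc_wants_cap(CAP_SYS_ADMIN, handler->conf);`, while the conf.c context line `bool has_cap_net_admin = lxc_wants_cap(CAP_NET_ADMIN, conf);` is left unchanged and now relies on the corrected semantics to gate the /proc/sys/net entries marked `true` in the mount table. It would help to state in the debdiff description that these are the only callers in 4.0.6, since a missed one would silently invert a capability-dependent mount decision.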
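Review bot: in the README.Debian hunk, "The firstone is a chmod a+x" should read "The first one", and the parenthesis opened in "(in the example above, it'd be uid 100000." is never closed. In the new section 9, the first paragraph says the remaining background processes, including the containers, die when the session ends, while the closing line "Containers started via systemd-run won't get killed." appears to contradict it; stating the condition under which the last sentence holds (lingering enabled, or a user service) would keep readers from skipping the `loginctl enable-linger` step described just above.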