Quoting S.Çağlar Onur (cag...@10ur.org):
> Hey,
>
> On Tue, May 12, 2015 at 2:43 PM, Stéphane Graber <stgra...@ubuntu.com> wrote:
> > On Tue, May 12, 2015 at 02:27:48PM -0400, S.Çağlar Onur wrote:
> >> Otherwise calling list_defined_containers just after installing LXC ends
> >> up with the following error
> >>
> >> lxc: lxccontainer.c: list_defined_containers: 4310 No such file or
> >> directory - opendir on lxcpath
> >>
> >> $ /home/caglar/go/src/gopkg.in/lxc/go-lxc.v2/examples/list
> >> 2015/05/12 14:23:08 Defined containers:
> >> lxc: lxccontainer.c: list_defined_containers: 4310 No such file or
> >> directory - opendir on lxcpath
> >> 2015/05/12 14:23:08
> >> 2015/05/12 14:23:08 Active containers:
> >> 2015/05/12 14:23:08
> >> 2015/05/12 14:23:08 Active and Defined containers:
> >> $
> >>
> >> Signed-off-by: S.Çağlar Onur <cag...@10ur.org>
> >> ---
> >> src/lxc/lxccontainer.c | 5 +++++
> >> 1 file changed, 5 insertions(+)
> >>
> >> diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
> >> index 8999f44..e8bade3 100644
> >> --- a/src/lxc/lxccontainer.c
> >> +++ b/src/lxc/lxccontainer.c
> >> @@ -3965,6 +3965,11 @@ int list_defined_containers(const char *lxcpath,
> >> char ***names, struct lxc_conta
> >> if (!lxcpath)
> >> lxcpath = lxc_global_config_value("lxc.lxcpath");
> >>
> >> + if (mkdir_p(lxcpath, 0755) < 0) {
> >
> > I'm not yet sure that we really want to do the mkdir, but the dir
> > permission there is wrong, lxcpath should be 700.
> >
> > The reason for this is to avoid security issues where an unprivileged
> > user can traverse through lxcpath and find an old setuid binary with a
> > security issue they can use to gain root.
>
> Hmm I tried 700 first but failed and thought it needs to be 755 cause it tells
> me
>
> Permission denied - could not access /home/caglar/.local/share/lxc.
> Please grant it 'x' access, or add an ACL for the container root.
Yeah no, for unprivileged containers we leave lxcpath 755, and make
$lxcpath/$lxcname be 750, owned by the container root and group-owned by owner.

> Do you see anything weird with the following setup?
>
> caglar@pop:~/go/src/gopkg.in/lxc/go-lxc.v2/examples$ stat /home/caglar/.local/
> File: ‘/home/caglar/.local/’
> Size: 10 Blocks: 0 IO Block: 4096 directory
> Device: 28h/40d Inode: 283 Links: 1
> Access: (0755/drwxr-xr-x) Uid: ( 1000/ caglar) Gid: ( 1000/ caglar)
> Access: 2015-05-12 14:51:28.458063615 -0400
> Modify: 2015-04-23 17:12:43.084709204 -0400
> Change: 2015-05-12 14:51:27.698078130 -0400
> Birth: -
>
> caglar@pop:~/go/src/gopkg.in/lxc/go-lxc.v2/examples$ stat
> /home/caglar/.local/share/
> File: ‘/home/caglar/.local/share/’
> Size: 454 Blocks: 0 IO Block: 4096 directory
> Device: 28h/40d Inode: 284 Links: 1
> Access: (0755/drwxr-xr-x) Uid: ( 1000/ caglar) Gid: ( 1000/ caglar)
> Access: 2015-05-12 14:50:33.931108423 -0400
> Modify: 2015-05-12 14:41:45.317654121 -0400
> Change: 2015-05-12 14:51:28.922054753 -0400
> Birth: -
>
> caglar@pop:~/go/src/gopkg.in/lxc/go-lxc.v2/examples$ stat
> /home/caglar/.local/share/lxc/
> File: ‘/home/caglar/.local/share/lxc/’
> Size: 32 Blocks: 0 IO Block: 4096 directory
> Device: 28h/40d Inode: 4233 Links: 1
> Access: (0700/drwx------) Uid: ( 1000/ caglar) Gid: ( 1000/ caglar)
> Access: 2015-05-12 14:51:07.050473182 -0400
> Modify: 2015-05-12 14:51:05.054511412 -0400
> Change: 2015-05-12 14:51:05.054511412 -0400
> Birth: -
>
> caglar@pop:~/go/src/gopkg.in/lxc/go-lxc.v2/examples$ ./create
> 2015/05/12 14:52:08 Creating container...
>
> caglar@pop:~/go/src/gopkg.in/lxc/go-lxc.v2/examples$ lxc-start -d -n
> rubik --logfile log --logpriority debug
> lxc-start: lxc_start.c: main: 344 The container failed to start.
> lxc-start: lxc_start.c: main: 346 To get more details, run the
> container in foreground mode.
> lxc-start: lxc_start.c: main: 348 Additional information can be
> obtained by setting the --logfile and --logpriority options.
>
> caglar@pop:~/go/src/gopkg.in/lxc/go-lxc.v2/examples$ grep ERROR log
> lxc-start 1431456777.743 ERROR lxc_start -
> start.c:print_top_failing_dir:102 - Permission denied - could not
> access /home/caglar/.local/share/lxc. Please grant it 'x' access, or
> add an ACL for the container root.
> lxc-start 1431456777.743 ERROR lxc_sync -
> sync.c:__sync_wait:51 - invalid sequence number 1. expected 2
> lxc-start 1431456777.787 ERROR lxc_start -
> start.c:__lxc_start:1164 - failed to spawn 'rubik'
> lxc-start 1431456782.794 ERROR lxc_start_ui -
> lxc_start.c:main:344 - The container failed to start.
> lxc-start 1431456782.794 ERROR lxc_start_ui -
> lxc_start.c:main:346 - To get more details, run the container in
> foreground mode.
> lxc-start 1431456782.794 ERROR lxc_start_ui -
> lxc_start.c:main:348 - Additional information can be obtained by
> setting the --logfile and --logpriority options.
> caglar@pop:~/go/src/gopkg.in/lxc/go-lxc.v2/examples$
>
> >> + SYSERROR("failed to create lxcpath directory %s", lxcpath);
> >> + return -1;
> >> + }
> >> +
> >> dir = opendir(lxcpath);
> >> if (!dir) {
> >> SYSERROR("opendir on lxcpath");
> >> --
> >> 2.1.4
> >>
> >> _______________________________________________
> >> lxc-devel mailing list
> >> lxc-devel@lists.linuxcontainers.org
> >> http://lists.linuxcontainers.org/listinfo/lxc-devel
> >
> > --
> > Stéphane Graber
> > Ubuntu developer
> > http://www.ubuntu.com
>
> --
> S.Çağlar Onur <cag...@10ur.org>
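Review bot: the `+ if (mkdir_p(lxcpath, 0755) < 0) {` block makes list_defined_containers, a query, create directories as a side effect, and it pins the mode to 0755 whatever lxcpath the caller passed, which is exactly the 700-vs-755 disagreement in this thread (the privileged default path and an unprivileged ~/.local/share/lxc do not want the same mode). A missing lxcpath already has a natural meaning here, no defined containers, so the smaller change is to leave `dir = opendir(lxcpath);` as it is and, when it fails with errno == ENOENT, return the empty result quietly instead of hitting `SYSERROR("opendir on lxcpath");`, leaving directory creation to the container-creation path where the intended ownership and mode are known.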
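Serge's layout (lxcpath 0755, $lxcpath/$lxcname 0750 owned by the container root) and the "could not access ... Please grant it 'x' access" error from print_top_failing_dir only line up once the path is walked as the mapped container root rather than as caglar. The following is an added example, not LXC's own code: a small C model of that top-down traversal check over a constructed directory layout (the ancestor modes and the 100000 uid/gid mapping for the container root are assumptions) that shows why 0700 on lxcpath fails for the container root and 0755 does not.

```c
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
/* One directory on the way down to $lxcpath/$lxcname: path, mode, owner. */
struct dir_info { const char *path; mode_t mode; uid_t uid; gid_t gid; };

/* Plain POSIX owner/group/other 'x' check for a subject uid/gid. ACLs,
 * supplementary groups and capabilities are deliberately ignored; host
 * uid 0 bypasses DAC, a mapped container root (assumed 100000) does not. */
static int can_traverse(const struct dir_info *d, uid_t uid, gid_t gid)
{
    if (uid == 0)
        return 1;
    if (d->uid == uid)
        return (d->mode & S_IXUSR) != 0;
    if (d->gid == gid)
        return (d->mode & S_IXGRP) != 0;
    return (d->mode & S_IXOTH) != 0;
}

/* Walk top-down; return the index of the first directory the subject cannot
 * pass through (the "top failing dir"), or -1 if every component grants x. */
int top_failing_dir(const struct dir_info *dirs, size_t n, uid_t uid, gid_t gid)
{
    for (size_t i = 0; i < n; i++)
        if (!can_traverse(&dirs[i], uid, gid))
            return (int)i;
    return -1;
}

/* Constructed layout from the thread (ancestor modes assumed): the container
 * directory is 0750, owned by the mapped container root, group-owned by caglar. */
static const struct dir_info layout[] = {
    { "/home",                               0755, 0,      0    },
    { "/home/caglar",                        0755, 1000,   1000 },
    { "/home/caglar/.local",                 0755, 1000,   1000 },
    { "/home/caglar/.local/share",           0755, 1000,   1000 },
    { "/home/caglar/.local/share/lxc",       0700, 1000,   1000 }, /* lxcpath */
    { "/home/caglar/.local/share/lxc/rubik", 0750, 100000, 1000 },
};
#define N_LAYOUT (sizeof(layout) / sizeof(layout[0]))
/* Re-run the walk as the mapped container root (uid/gid 100000) with lxcpath
 * set to the given mode: 0700 fails at index 4 (lxcpath), 0755 returns -1. */
int check_lxcpath_mode(mode_t lxcpath_mode)
{
    struct dir_info dirs[N_LAYOUT];
    memcpy(dirs, layout, sizeof(dirs));
    dirs[4].mode = lxcpath_mode;
    return top_failing_dir(dirs, N_LAYOUT, 100000, 100000);
}
```

The owner caglar (1000/1000) passes the whole chain either way, which is why the 0700 lxcpath looked fine from the shell while lxc-start, running as the container root, stopped at it.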