Hey Serge, On Tue, May 12, 2015 at 6:28 PM, Serge Hallyn <serge.hal...@ubuntu.com> wrote: > Quoting S.Çağlar Onur (cag...@10ur.org): >> Hey, >> >> On Tue, May 12, 2015 at 2:43 PM, Stéphane Graber <stgra...@ubuntu.com> wrote: >> > On Tue, May 12, 2015 at 02:27:48PM -0400, S.Çağlar Onur wrote: >> >> Otherwise calling list_defined_containers just after installing LXC ends >> >> up with the following error >> >> >> >> lxc: lxccontainer.c: list_defined_containers: 4310 No such file or >> >> directory - opendir on lxcpath >> >> >> >> $ /home/caglar/go/src/gopkg.in/lxc/go-lxc.v2/examples/list >> >> 2015/05/12 14:23:08 Defined containers: >> >> lxc: lxccontainer.c: list_defined_containers: 4310 No such file or >> >> directory - opendir on lxcpath >> >> 2015/05/12 14:23:08 >> >> 2015/05/12 14:23:08 Active containers: >> >> 2015/05/12 14:23:08 >> >> 2015/05/12 14:23:08 Active and Defined containers: >> >> $ >> >> >> >> Signed-off-by: S.Çağlar Onur <cag...@10ur.org> >> >> --- >> >> src/lxc/lxccontainer.c | 5 +++++ >> >> 1 file changed, 5 insertions(+) >> >> >> >> diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c >> >> index 8999f44..e8bade3 100644 >> >> --- a/src/lxc/lxccontainer.c >> >> +++ b/src/lxc/lxccontainer.c 
>> >> @@ -3965,6 +3965,11 @@ int list_defined_containers(const char *lxcpath, >> >> char ***names, struct lxc_conta >> >> if (!lxcpath) >> >> lxcpath = lxc_global_config_value("lxc.lxcpath"); >> >> >> >> + if (mkdir_p(lxcpath, 0755) < 0) { >> > >> > I'm not yet sure that we really want to do the mkdir, but the dir >> > permission there is wrong, lxcpath should be 700. >> > >> > The reason for this is to avoid security issues where an unprivileged >> > user can traverse through lxcpath and find an old setuid binary with a >> > security issue they can use to gain root. >> >> Hmm I tried 700 first but failed and thought it needs to be 755 cause it >> tell me >> >> Permission denied - could not access /home/caglar/.local/share/lxc. >> Please grant it 'x' access, or add an ACL for the container root. > > Yeah no, for unprivileged containers we leave lxcpath 755, and > make $lxcpath/$lxcname be 750, owned by the container root and > group-owned by owner.
OK, then unless I'm missing something else this patch is using the correct mode, it's just whether we want mkdir or not?

>> Do you see anything weird with the following setup?
>>
>> caglar@pop:~/go/src/gopkg.in/lxc/go-lxc.v2/examples$ stat /home/caglar/.local/
>> File: ‘/home/caglar/.local/’
>> Size: 10 Blocks: 0 IO Block: 4096 directory
>> Device: 28h/40d Inode: 283 Links: 1
>> Access: (0755/drwxr-xr-x) Uid: ( 1000/ caglar) Gid: ( 1000/ caglar)
>> Access: 2015-05-12 14:51:28.458063615 -0400
>> Modify: 2015-04-23 17:12:43.084709204 -0400
>> Change: 2015-05-12 14:51:27.698078130 -0400
>> Birth: -
>>
>> caglar@pop:~/go/src/gopkg.in/lxc/go-lxc.v2/examples$ stat /home/caglar/.local/share/
>> File: ‘/home/caglar/.local/share/’
>> Size: 454 Blocks: 0 IO Block: 4096 directory
>> Device: 28h/40d Inode: 284 Links: 1
>> Access: (0755/drwxr-xr-x) Uid: ( 1000/ caglar) Gid: ( 1000/ caglar)
>> Access: 2015-05-12 14:50:33.931108423 -0400
>> Modify: 2015-05-12 14:41:45.317654121 -0400
>> Change: 2015-05-12 14:51:28.922054753 -0400
>> Birth: -
>>
>> caglar@pop:~/go/src/gopkg.in/lxc/go-lxc.v2/examples$ stat /home/caglar/.local/share/lxc/
>> File: ‘/home/caglar/.local/share/lxc/’
>> Size: 32 Blocks: 0 IO Block: 4096 directory
>> Device: 28h/40d Inode: 4233 Links: 1
>> Access: (0700/drwx------) Uid: ( 1000/ caglar) Gid: ( 1000/ caglar)
>> Access: 2015-05-12 14:51:07.050473182 -0400
>> Modify: 2015-05-12 14:51:05.054511412 -0400
>> Change: 2015-05-12 14:51:05.054511412 -0400
>> Birth: -
>>
>> caglar@pop:~/go/src/gopkg.in/lxc/go-lxc.v2/examples$ ./create
>> 2015/05/12 14:52:08 Creating container...
>>
>> caglar@pop:~/go/src/gopkg.in/lxc/go-lxc.v2/examples$ lxc-start -d -n rubik --logfile log --logpriority debug
>> lxc-start: lxc_start.c: main: 344 The container failed to start.
>> lxc-start: lxc_start.c: main: 346 To get more details, run the container in foreground mode.
>> lxc-start: lxc_start.c: main: 348 Additional information can be obtained by setting the --logfile and --logpriority options.
>>
>> caglar@pop:~/go/src/gopkg.in/lxc/go-lxc.v2/examples$ grep ERROR log
>> lxc-start 1431456777.743 ERROR lxc_start - start.c:print_top_failing_dir:102 - Permission denied - could not access /home/caglar/.local/share/lxc. Please grant it 'x' access, or add an ACL for the container root.
>> lxc-start 1431456777.743 ERROR lxc_sync - sync.c:__sync_wait:51 - invalid sequence number 1. expected 2
>> lxc-start 1431456777.787 ERROR lxc_start - start.c:__lxc_start:1164 - failed to spawn 'rubik'
>> lxc-start 1431456782.794 ERROR lxc_start_ui - lxc_start.c:main:344 - The container failed to start.
>> lxc-start 1431456782.794 ERROR lxc_start_ui - lxc_start.c:main:346 - To get more details, run the container in foreground mode.
>> lxc-start 1431456782.794 ERROR lxc_start_ui - lxc_start.c:main:348 - Additional information can be obtained by setting the --logfile and --logpriority options.
>> caglar@pop:~/go/src/gopkg.in/lxc/go-lxc.v2/examples$ >> >> >> + SYSERROR("failed to create lxcpath directory %s", lxcpath); >> >> + return -1; >> >> + } >> >> + >> >> dir = opendir(lxcpath); >> >> if (!dir) { >> >> SYSERROR("opendir on lxcpath"); >> >> -- >> >> 2.1.4 >> >> >> >> _______________________________________________ >> >> lxc-devel mailing list >> >> lxc-devel@lists.linuxcontainers.org >> >> http://lists.linuxcontainers.org/listinfo/lxc-devel >> > >> > -- >> > Stéphane Graber >> > Ubuntu developer >> > http://www.ubuntu.com >> > >> > _______________________________________________ >> > lxc-devel mailing list >> > lxc-devel@lists.linuxcontainers.org >> > http://lists.linuxcontainers.org/listinfo/lxc-devel >> > >> >> >> >> -- >> S.Çağlar Onur <cag...@10ur.org> >> _______________________________________________ >> lxc-devel mailing list >> lxc-devel@lists.linuxcontainers.org >> http://lists.linuxcontainers.org/listinfo/lxc-devel > _______________________________________________ > lxc-devel mailing list > lxc-devel@lists.linuxcontainers.org > http://lists.linuxcontainers.org/listinfo/lxc-devel -- S.Çağlar Onur <cag...@10ur.org> _______________________________________________ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
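Review bot: a read-only query such as list_defined_containers should not create directories as a side effect; the `+ if (mkdir_p(lxcpath, 0755) < 0) {` hunk turns every listing call into a filesystem write, and since mkdir_p (as its name suggests) also creates missing parents, a mistyped lxc.lxcpath would be silently materialised as a whole tree at mode 0755, which is exactly the mode question Stéphane raised. The fresh-install error quoted in the description is handled more simply by treating a missing lxcpath as "no containers": after `dir = opendir(lxcpath);`, return 0 when `errno == ENOENT` and keep the existing `SYSERROR("opendir on lxcpath");` only for other failures. If creating lxcpath is wanted at all, it belongs in the container-creation path, where the mode policy Serge describes (755 for the unprivileged lxcpath, $lxcpath/$lxcname at 750) can be applied deliberately, rather than in the listing function.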
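Stéphane's question whether the mkdir is wanted at all points to the alternative of treating a missing lxcpath as an empty list. The following is an added C illustration of that approach, not LXC's own code; count_defined_dirs, demo_count_in_fixture and the temporary fixture directory are assumptions made for the demo.

```c
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Count the subdirectories of lxcpath (candidate container directories).
 * Returns the count, 0 when lxcpath does not exist yet (fresh install), and
 * -1 for any other opendir() failure. Nothing is created, so the query has
 * no filesystem side effect and no directory mode has to be chosen here. */
int count_defined_dirs(const char *lxcpath)
{
    DIR *dir = opendir(lxcpath);
    if (!dir)
        return errno == ENOENT ? 0 : -1;
    int count = 0; struct dirent *de;
    struct stat st; char path[PATH_MAX];
    while ((de = readdir(dir)) != NULL) {
        if (de->d_name[0] == '.')          /* skip ".", ".." and dotfiles */
            continue;
        snprintf(path, sizeof(path), "%s/%s", lxcpath, de->d_name);
        if (stat(path, &st) == 0 && S_ISDIR(st.st_mode))
            count++;
    }
    closedir(dir);
    return count;
}

/* Constructed fixture (demo assumption): a temporary lxcpath holding two
 * container directories and one stray file, so the expected count is 2.
 * The fixture is removed again before returning. */
int demo_count_in_fixture(void)
{
    char base[] = "/tmp/lxcpath-demo-XXXXXX";
    char rubik[PATH_MAX], other[PATH_MAX], stray[PATH_MAX];
    if (!mkdtemp(base))
        return -1;
    snprintf(rubik, sizeof(rubik), "%s/rubik", base);
    snprintf(other, sizeof(other), "%s/other", base);
    snprintf(stray, sizeof(stray), "%s/notes.txt", base);
    mkdir(rubik, 0750); mkdir(other, 0750);   /* $lxcpath/$name is 750 */
    FILE *f = fopen(stray, "w");
    if (f) fclose(f);
    int n = count_defined_dirs(base);
    unlink(stray); rmdir(rubik); rmdir(other); rmdir(base);
    return n;
}
```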