Re: [libvirt] [PATCH RFC] LXC: don't RO mount /proc, /sys when user namespce enabled

2015-01-05 Thread Chen, Hanxiao


 -Original Message-
 From: libvir-list-boun...@redhat.com [mailto:libvir-list-boun...@redhat.com] 
 On
 Behalf Of Chen Hanxiao
 Sent: Monday, December 22, 2014 11:57 AM
 To: libvir-list@redhat.com
 Subject: [libvirt] [PATCH RFC] LXC: don't RO mount /proc, /sys when user 
 namespce
 enabled
 
 If we enabled user ns and provided a uid/gid map,
 we do not need to mount /proc, /sys as readonly.
 Leave it to kernel for protection.
 
 Signed-off-by: Chen Hanxiao chenhanx...@cn.fujitsu.com
 ---

ping

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list


Re: [libvirt] [PATCH RFC] LXC: don't RO mount /proc, /sys when user namespce enabled

2014-12-24 Thread Richard Weinberger
On 24.12.2014 at 03:23, Chen, Hanxiao wrote:
 
 
 -Original Message-
 From: Richard Weinberger [mailto:richard.weinber...@gmail.com]
 Sent: Wednesday, December 24, 2014 5:36 AM
 To: Eric Blake
 Cc: Chen, Hanxiao/陈 晗霄; libvir-list@redhat.com
 Subject: Re: [libvirt] [PATCH RFC] LXC: don't RO mount /proc, /sys when user
 namespce enabled

 On Mon, Dec 22, 2014 at 4:12 PM, Eric Blake ebl...@redhat.com wrote:
 On 12/21/2014 08:57 PM, Chen Hanxiao wrote:

 s/namespce/namespace/ in the subject line

 If we enabled user ns and provided a uid/gid map,
 we do not need to mount /proc, /sys as readonly.
 Leave it to kernel for protection.

 Signed-off-by: Chen Hanxiao chenhanx...@cn.fujitsu.com
 ---
  src/lxc/lxc_container.c | 6 ++
  1 file changed, 6 insertions(+)

 I'll leave the actual patch review to someone more familiar with LXC
 namespace setups

 This change will still mount some useless stuff like:
 { "/.oldroot/proc/sys/net/ipv4", "/proc/sys/net/ipv4", NULL,
 MS_BIND, false, false, true },
 { "/.oldroot/proc/sys/net/ipv6", "/proc/sys/net/ipv6", NULL,
 MS_BIND, false, false, true },

 You can set skipUserNS for these.
 
 Thanks, I didn't notice that.
 

 But I *really* would like to see /proc and /sys mounted RW as default.
 Please see my comment to:
 [libvirt] [PATCHv3] lxc: give RW access to /proc/sys/net/ipv[46] to 
 containers
 
 I see your new comments in that thread.
 If libvirt enables userns (provided a uid/gid map in XML),
 it's safe to drop the RO mount completely;
 If not, I'm not sure whether it will bring back compatibility issues.
 
 So let's wait for more comments from maintainers.

I agree.

Thanks,
//richard


Re: [libvirt] [PATCH RFC] LXC: don't RO mount /proc, /sys when user namespce enabled

2014-12-23 Thread Richard Weinberger
On Mon, Dec 22, 2014 at 4:12 PM, Eric Blake ebl...@redhat.com wrote:
 On 12/21/2014 08:57 PM, Chen Hanxiao wrote:

 s/namespce/namespace/ in the subject line

 If we enabled user ns and provided a uid/gid map,
 we do not need to mount /proc, /sys as readonly.
 Leave it to kernel for protection.

 Signed-off-by: Chen Hanxiao chenhanx...@cn.fujitsu.com
 ---
  src/lxc/lxc_container.c | 6 ++
  1 file changed, 6 insertions(+)

 I'll leave the actual patch review to someone more familiar with LXC
 namespace setups

This change will still mount some useless stuff like:
{ "/.oldroot/proc/sys/net/ipv4", "/proc/sys/net/ipv4", NULL,
MS_BIND, false, false, true },
{ "/.oldroot/proc/sys/net/ipv6", "/proc/sys/net/ipv6", NULL,
MS_BIND, false, false, true },

You can set skipUserNS for these.

But I *really* would like to see /proc and /sys mounted RW as default.
Please see my comment to:
[libvirt] [PATCHv3] lxc: give RW access to /proc/sys/net/ipv[46] to containers

-- 
Thanks,
//richard



Re: [libvirt] [PATCH RFC] LXC: don't RO mount /proc, /sys when user namespce enabled

2014-12-23 Thread Chen, Hanxiao


 -Original Message-
 From: Richard Weinberger [mailto:richard.weinber...@gmail.com]
 Sent: Wednesday, December 24, 2014 5:36 AM
 To: Eric Blake
 Cc: Chen, Hanxiao/陈 晗霄; libvir-list@redhat.com
 Subject: Re: [libvirt] [PATCH RFC] LXC: don't RO mount /proc, /sys when user
 namespce enabled
 
 On Mon, Dec 22, 2014 at 4:12 PM, Eric Blake ebl...@redhat.com wrote:
  On 12/21/2014 08:57 PM, Chen Hanxiao wrote:
 
  s/namespce/namespace/ in the subject line
 
  If we enabled user ns and provided a uid/gid map,
  we do not need to mount /proc, /sys as readonly.
  Leave it to kernel for protection.
 
  Signed-off-by: Chen Hanxiao chenhanx...@cn.fujitsu.com
  ---
   src/lxc/lxc_container.c | 6 ++
   1 file changed, 6 insertions(+)
 
  I'll leave the actual patch review to someone more familiar with LXC
  namespace setups
 
 This change will still mount some useless stuff like:
 { "/.oldroot/proc/sys/net/ipv4", "/proc/sys/net/ipv4", NULL,
 MS_BIND, false, false, true },
 { "/.oldroot/proc/sys/net/ipv6", "/proc/sys/net/ipv6", NULL,
 MS_BIND, false, false, true },
 
 You can set skipUserNS for these.

Thanks, I didn't notice that.

 
 But I *really* would like to see /proc and /sys mounted RW as default.
 Please see my comment to:
 [libvirt] [PATCHv3] lxc: give RW access to /proc/sys/net/ipv[46] to containers

I see your new comments in that thread.
If libvirt enables userns (provided a uid/gid map in XML),
it's safe to drop the RO mount completely;
If not, I'm not sure whether it will bring back compatibility issues.

So let's wait for more comments from maintainers.

Regards,
- Chen
 
 --
 Thanks,
 //richard


Re: [libvirt] [PATCH RFC] LXC: don't RO mount /proc, /sys when user namespce enabled

2014-12-22 Thread Eric Blake
On 12/21/2014 08:57 PM, Chen Hanxiao wrote:

s/namespce/namespace/ in the subject line

 If we enabled user ns and provided a uid/gid map,
 we do not need to mount /proc, /sys as readonly.
 Leave it to kernel for protection.
 
 Signed-off-by: Chen Hanxiao chenhanx...@cn.fujitsu.com
 ---
  src/lxc/lxc_container.c | 6 ++
  1 file changed, 6 insertions(+)

I'll leave the actual patch review to someone more familiar with LXC
namespace setups


-- 
Eric Blake   eblake redhat com   +1-919-301-3266
Libvirt virtualization library http://libvirt.org




[libvirt] [PATCH RFC] LXC: don't RO mount /proc, /sys when user namespce enabled

2014-12-21 Thread Chen Hanxiao
If we enabled user ns and provided a uid/gid map,
we do not need to mount /proc, /sys as readonly.
Leave it to kernel for protection.

Signed-off-by: Chen Hanxiao chenhanx...@cn.fujitsu.com
---
 src/lxc/lxc_container.c | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index 1b9e2f2..3b5845a 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -983,6 +983,12 @@ static int lxcContainerMountBasicFS(bool userns_enabled,
 goto cleanup;
 }
 
+/* don't readonly mount when userns is enabled */
+if (userns_enabled) {
+VIR_FREE(mnt_src);
+continue;
+}
+
 if (bindOverReadonly 
 mount(mnt_src, mnt-dst, NULL,
   MS_BIND|MS_REMOUNT|MS_RDONLY, NULL)  0) {
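Review bot: the unconditional `continue` added before the read-only remount drops that remount for every table entry the loop reaches once `userns_enabled` is true, not only for /proc and /sys as the commit message says, and it duplicates the `VIR_FREE(mnt_src)` that the normal end of the iteration already performs. Folding the condition into the existing test keeps a single cleanup path and makes the intent visible at the point of the remount:

    if (!userns_enabled && bindOverReadonly &&
        mount(mnt_src, mnt->dst, NULL,
              MS_BIND|MS_REMOUNT|MS_RDONLY, NULL) < 0) {

The comment "don't readonly mount when userns is enabled" should also state which kernel check is being relied on, since "Leave it to kernel for protection" in the commit message is the only justification given; and as the review upthread notes, the table already carries a per-entry `skipUserNS` flag, so a blanket skip here is coarser than the mechanism the table provides.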
-- 
1.9.3

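The three read-only policies argued over in this thread (remount /proc and /sys read-only unconditionally, the patch's behaviour of dropping the read-only remount when a uid/gid map is configured, and Richard's request for read-write by default), as an added dry-run planner that is not libvirt code. It assumes the struct layout { src, dst, type, mflags, skipUserNS, skipUnmounted, skipNoNetns } inferred from the initialiser quoted in the thread, uses a constructed table modelled on those entries, and the names plan_mounts, plan_one and count_action are hypothetical; nothing here calls mount(2).

```c
/* Added example, not libvirt code: plan which basic mounts a container
 * would get under each read-only policy, without touching the host. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/mount.h>

/* Fallbacks for platforms whose <sys/mount.h> lacks the Linux MS_* names
 * (values are Linux's); on Linux the header defines them. */
#ifndef MS_RDONLY
#define MS_RDONLY 1UL
#endif
#ifndef MS_NOSUID
#define MS_NOSUID 2UL
#endif
#ifndef MS_NODEV
#define MS_NODEV 4UL
#endif
#ifndef MS_NOEXEC
#define MS_NOEXEC 8UL
#endif
#ifndef MS_BIND
#define MS_BIND 4096UL
#endif

/* Assumed layout, inferred from the initialiser quoted in the thread. */
typedef struct {
    const char *src, *dst, *type;  /* type is NULL for bind mounts */
    unsigned long mflags;
    bool skipUserNS;    /* omit entirely when a uid/gid map is in use */
    bool skipUnmounted; /* omit when the host has nothing mounted at src */
    bool skipNoNetns;   /* omit when the container shares the host netns */
} basic_mount;

/* Constructed table; the ipv4/ipv6 binds carry skipUserNS as Richard suggested. */
static const basic_mount table[] = {
    { "proc", "/proc", "proc", MS_NOSUID|MS_NOEXEC|MS_NODEV, false, false, false },
    { "/proc/sys", "/proc/sys", NULL, MS_BIND|MS_RDONLY, false, false, false },
    { "/.oldroot/proc/sys/net/ipv4", "/proc/sys/net/ipv4", NULL, MS_BIND, true, false, true },
    { "/.oldroot/proc/sys/net/ipv6", "/proc/sys/net/ipv6", NULL, MS_BIND, true, false, true },
    { "sysfs", "/sys", "sysfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, false, false, false },
};
#define TABLE_LEN (sizeof(table) / sizeof(table[0]))

typedef enum { RO_ALWAYS, RO_UNLESS_USERNS, RW_ALWAYS } ro_policy;
typedef enum { ACT_SKIP, ACT_MOUNT_RW, ACT_MOUNT_RO } action;
typedef struct { const char *dst; action act; } plan_entry;

/* Decide what one table entry turns into.  The first mount is always made
 * without MS_RDONLY; "read-only" is a second MS_BIND|MS_REMOUNT|MS_RDONLY
 * pass, and the policy decides whether that pass happens. */
static action plan_one(const basic_mount *m, bool userns, bool netns_disabled,
                       ro_policy pol)
{
    if (userns && m->skipUserNS)
        return ACT_SKIP;
    if (netns_disabled && m->skipNoNetns)
        return ACT_SKIP;
    if (!(m->mflags & MS_RDONLY))
        return ACT_MOUNT_RW;
    switch (pol) {
    case RO_ALWAYS:        return ACT_MOUNT_RO;
    case RO_UNLESS_USERNS: return userns ? ACT_MOUNT_RW : ACT_MOUNT_RO;
    case RW_ALWAYS:        return ACT_MOUNT_RW;
    }
    return ACT_MOUNT_RO;
}

/* Fill out[] (capacity n) with the plan; returns the number of entries. */
static size_t plan_mounts(bool userns, bool netns_disabled, ro_policy pol,
                          plan_entry *out, size_t n)
{
    size_t count = 0;
    for (size_t i = 0; i < TABLE_LEN && count < n; i++, count++) {
        out[count].dst = table[i].dst;
        out[count].act = plan_one(&table[i], userns, netns_disabled, pol);
    }
    return count;
}

static size_t count_action(const plan_entry *p, size_t n, action a)
{
    size_t c = 0;
    for (size_t i = 0; i < n; i++)
        if (p[i].act == a)
            c++;
    return c;
}

static const char *action_name(action a)
{
    return a == ACT_SKIP ? "skip" : a == ACT_MOUNT_RW ? "mount rw" : "mount, remount ro";
}

int main(void)
{
    static const char *pol_name[] = { "RO_ALWAYS", "RO_UNLESS_USERNS", "RW_ALWAYS" };
    plan_entry plan[TABLE_LEN];
    for (int pol = RO_ALWAYS; pol <= RW_ALWAYS; pol++) {
        for (int userns = 0; userns < 2; userns++) {
            size_t n = plan_mounts(userns, false, (ro_policy)pol, plan, TABLE_LEN);
            printf("%s userns=%d\n", pol_name[pol], userns);
            for (size_t i = 0; i < n; i++)
                printf("  %-20s %s\n", plan[i].dst, action_name(plan[i].act));
        }
    }
    return 0;
}
```

Running it prints the per-entry plan for each policy with and without a uid/gid map. Two things are worth checking in the output: the entries flagged skipUserNS (the ipv4/ipv6 bind mounts Richard pointed at) disappear entirely once a user namespace is in use, and under RO_UNLESS_USERNS a container without a uid/gid map still gets /proc/sys and /sys remounted read-only, which is the compatibility case Chen wanted to keep unchanged.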