Re: [lxc-devel] Containers on linux-4.8-rc1 sometimes(?) requiring "cgmanager -m name=systemd" (bisected, but is it a bug?)

"Serge E. Hallyn" writes: > Quoting Eric W. Biederman (ebied...@xmission.com): >> Adam Richter writes: >> >> > On Linux 4.8-rc1 through 4-8-rc6 (latest rc), lxc fails start to >> > Ubuntu 16.04 and Centos 7 containers [1], unless I first run >

Re: [lxc-devel] [PATCH RFC] Introduce new security.nscapability xattr

"Serge E. Hallyn" writes: > A common way for daemons to run with minimal privilege is to start as root, > perhaps setuid-root, choose a desired capability set, set PR_SET_KEEPCAPS, > then change uid to non-root. A simpler way to achieve this is to set file > capabilities on a not-setuid-root bin

Re: [lxc-devel] CGroup Namespaces (v4)

"Serge E. Hallyn" writes: > On Mon, Nov 16, 2015 at 04:24:27PM -0600, Eric W. Biederman wrote: >> Similary have you considered what it required to be able to safely set >> FS_USERNS_MOUNT? > > I pushed the one patch which I feel is needed to my branch (it

Re: [lxc-devel] CGroup Namespaces (v4)

"Serge E. Hallyn" writes: > On Mon, Nov 16, 2015 at 09:50:55PM +0100, Richard Weinberger wrote: >> Am 16.11.2015 um 21:46 schrieb Serge E. Hallyn: >> > On Mon, Nov 16, 2015 at 09:41:15PM +0100, Richard Weinberger wrote: >> >> Serge, >> >> >> >> On Mon, Nov 16, 2015 at 8:51 PM, wrote: >> >>> To

Re: [lxc-devel] Working with glibc (PID/TID caches).

"Carlos O'Donell" writes: > On 08/06/2014 05:46 PM, Serge Hallyn wrote: >> Quoting Eric W. Biederman (ebied...@xmission.com): >>> Serge Hallyn writes: > > Reviving this super-old discussion because it went in a direction > that I didn't

Re: [lxc-devel] Working with glibc (PID/TID caches).

"Carlos O'Donell" writes: > On 05/16/2015 01:03 AM, Eric W. Biederman wrote: >>> Such reasons would help inform a new API design. >> >> So we could specify flags that create namespaces aka: CLONE_NEWNS, >> CLONE_NEWUTS, CLONE_NEWIPC, CLONE_NEWU

Re: [lxc-devel] [PATCH 1/1] pivot_root: switch to a new mechanism (v2)

Andy Lutomirski writes: > On Mon, Sep 29, 2014 at 4:22 PM, Eric W. Biederman > wrote: >> Andy Lutomirski writes: >> >>> To me, this smells like MNT_DETACH does something awful when there are >>> mounts under the detached mount. >>> >>> F

Re: [lxc-devel] [PATCH 1/1] pivot_root: switch to a new mechanism (v2)

Andy Lutomirski writes: > To me, this smells like MNT_DETACH does something awful when there are > mounts under the detached mount. > > For example: > > mount --rbind / /mnt > umount -l /mnt > > does *not* end well on my system. I find it hard to believe that this > behavior is intentional. Hmm

Re: [lxc-devel] [PATCH 1/1] pivot_root: switch to a new mechanism (v2)

Andy Lutomirski writes: > On Mon, Sep 29, 2014 at 3:46 PM, Serge Hallyn wrote: >> Quoting Andy Lutomirski (l...@amacapital.net): >>> On Mon, Sep 29, 2014 at 2:46 PM, Serge Hallyn >>> wrote: >>> I'm not sure that "/" is well-defined. You have oldroot mounted on >> >> Whoa. Seems you're right.

Re: [lxc-devel] Using devices in Containers

riya khanna writes: > What kind of existing multiplexers could be used? Is there one for fb? We have > evdev abstractions for input in place already. We have X and Wayland/Weston and pulse audio and doubtless more that I am not aware of. For video a lot of working is going into compositing and

Re: [lxc-devel] Using devices in Containers

riya khanna writes: > Is there a plan or work-in-progress to add namespace tags to other > classes in sysfs similar to net? Does it make sense to add namespace > tags to kobjects? Currently the a general nack from gregkh on such work. Given that sysfs is almost never a fast path I suspect it ma

Re: [lxc-devel] Using devices in Containers

Riya Khanna writes: > On Sep 24, 2014, at 12:43 PM, Eric W. Biederman wrote: > >> Serge Hallyn writes: >> >>> Isolation is provided by the devices cgroup. You want something more >>> than isolation. >>> >>> Quoting riya khanna (riyakha

[lxc-devel] Using devices in Containers (was: device namespaces)

Serge Hallyn writes: > Isolation is provided by the devices cgroup. You want something more > than isolation. > > Quoting riya khanna (riyakhanna1...@gmail.com): >> My use case for having device namespaces is device isolation. Isn't what >> namespaces are there for (as I understand)? Namespaces

Re: [lxc-devel] device namespaces

riya khanna writes: > (Please pardon multiple emails, artifact of merging all separate > conversations) > > Thanks for your feedback! > > Letting the kernel know about what devices a container could access (based on > device cgroups) and having devtmpfs in the kernel create device nodes for a >

Re: [lxc-devel] Working with glibc (PID/TID caches).

Serge Hallyn writes: > Quoting Eric W. Biederman (ebied...@xmission.com): >> It would be nice if at least malloc and C++ new were safe (and >> documented as safe) after fork in a pthread environment. That would go >> a long ways to allowing running interesting set up code

Re: [lxc-devel] Working with glibc (PID/TID caches).

While talking about pain points there is a very large one. In short pthreads break fork(). At least according to the open group after fork (when more than one pthread is active) and by extension clone(CLONE_NEW...) it is only safe to call async-signal-safe functions. The rationale being that so

Re: [lxc-devel] Working with glibc (PID/TID caches).

Serge Hallyn writes: > Quoting Eric W. Biederman (ebied...@xmission.com): >> Serge Hallyn writes: >> >> > Quoting Eric W. Biederman (ebied...@xmission.com): >> >> >> >> Serge Hallyn writes: >> >> > Quoting Carlos O'Donell (

Re: [lxc-devel] Working with glibc (PID/TID caches).

Serge Hallyn writes: > Quoting Eric W. Biederman (ebied...@xmission.com): >> >> Serge Hallyn writes: >> > Quoting Carlos O'Donell (car...@redhat.com): >> >> There was a complaint a while back from someone working >> >> on containers about

Re: [lxc-devel] Working with glibc (PID/TID caches).

Serge Hallyn writes: > Quoting Carlos O'Donell (car...@redhat.com): >> There was a complaint a while back from someone working >> on containers about glibc PID caching. I recently received >> another request to provide userspace with a way to reset >> any PID or TID caches to make clone-based san

Re: [lxc-devel] [PATCH 3/3] fuse: Allow mounts from user namespaces

Seth Forshee writes: > On Mon, Jul 21, 2014 at 03:09:14PM +0200, Miklos Szeredi wrote: >> On Mon, Jul 21, 2014 at 2:47 PM, Seth Forshee >> wrote: >> > On Fri, Jul 18, 2014 at 05:33:23PM +0200, Miklos Szeredi wrote: >> >> On Mon, Jul 14, 2014 at 9:18 PM, Seth Forshee >> >> wrote: >> >> > Update

Re: [lxc-devel] [RFC] Per-user namespace process accounting

James Bottomley writes: > On Tue, 2014-06-03 at 10:54 -0700, Eric W. Biederman wrote: >> >> 90% of that work is already done. >> >> As long as we don't plan to support XFS (as it XFS likes to expose it's >> implementation details to userspace) it s

Re: [lxc-devel] [RFC] Per-user namespace process accounting

-- >>>>> Hash: SHA1 >>>>> >>>>> On 05/29/2014 01:06 PM, Eric W. Biederman wrote: >>>>>> Marian Marinov writes: >>>>>> >>>>>>> Hello, >>>>>>> >>>>>>> I have

Re: [lxc-devel] [RFC] Per-user namespace process accounting

Serge Hallyn writes: > Quoting Pavel Emelyanov (xe...@parallels.com): >> On 05/29/2014 07:32 PM, Serge Hallyn wrote: >> > Quoting Marian Marinov (m...@1h.com): >> >> We are not using NFS. We are using a shared block storage that offers us >> >> snapshots. So provisioning new containers is >> >>

Re: [lxc-devel] [RFC] Per-user namespace process accounting

Marian Marinov writes: > Hello, > > I have the following proposition. > > Number of currently running processes is accounted at the root user > namespace. The problem I'm facing is that multiple > containers in different user namespaces share the process counters. That is deliberate. > So if c

Re: [lxc-devel] [RFC PATCH 00/11] Add support for devtmpfs in user namespaces

"Serge E. Hallyn" writes: >> I was aware of FUSE but hadn't ever looked at it much. Looking at it >> now, this isn't going to satisfy any of the use cases I know about, >> which are wanting to use filesystems supported in-kernel (isofs, ext*). >> I don't see that any of these have a FUSE implement

Re: [lxc-devel] [RFC PATCH 00/11] Add support for devtmpfs in user namespaces

Serge Hallyn writes: > Quoting Eric W. Biederman (ebied...@xmission.com): >> >> >> >> Ultimately the technical challenge is how do we create a block device >> >> that is safe for a user who does not have any capabilities to use, and >> >> what

Re: [lxc-devel] [RFC PATCH 00/11] Add support for devtmpfs in user namespaces

>> Ultimately the technical challenge is how do we create a block device >> that is safe for a user who does not have any capabilities to use, and >> what can we do with that block device to make it useful. > > Yes, and I'd like to get started solving those challenges. But I also > don't think we

Re: [lxc-devel] [RFC PATCH 00/11] Add support for devtmpfs in user namespaces

Seth Forshee writes: > What I set out for was feature parity between loop devices in a secure > container and loop devices on the host. Since some operations currently > check for system-wide CAP_SYS_ADMIN, the only way I see to accomplish > this is to push knowledge of the user namespace farther

Re: [lxc-devel] [RFC PATCH 00/11] Add support for devtmpfs in user namespaces

Greg Kroah-Hartman writes: > On Fri, May 16, 2014 at 01:49:59AM +, Serge Hallyn wrote: >> > I think having to pick and choose what device nodes you want in a >> > container is a good thing. Becides, you would have to do the same thing >> > in the kernel anyway, what's wrong with userspace ma

Re: [lxc-devel] capset fails with userns

Serge Hallyn writes: > Quoting Stephan Sachse (ste.sac...@gmail.com): >> w/ userns: >> [root@fedora2 ~]# setcap 'cap_net_admin,cap_net_raw+ep' /usr/bin/ping >> Failed to set capabilities on file `/usr/bin/ping' (Operation not permitted) >> [root@fedora2 ~]# id >> uid=0(root) gid=0(root) groups=0(

Re: [lxc-devel] Unprivileged setns

Stéphane Graber writes: > The problem obviously comes from those two error messages which say that > setns back to the original namespace failed. > > I can't think of a nice way around this particular limitation nor am I > convinced that there is any safe way to fix that at the kernel level. > (C