lxc-info, lxc-stop and lxc-list don't work for non-root users

Bug #1090462 reported by Gleb Peregud
This bug affects 1 person
Affects: lxc (Ubuntu); Status: Won't Fix; Importance: Undecided; Assigned to: Unassigned; Milestone: (none)

Bug Description

Hello

After running both "sudo lxc-setuid" and "sudo lxc-setcap", both lxc-info and lxc-stop still don't work. Here's an example:

gleber@first:/etc/apt/sources.list.d$ lxc-start-ephemeral -d -o ci1
Setting up ephemeral container...
Starting up the container...
ci1-temp-RTqI6s8 is running
You connect with the command:
sudo lxc-console -n ci1-temp-RTqI6s8

gleber@first:/etc/apt/sources.list.d$ lxc-info -n ci1-temp-RTqI6s8
lxc-info: failed to get state for 'ci1-temp-RTqI6s8': Permission denied
gleber@first:/etc/apt/sources.list.d$ lxc-stop -n ci1-temp-RTqI6s8
lxc-stop: failed to stop 'ci1-temp-RTqI6s8': Permission denied

I've tried extending "lxc-setuid" and "lxc-setcap" to add setuid and caps to lxc-stop and lxc-info, but failed to make it work.

lxc version is (installed from Raring):

gleber@first:/etc/apt/sources.list.d$ sudo aptitude show lxc | grep Version
Version: 0.8.0~rc1-4ubuntu48

Ubuntu version is:

gleber@first:/etc/apt/sources.list.d$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 12.10
Release: 12.10
Codename: quantal

Best,
Gleb
---
ApportVersion: 2.7-0ubuntu2
Architecture: i386
DistroRelease: Ubuntu 12.10
KernLog:

MarkForUpload: True
NonfreeKernelModules: nvidia
Package: lxc 0.8.0~rc1-4ubuntu48 [modified: usr/bin/lxc-setcap usr/bin/lxc-setuid]
PackageArchitecture: i386
ProcCmdline: BOOT_IMAGE=/boot/vmlinuz-3.5.0-19-generic root=UUID=e8e7b19c-1179-4cf0-9a7b-5879fb916154 ro quiet splash
ProcEnviron:
 TERM=rxvt-unicode
 PATH=(custom, no user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
ProcVersionSignature: Ubuntu 3.5.0-19.30-generic 3.5.7
Tags: quantal
Uname: Linux 3.5.0-19-generic i686
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups: audio libvirtd sudo
lxcsyslog:

modified.conffile..etc.default.lxc: [modified]
mtime.conffile..etc.default.lxc: 2012-12-12T17:39:04.517138

Gleb Peregud (gleber-p) wrote : Dependencies.txt

apport information

tags: added: apport-collected quantal
description: updated
Gleb Peregud (gleber-p) wrote : RelatedPackageVersions.txt

apport information

Serge Hallyn (serge-hallyn) wrote :

As documented in the server guide (https://help.ubuntu.com/12.04/serverguide/lxc.html), lxc-setcap is not recommended.

Unprivileged use of lxc will hopefully be a feature in 14.04, after user namespaces are fully functional.

In the meantime, creation, starting, and stopping of containers in general should be done as root.

Changed in lxc (Ubuntu):
status: New → Won't Fix
Gleb Peregud (gleber-p) wrote :

Oops, missed the point that lxc-setcap is not recommended. Thank you for the response!

Is it possible to get it to work using some yet-unsupported version of the kernel? Can you point out some feature status document where I can read about what is missing?

Serge Hallyn (serge-hallyn) wrote : Re: [Bug 1090462] Re: lxc-info, lxc-stop and lxc-list don't work for non-root users

Quoting Gleb Peregud (<email address hidden>):
> Oops, missed the point that lxc-setcap is not recommended. Thank you for
> the response!
>
> Is it possible to get it to work using some yet-unsupported version of
> the kernel? Can you point out some feature status document where I can
> read about what is missing?

The last time I set up containers working with user namespaces I documented it at

http://s3hh.wordpress.com/2012/10/31/full-ubuntu-container-confined-in-a-user-namespace/

Most of the kernel patches in there were actually just accepted into Linus' tree at the last (current?) window.

However, to get what you want, we need one more step of splitting up the lxc tools a bit to support use by unprivileged users. (A few things will still require privilege, like hooking the host end of the container's network tunnel into the host bridge, and setting up the uid mapping. Those will become usable by unprivileged users once they've been authorized - for instance an admin with privilege will authorize uid 1000 to map userids 100,000-199,999.)

The plan right now is to do that work during the next (13.10) cycle.
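The authorization step Serge sketches above (an admin granting uid 1000 the right to map host uids 100,000-199,999 into a container's user namespace) can be modelled as a check of a requested mapping against a grant table. This is an added example, not code from the bug report or from the lxc project: the grant list, the `Grant` type and `mapping_authorized` are constructed for illustration, while the three-field "inside outside count" line format is the kernel's own uid_map format.

```python
# Added example: validate a requested uid_map against admin-issued grants.
# The grant table below is constructed; the uid_map line format is the
# kernel's ("<first uid inside ns> <first uid on host> <count>").
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    owner_uid: int  # host uid that the admin authorized
    start: int      # first host uid the owner may map
    count: int      # size of the authorized block

    @property
    def end(self) -> int:
        return self.start + self.count  # exclusive upper bound


# Constructed allowlist: admin authorizes uid 1000 to map 100,000-199,999.
GRANTS = [Grant(owner_uid=1000, start=100_000, count=100_000)]


def parse_uid_map(text: str):
    """Parse uid_map lines into (inside, outside, count) tuples, rejecting
    malformed or non-positive ranges before any policy decision is made."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        inside, outside, count = (int(f) for f in fields)
        if count <= 0 or inside < 0 or outside < 0:
            raise ValueError(f"invalid range in uid_map line: {line!r}")
        entries.append((inside, outside, count))
    return entries


def mapping_authorized(requester_uid: int, uid_map: str, grants=GRANTS) -> bool:
    """True only if every host-side range in uid_map is either the requester's
    own single uid (which the kernel lets an unprivileged user map) or lies
    entirely inside a block an admin granted to that requester."""
    for _inside, outside, count in parse_uid_map(uid_map):
        if count == 1 and outside == requester_uid:
            continue
        covered = any(g.owner_uid == requester_uid and g.start <= outside
                      and outside + count <= g.end for g in grants)
        if not covered:
            return False
    return True
```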
