Description
Submission type
- Bug report
- Request for enhancement (RFE)
systemd version the issue has been seen with
systemd 229
+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN
Used distribution
Fedora:
fedora-release-24-0.16.noarch
kernel-4.5.1-300.fc24.x86_64
systemd-229-7.fc24.x86_64
In case of bug report: Unexpected behaviour you saw
I'm testing running a full Fedora 24 OS container with USER_NS support: /usr/bin/systemd-nspawn --quiet --keep-unit --boot --link-journal=try-guest --settings=override --machine=ipa43b --network-macvlan=enp2s0 --private-users=10000. I have used uidmapshift before starting the container and the container does start up.
However, entries under /proc and /sys are owned by 65534:65534 within the container, causing various programs to fail. I would expect that these entries would be uidshifted to 0:0 when appropriate as well so the container can make use of them.
Firewalld in the container fails to do anything useful, as it can't read /proc/net/ip_tables_names:
-bash-4.3# cat /proc/net/ip_tables_names
cat: /proc/net/ip_tables_names: Permission denied
Googling yields more information for LXC than systemd-nspawn, and the only pointer I could find was http://stackoverflow.com/questions/23417521/mounting-proc-in-non-privileged-namespace-sandbox which seemed to indicate that /proc might need the MS_REC mount flag, though that may be a complete red herring.
-bash-4.3# ls -n /proc
total 0
dr-xr-xr-x. 9 0 0 0 Apr 17 08:28 1
dr-xr-xr-x. 9 0 0 0 Apr 17 08:52 114
dr-xr-xr-x. 9 0 0 0 Apr 17 08:28 15
dr-xr-xr-x. 9 81 81 0 Apr 17 08:28 30
dr-xr-xr-x. 9 998 997 0 Apr 17 08:28 31
dr-xr-xr-x. 9 0 0 0 Apr 17 08:28 32
dr-xr-xr-x. 9 0 0 0 Apr 17 08:28 33
dr-xr-xr-x. 9 0 0 0 Apr 17 08:28 34
dr-xr-xr-x. 9 0 0 0 Apr 17 08:28 62
dr-xr-xr-x. 9 0 0 0 Apr 17 08:51 72
dr-xr-xr-x. 9 0 0 0 Apr 17 08:51 74
dr-xr-xr-x. 9 0 0 0 Apr 17 08:51 75
dr-xr-xr-x. 9 0 0 0 Apr 17 08:51 79
dr-xr-xr-x. 2 65534 65534 0 Apr 17 08:52 acpi
dr-xr-xr-x. 5 65534 65534 0 Apr 17 08:52 asound
-r--r--r--. 1 65534 65534 0 Apr 17 08:52 buddyinfo
dr-xr-xr-x. 4 65534 65534 0 Apr 17 08:52 bus
-r--r--r--. 1 65534 65534 0 Apr 17 08:52 cgroups
-r--r--r--. 1 65534 65534 0 Apr 17 08:52 cmdline
-r--r--r--. 1 65534 65534 0 Apr 17 08:52 consoles
-r--r--r--. 1 65534 65534 0 Apr 17 08:52 cpuinfo
-r--r--r--. 1 65534 65534 0 Apr 17 08:52 crypto
-r--r--r--. 1 65534 65534 0 Apr 17 08:52 devices
-r--r--r--. 1 65534 65534 0 Apr 17 08:52 diskstats
-r--r--r--. 1 65534 65534 0 Apr 17 08:52 dma
dr-xr-xr-x. 2 65534 65534 0 Apr 17 08:52 driver
-r--r--r--. 1 65534 65534 0 Apr 17 08:52 execdomains
-r--r--r--. 1 65534 65534 0 Apr 17 08:52 fb
-r--r--r--. 1 65534 65534 0 Apr 17 08:52 filesystems
dr-xr-xr-x. 7 65534 65534 0 Apr 17 08:52 fs
-r--r--r--. 1 65534 65534 0 Apr 17 08:52 interrupts
-r--r--r--. 1 65534 65534 0 Apr 17 08:52 iomem
-r--r--r--. 1 65534 65534 0 Apr 17 08:52 ioports
dr-xr-xr-x. 30 65534 65534 0 Apr 17 08:52 irq
-r--r--r--. 1 65534 65534 0 Apr 17 08:52 kallsyms
-r--------. 1 65534 65534 140737477885952 Apr 17 08:52 kcore
-r--r--r--. 1 65534 65534 0 Apr 17 08:52 key-users
-r--r--r--. 1 65534 65534 0 Apr 17 08:52 keys
prw-------. 0 0 0 0 Apr 17 08:28 kmsg
-r--------. 1 65534 65534 0 Apr 17 08:52 kpagecgroup
-r--------. 1 65534 65534 0 Apr 17 08:52 kpagecount
-r--------. 1 65534 65534 0 Apr 17 08:52 kpageflags
-rw-r--r--. 1 65534 65534 0 Apr 17 08:52 latency_stats
-r--r--r--. 1 65534 65534 0 Apr 17 08:52 loadavg
-r--r--r--. 1 65534 65534 0 Apr 17 08:52 locks
-r--r--r--. 1 65534 65534 0 Apr 17 08:52 mdstat
-r--r--r--. 1 65534 65534 0 Apr 17 08:52 meminfo
-r--r--r--. 1 65534 65534 0 Apr 17 08:52 misc
-r--r--r--. 1 65534 65534 0 Apr 17 08:52 modules
lrwxrwxrwx. 1 65534 65534 11 Apr 17 08:52 mounts -> self/mounts
-rw-r--r--. 1 65534 65534 0 Apr 17 08:52 mtrr
lrwxrwxrwx. 1 65534 65534 8 Apr 17 08:52 net -> self/net
-r--r--r--. 1 65534 65534 0 Apr 17 08:52 pagetypeinfo
-r--r--r--. 1 65534 65534 0 Apr 17 08:52 partitions
-r--r--r--. 1 65534 65534 0 Apr 17 08:52 sched_debug
-r--r--r--. 1 65534 65534 0 Apr 17 08:52 schedstat
dr-xr-xr-x. 3 65534 65534 0 Apr 17 08:52 scsi
lrwxrwxrwx. 1 65534 65534 0 Apr 17 08:28 self -> 114
-r--------. 1 65534 65534 0 Apr 17 08:52 slabinfo
-r--r--r--. 1 65534 65534 0 Apr 17 08:52 softirqs
-r--r--r--. 1 65534 65534 0 Apr 17 08:52 stat
-r--r--r--. 1 65534 65534 0 Apr 17 08:52 swaps
dr-xr-xr-x. 1 65534 65534 0 Apr 17 08:28 sys
--w-------. 1 65534 65534 0 Apr 17 08:52 sysrq-trigger
dr-xr-xr-x. 2 65534 65534 0 Apr 17 08:52 sysvipc
lrwxrwxrwx. 1 65534 65534 0 Apr 17 08:28 thread-self -> 114/task/114
-r--r--r--. 1 65534 65534 0 Apr 17 08:52 timer_list
-rw-r--r--. 1 65534 65534 0 Apr 17 08:52 timer_stats
dr-xr-xr-x. 4 65534 65534 0 Apr 17 08:52 tty
-r--r--r--. 1 65534 65534 0 Apr 17 08:52 uptime
-r--r--r--. 1 65534 65534 0 Apr 17 08:52 version
-r--------. 1 65534 65534 0 Apr 17 08:52 vmallocinfo
-r--r--r--. 1 65534 65534 0 Apr 17 08:52 vmstat
-r--r--r--. 1 65534 65534 0 Apr 17 08:52 zoneinfo
-bash-4.3# ls -n /sys
total 0
drwxr-xr-x. 2 65534 65534 0 Apr 17 08:53 block
drwxr-xr-x. 31 65534 65534 0 Apr 17 08:28 bus
drwxr-xr-x. 53 65534 65534 0 Apr 17 08:53 class
drwxr-xr-x. 4 65534 65534 0 Apr 17 08:53 dev
drwxr-xr-x. 21 65534 65534 0 Apr 17 08:28 devices
drwxr-xr-x. 5 65534 65534 100 Apr 17 08:28 fs
drwxr-xr-x. 10 65534 65534 0 Apr 17 08:53 kernel
-bash-4.3# mount
/dev/mapper/fedora-root on / type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
tmpfs on /sys type tmpfs (ro,nosuid,nodev,noexec,relatime,seclabel,mode=755,uid=10000,gid=10000)
selinuxfs on /sys/fs/selinux type selinuxfs (ro,nosuid,nodev,noexec,relatime)
tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,seclabel,mode=755,uid=10000,gid=10000)
cgroup on /sys/fs/cgroup/memory type cgroup (ro,nosuid,nodev,noexec,relatime,memory)
cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (ro,nosuid,nodev,noexec,relatime,cpu,cpuacct)
cgroup on /sys/fs/cgroup/freezer type cgroup (ro,nosuid,nodev,noexec,relatime,freezer)
cgroup on /sys/fs/cgroup/pids type cgroup (ro,nosuid,nodev,noexec,relatime,pids)
cgroup on /sys/fs/cgroup/hugetlb type cgroup (ro,nosuid,nodev,noexec,relatime,hugetlb)
cgroup on /sys/fs/cgroup/cpuset type cgroup (ro,nosuid,nodev,noexec,relatime,cpuset)
cgroup on /sys/fs/cgroup/net_cls,net_prio type cgroup (ro,nosuid,nodev,noexec,relatime,net_cls,net_prio)
cgroup on /sys/fs/cgroup/devices type cgroup (ro,nosuid,nodev,noexec,relatime,devices)
cgroup on /sys/fs/cgroup/perf_event type cgroup (ro,nosuid,nodev,noexec,relatime,perf_event)
cgroup on /sys/fs/cgroup/blkio type cgroup (ro,nosuid,nodev,noexec,relatime,blkio)
cgroup on /sys/fs/cgroup/systemd type cgroup (ro,nosuid,nodev,noexec,relatime,xattr,release_agent=/usr/lib/systemd/systemd-cgroups-agent,name=systemd)
tmpfs on /dev type tmpfs (rw,nosuid,seclabel,mode=755,uid=10000,gid=10000)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,seclabel,uid=10000,gid=10000)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,seclabel,gid=10005,mode=620,ptmxmode=666)
devpts on /dev/console type devpts (rw,nosuid,noexec,relatime,seclabel,gid=5,mode=620,ptmxmode=000)
tmpfs on /run type tmpfs (rw,nosuid,nodev,seclabel,mode=755,uid=10000,gid=10000)
tmpfs on /run/systemd/nspawn/incoming type tmpfs (ro,seclabel,mode=755)
tmpfs on /tmp type tmpfs (rw,seclabel,uid=10000,gid=10000)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
proc on /proc/sys type proc (ro,nosuid,nodev,noexec,relatime)
sysfs on /sys/block type sysfs (ro,nosuid,nodev,noexec,relatime,seclabel)
sysfs on /sys/bus type sysfs (ro,nosuid,nodev,noexec,relatime,seclabel)
sysfs on /sys/class type sysfs (ro,nosuid,nodev,noexec,relatime,seclabel)
sysfs on /sys/dev type sysfs (ro,nosuid,nodev,noexec,relatime,seclabel)
sysfs on /sys/devices type sysfs (ro,nosuid,nodev,noexec,relatime,seclabel)
sysfs on /sys/kernel type sysfs (ro,nosuid,nodev,noexec,relatime,seclabel)
cgroup on /sys/fs/cgroup/systemd/machine.slice/[email protected] type cgroup (rw,nosuid,nodev,noexec,relatime,xattr,release_agent=/usr/lib/systemd/systemd-cgroups-agent,name=systemd)
tmpfs on /proc/sys/kernel/random/boot_id type tmpfs (ro,nosuid,nodev,seclabel,mode=755,uid=10000,gid=10000)
tmpfs on /proc/kmsg type tmpfs (rw,nosuid,nodev,seclabel,mode=755,uid=10000,gid=10000)
mqueue on /dev/mqueue type mqueue (rw,nodev,relatime,seclabel)
tmpfs on /run/user/0 type tmpfs (rw,nosuid,nodev,relatime,seclabel,size=395664k,mode=700,uid=10000,gid=10000)
In case of bug report: Steps to reproduce the problem
$ setenforce 0
$ dnf -y --releasever=24 --installroot=/var/lib/machines/ipa43b --disablerepo='*' --enablerepo=fedora --enablerepo=updates --enablerepo=updates-testing install systemd passwd dnf fedora-release firewalld iproute
$ uidmapshift -b /path/to/directory 0 10000 500
$ /usr/bin/systemd-nspawn --quiet --keep-unit --boot --link-journal=try-guest --settings=override --machine=ipa43b --network-macvlan=enp2s0 --private-users=10000
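An added example (not code from this issue or from systemd) that models why the container sees owner 65534 and gets "Permission denied": it applies the uid_map that `--private-users=10000` on a tree shifted with `uidmapshift ... 0 10000 500` produces to the host-side owners of procfs entries. The uid_map string, the three sample entries and their modes (0440 for ip_tables_names) are constructed assumptions, and the DAC check is deliberately simplified to owner/other bits.

```python
import stat
OVERFLOW_UID = 65534  # kernel default, /proc/sys/kernel/overflowuid

# Assumed uid_map: namespace uid 0..499 <-> host uid 10000..10499
CONTAINER_UID_MAP = "0 10000 500\n"

def parse_uid_map(text):
    """Parse /proc/<pid>/uid_map; each line is '<ns_start> <host_start> <count>'."""
    ranges = []
    for line in text.splitlines():
        if line.strip():
            ns_start, host_start, count = (int(f) for f in line.split())
            ranges.append((ns_start, host_start, count))
    return ranges

def host_to_ns(uid_map, host_uid):
    """Owner uid as the namespace sees it, or None when the host uid is unmapped."""
    for ns_start, host_start, count in uid_map:
        if host_start <= host_uid < host_start + count:
            return ns_start + (host_uid - host_start)
    return None

def can_read(uid_map, owner_host_uid, mode, caller_ns_uid):
    """DAC check as seen inside the namespace (group bits ignored; the gid of
    kernel-owned entries is unmapped too). Namespace root has CAP_DAC_OVERRIDE,
    but the kernel honours it only when the inode owner maps into the namespace."""
    owner_ns_uid = host_to_ns(uid_map, owner_host_uid)
    if caller_ns_uid == 0 and owner_ns_uid is not None:
        return True
    if owner_ns_uid == caller_ns_uid:
        return bool(mode & stat.S_IRUSR)
    return bool(mode & stat.S_IROTH)

# Constructed host-side view of three entries from the listings above:
# (path, host owner uid, mode). procfs nodes belong to host uid 0; /proc/30
# belongs to the container process running as uid 81 (host uid 10081).
HOST_VIEW = [
    ("/proc/net/ip_tables_names", 0, 0o440),
    ("/proc/cpuinfo", 0, 0o444),
    ("/proc/30", 10081, 0o555),
]

def container_view(uid_map_text=CONTAINER_UID_MAP, caller_ns_uid=0):
    """{path: (owner uid as 'ls -n' prints it, readable by the caller?)}."""
    uid_map = parse_uid_map(uid_map_text)
    view = {}
    for path, owner, mode in HOST_VIEW:
        ns_uid = host_to_ns(uid_map, owner)
        view[path] = (OVERFLOW_UID if ns_uid is None else ns_uid,
                      can_read(uid_map, owner, mode, caller_ns_uid))
    return view
```

Making these entries show up as 0:0 would require mapping host uid 0 into the namespace, which makes container root equal to host root and defeats the isolation that `--private-users` provides.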