grsec 3.13.5 & lxc 1.0.0 user namespace containers

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

grsec 3.13.5 & lxc 1.0.0 user namespace containers

Postby andyj » Wed Feb 26, 2014 3:23 am

I am trying to use lxc 1.0.0's new support for user namespaces to run an unprivileged container. It appears that the grsec patch is somehow blocking a syscall to unshare from within a docker lxc container.

This setup works with a vanilla 3.13.5 kernel, and after switching to the grsec kernel it won't run the same container or even generate the rootfs for lxc.

The setup I am running is a little strange: an unprivileged lxc container nested within a privileged docker container. (I am nesting the unprivileged lxc container within the docker lxc container to use the lxc-provided tools in their .deb that is pre-built for Ubuntu 14.04. I'm running Gentoo and don't trust that my patched shadow/pam wasn't causing problems, so I did this to remove that as a possible issue.) As odd as it may be, it works fine on vanilla; hopefully this can be done on grsec as well.

Error message inside the docker container when trying to create the nested lxc rootfs:
http://pastebin.com/JaNW8RDh (the WARN: about reopening the tty appears with both the vanilla and the grsec kernel)

features disabled in sysctl:
kernel.grsecurity.chroot_caps = 0
kernel.grsecurity.chroot_deny_chmod = 0
kernel.grsecurity.chroot_deny_pivot = 0
kernel.grsecurity.chroot_deny_chroot = 0
kernel.grsecurity.chroot_deny_mount = 0

kernel config:
http://bpaste.net/show/182840/

uname -r:
3.13.5-grsec

grsecurity patch version:
3.13.5-201402241943

distro:
gentoo-hardened (running kernel.org + grsecurity patch instead of hardened-sources atm)

strace -f for lxc-create that fails above:
http://paste.ubuntu.com/6998427/

Is there something I could change in my configuration to get this working?

If you need I can push my dockerfiles to index.docker.io and provide instructions to recreate the exact situation I am running into.

If there is any other debug information I could provide that would be helpful, just let me know.

Thanks for all the hard work on a great kernel patch set! Hopefully this is just something simple I'm not seeing.

Andy
andyj
 
Posts: 8
Joined: Wed Feb 26, 2014 2:44 am

Re: grsec 3.13.5 & lxc 1.0.0 user namespace containers

Postby spender » Wed Feb 26, 2014 8:23 am

Hi,

grsecurity disallows unprivileged use of user namespaces. If you want to use them despite numerous vulnerabilities they've introduced to date, remove the patch from kernel/user_namespace.c:create_user_ns() at your own risk.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
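Before chasing container tooling, it is worth confirming directly whether the kernel you are on refuses unprivileged user namespace creation as Brad describes. The probe below is an added example, not code from this thread or from grsecurity; it assumes the denial surfaces as EPERM from unshare(CLONE_NEWUSER), and the verdict strings are mine. It only says anything useful when run as a non-root user, since root is allowed to create user namespaces either way.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Try unshare(CLONE_NEWUSER) in a forked child so the caller's own
 * namespaces are left untouched. Returns 0 if the kernel allowed it,
 * the errno it reported otherwise, or -1 if the child did not exit
 * normally (e.g. it was killed by a seccomp policy). */
int probe_unpriv_userns(void) {
    pid_t pid = fork();
    if (pid < 0) return errno;
    if (pid == 0) {
        if (unshare(CLONE_NEWUSER) != 0) _exit(errno); /* errno < 256 on Linux */
        _exit(0);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return errno;
    if (!WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

/* Map the probe result to a human-readable verdict (strings are mine). */
const char *userns_verdict(int rc) {
    if (rc == 0) return "permitted: unprivileged user namespaces can be created";
    if (rc == EPERM) return "blocked: EPERM (expected on a grsecurity kernel, or with unprivileged userns disabled)";
    if (rc == EINVAL) return "unsupported: kernel built without CONFIG_USER_NS";
    if (rc < 0) return "inconclusive: probe child was killed before reporting";
    return "blocked: other error (see strerror)";
}

int main(void) {
    if (geteuid() == 0)
        fputs("note: running as root; rerun as a normal user for a meaningful result\n", stderr);
    int rc = probe_unpriv_userns();
    printf("unshare(CLONE_NEWUSER) -> %d (%s)\n%s\n", rc,
           rc > 0 ? strerror(rc) : "ok", userns_verdict(rc));
    return 0;
}
```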

Re: grsec 3.13.5 & lxc 1.0.0 user namespace containers

Postby andyj » Wed Feb 26, 2014 3:10 pm

I defer to your better judgement. :D

Maybe I'll try user namespace containers again when lxc fixes support for launching unprivileged containers from root. (looks like lxc 1.0.1, http://article.gmane.org/gmane.linux.ke ... devel/7207)

Andy
andyj
 
Posts: 8
Joined: Wed Feb 26, 2014 2:44 am
