grsec 3.13.5 & lxc 1.0.0 user namespace containers
Posted: Wed Feb 26, 2014 3:23 am
I am trying to use lxc 1.0.0's new support for user namespaces to run an unprivileged container. It appears that the grsec patch is somehow blocking a syscall to unshare from within a docker lxc container.
This setup works with a vanilla 3.13.5 kernel; after switching to the grsec kernel it won't run the same container or even generate the rootfs for lxc.
The setup I am running is a little strange: an unprivileged lxc container nested within a privileged docker container. (I am nesting the unprivileged lxc container within the docker lxc container to use the lxc-provided tools in their .deb that is pre-built for ubuntu 14.04. I am running gentoo and don't trust that my patched shadow/pam wasn't causing problems, so I did this to remove that as a possible issue.) As odd as it may be, it works fine on vanilla; hopefully this can be done on grsec as well.
Error message inside the docker container when trying to create the nested lxc rootfs:
http://pastebin.com/JaNW8RDh (the WARN: about reopening the tty appears on both the vanilla and the grsec kernel)
features disabled in sysctl:
kernel.grsecurity.chroot_caps = 0
kernel.grsecurity.chroot_deny_chmod = 0
kernel.grsecurity.chroot_deny_pivot = 0
kernel.grsecurity.chroot_deny_chroot = 0
kernel.grsecurity.chroot_deny_mount = 0
kernel config:
http://bpaste.net/show/182840/
uname -r:
3.13.5-grsec
grsecurity patch version:
3.13.5-201402241943
distro:
gentoo-hardened (running kernel.org + grsecurity patch instead of hardened-sources atm)
strace -f of the lxc-create that fails above:
http://paste.ubuntu.com/6998427/
Is there something I could change in my configuration to get this working?
If needed, I can push my dockerfiles to index.docker.io and provide instructions to recreate the exact situation I am running into.
If there is any other debug information I could provide that would be helpful, just let me know.
Thanks for all the hard work on a great kernel patch set! Hopefully this is just something simple I'm not seeing.
Andy
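The post narrows the failure to "a syscall to unshare" but the strace covers all of lxc-create, so it does not say which of the three things an unprivileged container runtime needs is actually refused: creating the user namespace, writing the uid/gid maps, or unsharing the mount namespace and remounting inside it. The following probe is an added example (not code from the post, from lxc or from grsecurity) that runs exactly those steps in order, in a forked child so the caller's own namespaces are untouched, and reports the first step that fails together with its errno. Running it as the same unprivileged user inside the docker container, once on the vanilla kernel and once on the grsec kernel, isolates which step the patch set refuses. The step names, `struct probe_result` and the helper names are this example's own. The `/proc/self/setgroups` write is an assumption about kernels newer than the one in the post: that file only exists from 3.19 onward and must be written before `gid_map` by an unprivileged process, so the probe ignores ENOENT on it.

```c
// Added example: probe the three syscall steps an unprivileged user-namespace
// container needs, reporting the first one that fails and why.
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Result of a probe: 1-based index of the first failing step (0 if every
 * step passed, -1 if the probe itself could not run) and the errno value. */
struct probe_result { int failed_step; int err; };

static const char *step_name(int step) {
    switch (step) {
    case 0: return "all steps passed";
    case 1: return "unshare(CLONE_NEWUSER)";
    case 2: return "write uid_map/gid_map";
    case 3: return "unshare(CLONE_NEWNS) + mount(MS_PRIVATE) on /";
    default: return "probe could not run";
    }
}

/* Write a short string to a file; 0 on success, -errno on failure. */
static int write_file(const char *path, const char *buf) {
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -errno;
    ssize_t n = write(fd, buf, strlen(buf));
    int saved = errno;
    close(fd);
    return n < 0 ? -saved : 0;
}

/* Step 1: create a new user namespace without any privilege. */
static int step_userns(void) {
    return unshare(CLONE_NEWUSER) == 0 ? 0 : -errno;
}

/* Step 2: map our real uid/gid to 0 inside the new namespace, which is what
 * gives the process CAP_SYS_ADMIN over namespaces it creates afterwards.
 * Assumption: /proc/self/setgroups exists only on kernels >= 3.19, so ENOENT
 * is ignored (on the 3.13 kernel in the post the file is simply absent). */
static int step_idmap(uid_t uid, gid_t gid) {
    char buf[64];
    int rc;
    snprintf(buf, sizeof buf, "0 %u 1\n", (unsigned)uid);
    if ((rc = write_file("/proc/self/uid_map", buf)) != 0) return rc;
    rc = write_file("/proc/self/setgroups", "deny\n");
    if (rc != 0 && rc != -ENOENT) return rc;
    snprintf(buf, sizeof buf, "0 %u 1\n", (unsigned)gid);
    return write_file("/proc/self/gid_map", buf);
}

/* Step 3: a private mount namespace, the minimum lxc needs to build a rootfs. */
static int step_mountns(void) {
    if (unshare(CLONE_NEWNS) != 0) return -errno;
    if (mount("none", "/", NULL, MS_REC | MS_PRIVATE, NULL) != 0) return -errno;
    return 0;
}

/* Run the steps in a child so the caller keeps its own namespaces; the child
 * hands the result back over a pipe. */
static struct probe_result run_probe(void) {
    struct probe_result r = { -1, 0 };
    int fds[2];
    if (pipe(fds) != 0) { r.err = errno; return r; }
    pid_t pid = fork();
    if (pid < 0) { r.err = errno; close(fds[0]); close(fds[1]); return r; }
    if (pid == 0) {
        close(fds[0]);
        uid_t uid = getuid();
        gid_t gid = getgid();
        int rc, step = 0;
        if ((rc = step_userns()) != 0)              step = 1;
        else if ((rc = step_idmap(uid, gid)) != 0)  step = 2;
        else if ((rc = step_mountns()) != 0)        step = 3;
        r.failed_step = step;
        r.err = -rc;
        _exit(write(fds[1], &r, sizeof r) == (ssize_t)sizeof r ? 0 : 1);
    }
    close(fds[1]);
    if (read(fds[0], &r, sizeof r) != (ssize_t)sizeof r) { r.failed_step = -1; r.err = EIO; }
    close(fds[0]);
    waitpid(pid, NULL, 0);
    return r;
}

int main(void) {
    struct probe_result r = run_probe();
    if (r.failed_step == 0)
        printf("ok: %s\n", step_name(0));
    else
        printf("failed at step %d (%s): errno %d (%s)\n",
               r.failed_step, step_name(r.failed_step), r.err, strerror(r.err));
    return r.failed_step == 0 ? 0 : 1;
}
```

Build with `gcc -Wall -o nsprobe nsprobe.c` and run it as the unprivileged user that lxc-create runs as. A failure at step 1 means the kernel refuses unprivileged user namespaces outright, which no sysctl in the list above controls; a failure at step 3 points instead at the mount or pivot restrictions the post already tried to relax.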