kernel-packages team mailing list archive

[Bug 1293549] Re: Filesystem mount from lxc template causes filesystem permission breakages

 

A naive test of aufs directly shows that chown and chmod do cause a
copy up of the underlying files as expected.

In the read only layer before chmod/chown:

  drwxrwxr-x 2 apw apw 4096 Mar 18 09:16 D1
  drwxrwxr-x 2 apw apw 4096 Mar 18 09:16 D2
  drwxrwxr-x 2 apw apw 4096 Mar 18 09:16 D3

In the mount after:

  drwxrwxr-x 2 sbuild sbuild 4096 Mar 18 09:16 D1
  drwxrwxrwx 2 apw    apw    4096 Mar 18 09:16 D2
  drwxrwxrwx 2 apw    apw    4096 Mar 18 09:16 D3

The underlying permissions remain unchanged after these operations.
This all seems semantically correct.

I need a description of how we are using aufs in this scenario (in
comment #2), for instance are we modifying the actual underlying files
while mounted, which would be a no-no.

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1293549

Title:
  Filesystem mount from lxc template causes filesystem permission
  breakages

Status in juju-core:
  In Progress
Status in lxc containers:
  Confirmed
Status in “linux” package in Ubuntu:
  Confirmed
Status in “postgresql” package in Juju Charms Collection:
  New

Bug description:
  In juju-core 1.17.5, creating new lxc machines is now much faster as
  it appears to be using a template machine. In addition, the root
  filesystem is mounted from the template machine.

  Unfortunately, this causes filesystem permissions to screw up.

  juju deploy ubuntu
  juju ssh ubuntu/0
  sudo chown ubuntu:ubuntu /etc/ssl/private
  ls /etc/ssl/private

  That final 'ls' fails with a permission denied. This is possibly a
  security precaution in lxc or the filesystem.

  This issue breaks the postgresql charm. The PostgreSQL packages
  require and use the ssl-cert package, which changes /etc/ssl/private
  to be group readable by the ssl-cert group. The postgres user, a
  member of the ssl-cert group, is unable to read the private key stored
  in this directory.

To manage notifications about this bug go to:
https://bugs.launchpad.net/juju-core/+bug/1293549/+subscriptions
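
The comparison made in the comment above (read-only layer versus the mounted view), as an added example that is not part of the original message or of any aufs, lxc or juju tooling: a POSIX shell helper that lists every entry whose mode, owner or group differs between two directory trees. The function names and the two path arguments are assumptions, and it relies on GNU `stat`.

```shell
#!/bin/sh
# Added example (not from the bug report): compare permissions of a read-only
# lower layer against the merged union mount, to see which entries were
# changed (copied up) in the mount while the lower layer stayed untouched.
# Limitation: file names containing newlines are not handled.

# Print "mode owner group" for one path, e.g. "drwxrwxr-x apw apw" (GNU stat).
perm_of() {
    stat -c '%A %U %G' -- "$1"
}

# layer_perm_diff LOWER MERGED   (both paths are caller-supplied assumptions)
# Prints one line per differing entry:
#   <relative path>: <lower perms> -> <merged perms>
# Entries that do not exist in the merged view are shown as "(absent)".
# The body runs in a subshell so the cd and variables do not leak out.
layer_perm_diff() (
    merged=$(cd "$2" && pwd) || exit 2
    cd "$1" || exit 2
    find . ! -name . -print | while IFS= read -r rel; do
        rel=${rel#./}
        lp=$(perm_of "./$rel")
        if [ -e "$merged/$rel" ] || [ -L "$merged/$rel" ]; then
            mp=$(perm_of "$merged/$rel")
        else
            mp="(absent)"
        fi
        [ "$lp" = "$mp" ] || printf '%s: %s -> %s\n' "$rel" "$lp" "$mp"
    done
)

# Stand-alone use: sh script.sh /path/to/lower /path/to/merged
if [ "$#" -eq 2 ]; then
    layer_perm_diff "$1" "$2"
fi
```

Run against the branch directory and the union mount point before and after the chown/chmod; an empty result from lower-before versus lower-after confirms that the underlying permissions were left unchanged.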