
kernel-packages team mailing list archive

[Bug 1293549] Re: Filesystem mount from lxc template causes filesystem permission breakages


OK, a more refined reproducer shows that this is an issue triggered by
different permissions on the various layers. Although the directory is
reported correctly, the permissions for each layer are used on that layer
to control who can actually see the contents of the directory. If you
cannot rx the lower levels, you cannot read the directory at all. This
is a deliberate design decision.


  Filesystem mount from lxc template causes filesystem permission

Status in juju-core:
  In Progress
Status in lxc containers:
Status in “linux” package in Ubuntu:
Status in “postgresql” package in Juju Charms Collection:

Bug description:
  In juju-core 1.17.5, creating new lxc machines is now much faster as
  it appears to be using a template machine. In addition, the root
  filesystem is mounted from the template machine.

  Unfortunately, this causes filesystem permissions to screw up.

  juju deploy ubuntu
  juju ssh ubuntu/0
  sudo chown ubuntu:ubuntu /etc/ssl/private
  ls /etc/ssl/private

  That final 'ls' fails with a permission denied. This is possibly a
  security precaution in lxc or the filesystem.

  This issue breaks the postgresql charm. The PostgreSQL packages
  require and use the ssl-cert package, which changes /etc/ssl/private
  to be group readable by the ssl-cert group. The postgres user, a
  member of the ssl-cert group, is unable to read the private key stored
  in this directory.

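The per-layer rule described in the comment above, as an added sketch that is not part of the original bug thread or of any project's code: the directory is listable only if the caller has read and execute on it in every layer, judged by that layer's own owner, group and mode. The uids, gids and modes are constructed to mirror the `chown ubuntu:ubuntu /etc/ssl/private` reproducer, and ACLs and capabilities are ignored.

```python
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class LayerDir:
    """Owner, group and mode of one directory as stored on a single layer."""
    name: str
    uid: int
    gid: int
    mode: int


def layer_from_path(name, path):
    """Build a LayerDir from a real directory on one layer's backing store."""
    st = os.stat(path)
    return LayerDir(name, st.st_uid, st.st_gid, st.st_mode & 0o7777)


def can_list(layer, uid, gids):
    """Owner/group/other check for read+execute (rx) on this layer only.

    Simplification (assumption): ACLs and capabilities are not modelled.
    """
    if uid == layer.uid:
        bits = (layer.mode >> 6) & 0o7
    elif layer.gid in gids:
        bits = (layer.mode >> 3) & 0o7
    else:
        bits = layer.mode & 0o7
    return (bits & 0o5) == 0o5


def blocking_layers(layers, uid, gids):
    """Names of the layers that deny rx; empty means the listing succeeds."""
    return [layer.name for layer in layers if not can_list(layer, uid, gids)]


# Constructed values: after the chown, the container's layer is owned by
# ubuntu, while the template's copy is still root-owned with mode 0700.
UBUNTU_UID, UBUNTU_GID = 1000, 1000
UPPER = LayerDir("upper (container)", UBUNTU_UID, UBUNTU_GID, 0o700)
LOWER = LayerDir("lower (template)", 0, 0, 0o700)

if __name__ == "__main__":
    print(blocking_layers([UPPER, LOWER], UBUNTU_UID, {UBUNTU_GID}))
```

On a real host, `layer_from_path` can be pointed at the same directory on each layer's backing store to see which layer is denying access.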