touch-packages team mailing list archive

[Bug 1501959] [NEW] "System error" on chfn / su with lxc-start --share-net

Public bug reported:

When running `lxc-start --share-net 1` on a trusty host with a trusty
container, chfn / su (and presumably other utilities which use PAM)
fail.

Test case:

lxc-create -t ubuntu -n test1
cat >/var/lib/lxc/test1/rootfs/config <<EOM
lxc.include = /usr/share/lxc/config/ubuntu.common.conf
lxc.rootfs = /var/lib/lxc/test1/rootfs
lxc.mount = /var/lib/lxc/test1/fstab
lxc.utsname = test1
lxc.arch = amd64
EOM
lxc-start -n test1 -F --share-net 1 -- chfn -f 'test' root
lxc-start -n test1 -F --share-net 1 -- su -

Output:

# lxc-start -n test1 -F --share-net 1 -- chfn -f 'test' root
chfn: PAM: System error
lxc-start: lxc_start.c: main: 342 The container failed to start.
lxc-start: lxc_start.c: main: 346 Additional information can be obtained by setting the --logfile and --logpriority options.
# lxc-start -n test1 -F --share-net 1 -- su -
su: System error
lxc-start: lxc_start.c: main: 342 The container failed to start.
lxc-start: lxc_start.c: main: 346 Additional information can be obtained by setting the --logfile and --logpriority options.

Issues in Docker e.g. https://github.com/docker/docker/issues/6345
suggest it's because the AUDIT_WRITE capability is not being set, but it
doesn't seem to be the case here as LXC by default is doing subtractive
caps:

# lxc-info --name test1 -c lxc.cap.keep -c lxc.cap.drop
lxc.cap.keep =
lxc.cap.drop = sys_module
mac_admin
mac_override
sys_time

This issue also appears to have been found in LP: #1430891, but was
worked around rather than addressed.

Running without --share-net doesn't exhibit this problem.

** Affects: lxc (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1501959

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1501959/+subscriptions
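The following is an added diagnostic helper, not part of the bug report and not LXC's own code. It runs the two commands from the test case both with and without `--share-net 1`, captures the LXC debug log that the `lxc-start` error message points at (`--logfile` / `--logpriority`), and checks whether `audit_write` actually appears in the container's `lxc.cap.drop` list, which is the Docker-derived theory the report rules out. The container name `test1` comes from the report; the log path, the `DEBUG` log priority and the non-interactive `su - root -c true` stand-in for the report's `su -` are assumptions.

```shell
#!/bin/sh
# Added diagnostic helper, not part of the bug report or of LXC. It runs the
# two reported commands with and without --share-net, capturing the debug log
# that lxc-start's error message points at, and checks whether audit_write is
# among the container's dropped capabilities. NAME and LOG are assumptions.
NAME="${NAME:-test1}"
LOG="${LOG:-/tmp/lxc-${NAME}-debug.log}"

# Return 0 when captured command output contains the "System error" line
# that chfn and su print in the report ("chfn: PAM: System error",
# "su: System error").
is_pam_failure() {
    printf '%s\n' "$1" | grep -Eq '^[a-z]+: (PAM: )?System error$'
}

# Normalise `lxc-info -c lxc.cap.drop` output, whose values are printed one
# per line as in the report, into one space-separated list of dropped caps.
dropped_caps() {
    printf '%s\n' "$1" | sed -n '/^lxc\.cap\.drop *=/,$p' \
        | sed 's/^lxc\.cap\.drop *= *//' | tr '\n' ' ' | sed 's/ *$//'
}

# Return 0 when capability $2 is in the space-separated list $1.
cap_is_dropped() {
    case " $1 " in *" $2 "*) return 0 ;; esac
    return 1
}

# Run one command in the foreground container; $1 is the --share-net value
# ("1" = share pid 1's network namespace, as in the report) or empty for a
# private network namespace. The LXC debug log is written to $LOG.
run_case() {
    share="$1"; shift
    if [ -n "$share" ]; then
        lxc-start -n "$NAME" -F --share-net "$share" \
            --logfile "$LOG" --logpriority DEBUG -- "$@" 2>&1
    else
        lxc-start -n "$NAME" -F --logfile "$LOG" --logpriority DEBUG -- "$@" 2>&1
    fi
}

# Print the capability check, then one verdict line per (configuration, command).
repro() {
    caps=$(dropped_caps "$(lxc-info --name "$NAME" -c lxc.cap.drop)")
    if cap_is_dropped "$caps" audit_write; then
        echo "audit_write IS dropped (lxc.cap.drop = $caps)"
    else
        echo "audit_write is not dropped (lxc.cap.drop = $caps)"
    fi
    for share in "" 1; do
        label="share-net=${share:-none}"
        # chfn -f 'test' root, as in the report.
        out=$(run_case "$share" chfn -f test root </dev/null)
        if is_pam_failure "$out"; then echo "$label: chfn -> PAM failure"; else echo "$label: chfn -> ok"; fi
        # Non-interactive stand-in for the report's `su -` (assumption).
        out=$(run_case "$share" su - root -c true </dev/null)
        if is_pam_failure "$out"; then echo "$label: su -> PAM failure"; else echo "$label: su -> ok"; fi
    done
    echo "LXC debug log: $LOG"
}

# Only run the reproduction when invoked as `sh repro.sh run`, so the helper
# functions can be sourced or checked without an LXC host.
case "${1:-}" in run) repro ;; esac
```

Run it as root on the trusty host with `sh repro.sh run` after creating the container as in the test case; on the reported setup the `share-net=1` lines should show the PAM failure while the `share-net=none` lines show `ok`, and the debug log then holds whatever `lxc-start` logged around the failed exec.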

