
touch-packages team mailing list archive

[Bug 1253669] Re: unable to launch lxc application containers when dropping cap_sysadmin

 

** Changed in: lxc (Ubuntu Precise)
       Status: New => Won't Fix

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1253669

Title:
  unable to launch lxc application containers when dropping cap_sysadmin

Status in lxc package in Ubuntu:
  Fix Released
Status in lxc source package in Precise:
  Won't Fix
Status in lxc source package in Quantal:
  Won't Fix
Status in lxc source package in Raring:
  Won't Fix
Status in lxc source package in Saucy:
  Won't Fix

Bug description:
  ========================================
  SRU Justification
  1. Impact: cannot lxc-execute a container without cap_sys_admin
  2. Development fix: don't fail if lxc-init cannot mount /proc
  3. Stable fix: same as development fix.
  4. Test case:
     sudo lxc-create -t ubuntu-cloud -n c1
     sudo lxc-start -n c1
         (log in)
         sudo apt-get -y install --no-install-recommends lxc
         sudo poweroff
     sudo lxc-execute -n c1 -s lxc.cap.drop=sys_admin /bin/bash
  5. Regression potential: none
  ========================================

  Using the 0.8.0~rc1 lxc release, it was possible to start an
  application container with the lxc.cap.drop=sys_admin option
  (# lxc-execute -n foo -s lxc.cap.drop=sys_admin -- /bin/bash). Since the
  new 1.0.0~alpha1 release, this is not possible anymore; the application
  immediately crashes upon being called by lxc-init, thus killing the
  container. When any other capability (or combination of capabilities)
  is dropped, the container still starts up; only dropping
  cap_sys_admin results in an error.

  I've attached the debug output of
  # lxc-execute -o foo -l DEBUG -n foo -s lxc.cap.drop=sys_admin -- /bin/bash
  for reference.

  Release: 12.04.3 with HWE, Kernel 3.8.0-32-generic #47~precise1-Ubuntu SMP Wed Oct 2 16:19:35 UTC 2013 x86_64
  LXC version: 1.0.0~alpha1-0ubuntu13~ubuntu12.04.1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1253669/+subscriptions
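
A check that can be run in the shell started by the test case above to confirm that cap_sys_admin really is absent. This is an added example, not part of the bug report or of lxc; the function names are made up here, and it assumes CAP_SYS_ADMIN is capability number 21 as defined in linux/capability.h.

```shell
#!/bin/sh
# Added example, not lxc code. Function names are hypothetical.
# CAP_SYS_ADMIN is capability number 21 in <linux/capability.h>.
CAP_SYS_ADMIN_BIT=21

# cap_field FIELD [STATUS_FILE]: print the hex mask of a Cap* line
# (CapInh, CapPrm, CapEff, CapBnd) from a /proc/<pid>/status style file.
cap_field() {
    awk -v f="$1:" '$1 == f { print $2 }' "${2:-/proc/self/status}"
}

# mask_has_bit HEXMASK BIT: succeed if the given bit is set in the mask.
mask_has_bit() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# sys_admin_dropped [STATUS_FILE]: return 0 only if CAP_SYS_ADMIN is absent
# from both the effective and the bounding set, 1 if it is still present,
# 2 if a field is missing and no decision can be made.
sys_admin_dropped() {
    for field in CapEff CapBnd; do
        mask=$(cap_field "$field" "${1:-/proc/self/status}")
        [ -n "$mask" ] || return 2
        if mask_has_bit "$mask" "$CAP_SYS_ADMIN_BIT"; then
            return 1
        fi
    done
    return 0
}

# Constructed sample: status lines with bit 21 cleared in both sets.
sample=$(mktemp)
printf 'CapEff:\t0000003fffdfffff\nCapBnd:\t0000003fffdfffff\n' > "$sample"
if sys_admin_dropped "$sample"; then
    echo "sample: cap_sys_admin dropped"
fi
rm -f "$sample"
```

Inside the container, calling `sys_admin_dropped` with no argument reads /proc/self/status of the current shell.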