Re: [systemd-devel] I want to run systemd inside of a locked down base docker container

Wed, 10 Feb 2016 10:42:12 -0800 

On Wed, 10.02.16 10:22, Ranjib Dey ([email protected]) wrote:

> Docker(ls -alh)
> 
> crw-------  1 root root 136,   9 Feb 10 18:20 console
> lrwxrwxrwx  1 root root       13 Feb 10 18:20 fd -> /proc/self/fd
> crw-rw-rw-  1 root root   1,   7 Feb 10 18:20 full
> c---------  1 root root  10, 229 Feb 10 18:20 fuse
> lrwxrwxrwx  1 root root       11 Feb 10 18:20 kcore -> /proc/kcore
> drwxrwxrwt  2 root root       40 Oct 30 08:01 mqueue
> crw-rw-rw-  1 root root   1,   3 Feb 10 18:20 null
> lrwxrwxrwx  1 root root        8 Feb 10 18:20 ptmx -> pts/ptmx
> drwxr-xr-x  2 root root        0 Feb 10 18:20 pts
> crw-rw-rw-  1 root root   1,   8 Feb 10 18:20 random
> drwxrwxrwt  2 root root       40 Feb 10 18:20 shm
> lrwxrwxrwx  1 root root       15 Feb 10 18:20 stderr -> /proc/self/fd/2
> lrwxrwxrwx  1 root root       15 Feb 10 18:20 stdin -> /proc/self/fd/0
> lrwxrwxrwx  1 root root       15 Feb 10 18:20 stdout -> /proc/self/fd/1
> crw-rw-rw-  1 root root   5,   0 Feb 10 18:20 tty
> crw-rw-rw-  1 root root   1,   9 Feb 10 18:20 urandom
> crw-rw-rw-  1 root root   1,   5 Feb 10 18:20 zero

This looks pretty OK actually. With this setup (i.e. where /dev/tty0
does not exist) it seems entirely unnnecessary to mask the getty
services or anything, as they contain a  condition (as mentioned) that
skips them if this device node does not exist.

> LXC (ls -alh /dev)
> crw-rw----  1 root   tty     136, 18 Feb 10 07:15 console
> lrwxrwxrwx  1 root   root         11 Feb 10 07:15 core -> /proc/kcore
> lrwxrwxrwx  1 root   root         13 Feb 10 07:15 fd -> /proc/self/fd
> crw-rw-rw-  1 nobody nogroup   1,  7 Feb  9 08:32 full
> srw-rw-rw-  1 root   root          0 Feb 10 07:15 log
> drwxrwxrwt  2 nobody nogroup      40 Feb 10 07:15 mqueue
> drwxr-xr-x  2 root   root         40 Feb 10 07:15 net
> crw-rw-rw-  1 nobody nogroup   1,  3 Feb  9 08:32 null
> lrwxrwxrwx  1 root   root         13 Feb 10 07:15 ptmx -> /dev/pts/ptmx
> drwxr-xr-x  2 nobody nogroup       0 Feb 10 07:15 pts
> lrwxrwxrwx  1 root   root          4 Feb 10 07:15 ram -> ram1
> crw-rw-rw-  1 nobody nogroup   1,  8 Feb  9 08:32 random
> lrwxrwxrwx  1 root   root          8 Feb 10 07:15 shm -> /run/shm

this looks wrong...

> lrwxrwxrwx  1 root   root          4 Feb 10 07:15 stderr -> fd/2
> lrwxrwxrwx  1 root   root          4 Feb 10 07:15 stdin -> fd/0
> lrwxrwxrwx  1 root   root          4 Feb 10 07:15 stdout -> fd/1
> crw-rw-rw-  1 nobody nogroup   5,  0 Feb 10 18:17 tty
> crw-rw----  1 root   tty     136,  0 Feb 10 07:15 tty1
> crw-rw----  1 root   tty     136,  1 Feb 10 07:15 tty2
> crw-rw----  1 root   tty     136,  2 Feb 10 07:15 tty3
> crw-rw----  1 root   tty     136,  3 Feb 10 07:15 tty4

Urks. This looks super wrong. A container has no VC subsystem, and
these devices really shouldn't exist there. /dev/tty1, /dev/tty2 and
so on are the interface to the Linux kernel VC subsystem, and nothing else.

> drwxr-xr-x  3 root   root         60 Feb 10 07:15 .udev

Wut? where does this come from? the last time udev used that directory
was 4 years ago or so...

Lennart

-- 
Lennart Poettering, Red Hat
_______________________________________________
systemd-devel mailing list
[email protected]
https://lists.freedesktop.org/mailman/listinfo/systemd-devel

Reply via email to