On Mi, 20.09.17 13:13, arnaud gaboury ([email protected]) wrote:

> For some reasons (custom kernel with user namespace activated) my
> container filesystem owners and permissions have lots of errors. In
> short, some files/folders belong to nobody/nobody when in fact they
> should be owned by root:root.

This is the result of user namespacing, and reflects the fact that these files in /proc are owned by the host's root, which is not available in the container, and ensures that the container doesn't get access to files in /proc that are unsafe to access from untrusted containers. If you invoke nspawn without --private-users= on the command line you can turn this off, but in that case the user tables between the host and the container are shared and thus things are a lot less secure.

> But I have a problem when it comes to upgrade (container is Fedora, host
> Arch) some packages, filesystem being one of them. To upgrade, the
> system needs access to /proc/filesystems which is unfortunately owned by
> nobody:nobody and can't be changed from host. And the proc folder is
> empty for the host, so I can't chown from host.

Hmm, read access should generally be available to /proc/filesystems. Are you saying that the container can't even read that file?

> How can I access (if I can) container /proc from host?
>
> In general, to solve this annoying owner issue in container
> (nobody:nobody), I was thinking of making root part of the nobody group. I
> know this is a hack, but are there any troubles down the road in doing this?

Let's just say that the user namespacing logic on Linux isn't really ready for the prime-time yet... (neither in the Linux kernel nor in nspawn).

Lennart

--
Lennart Poettering, Red Hat
_______________________________________________
systemd-devel mailing list
[email protected]
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
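The mechanism behind the nobody:nobody ownership discussed above, as an added example that is not part of the thread or of systemd-nspawn: the kernel translates file owners through the container's uid_map (one "inner outer count" line per range), and any host uid outside every range, such as host root owning /proc entries, is shown as the overflow uid. The map values below are constructed to resemble what --private-users=524288:65536 would set up.

```python
"""Model of how a user-namespaced container sees file owners.

/proc/<pid>/uid_map and gid_map hold lines of the form "inner outer count".
A host ("outer") id with no mapping is displayed as the kernel's overflow id
(/proc/sys/kernel/overflowuid, 65534 by default, i.e. "nobody").
Constructed example, not code from the systemd-devel thread or from nspawn.
"""

OVERFLOW_UID = 65534  # kernel default overflowuid; "nobody" on most distros


def parse_uid_map(text):
    """Parse uid_map/gid_map text into a list of (inner, outer, count)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        inner, outer, count = (int(field) for field in line.split())
        entries.append((inner, outer, count))
    return entries


def host_to_container(uid_map, host_uid):
    """Uid the container sees for a file owned by host_uid on the host.
    Ids outside every mapped range collapse to the overflow uid."""
    for inner, outer, count in uid_map:
        if outer <= host_uid < outer + count:
            return inner + (host_uid - outer)
    return OVERFLOW_UID


def container_to_host(uid_map, container_uid):
    """Reverse direction: host uid a container uid is stored as on disk.
    None means the container cannot own files as that uid at all."""
    for inner, outer, count in uid_map:
        if inner <= container_uid < inner + count:
            return outer + (container_uid - inner)
    return None


# Constructed map: container uids 0..65535 map to host uids 524288..589823,
# the shape nspawn produces for --private-users=524288:65536 (assumed base).
NSPAWN_MAP = parse_uid_map("0 524288 65536\n")

if __name__ == "__main__":
    # /proc entries are owned by host root (0), which lies outside the map.
    print("host root 0 ->", host_to_container(NSPAWN_MAP, 0))        # 65534
    print("host 524288 ->", host_to_container(NSPAWN_MAP, 524288))   # 0
```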
