This is expected. lxc-execute allows you to run commands without a rootfs. Other isolation mechanisms are still available. Say, you have sub{u,g}ids defined and you want to run a shell in a set of new namespaces including user namespaces you can do:

    sudo lxc-execute -n ns1 -l debug -o AAA -s "lxc.id_map = u 0 165536 65536" -s "lxc.id_map = g 0 165536 65536" -- bash

Which in the host's process tree shows up as:

    root     21209  0.0  0.0  56916  3840 pts/14   S+   12:22   0:00  \_ sudo lxc-execute -n ns1 -s lxc.id_map = u 0 165536 65536 -s lxc.id_map = g 0 165536 65536 -- bash
    root     21210  0.0  0.0  46264  4552 pts/14   S+   12:22   0:00      \_ lxc-execute -n ns1 -s lxc.id_map = u 0 165536 65536 -s lxc.id_map = g 0 165536 65536 -- bash
    165536   21212  0.0  0.0  46140  4192 ?        Ss   12:22   0:00          \_ /usr/sbin/init.lxc --name ns1 --lxcpath /var/lib/lxc --logpriority ERROR -- bash
    165536   21246  0.0  0.0  18348  3236 ?        S    12:22   0:00              \_ bash

And as you can see the {u,g}ids are mapped. And looking at the log I appended you can see that other isolation mechanisms are still in place. So not a bug.

** Attachment added: "AAA"
   https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1680330/+attachment/4856068/+files/AAA

** Changed in: lxc (Ubuntu)
       Status: New => Invalid

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1680330

Title:
  lxc-execute can run commands in current namespace

Status in lxc package in Ubuntu:
  Invalid

Bug description:
  If lxc-execute is passed a non-existent container name, then the command given is run in the current namespace. I believe it should fail with a "container not found" error, as otherwise it can lead to unexpected consequences in the host environment.

  example:

  # lxc-ls
  files foreman ns01 proxy

  ## Example typo on the -n option
  # lxc-execute -n ns1 -- touch /tmp/ns01

  # ls -l /tmp/ns01
  -rw-r--r-- 1 root root 0 Apr 6 16:07 /tmp/ns01
  ## Command ran outside of container!

  # cat /etc/lsb-release
  DISTRIB_ID=Ubuntu
  DISTRIB_RELEASE=16.10
  DISTRIB_CODENAME=yakkety
  DISTRIB_DESCRIPTION="Ubuntu 16.10"
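
For operators who want a mistyped -n to fail instead of starting a rootfs-less container, a wrapper can check that the container is defined before calling lxc-execute. This is an added example, not code from the bug thread or the LXC project; the names guarded_lxc_execute, container_defined, LXC_EXECUTE and LXC_PATH are hypothetical, and it assumes a defined container has a config file at <lxcpath>/<name>/config.

```shell
#!/bin/sh
# Added example: refuse to run lxc-execute for a container that is not defined.
# Assumption: containers live under an lxcpath (default /var/lib/lxc, as in the
# process listing above) and a defined container has <lxcpath>/<name>/config.

LXC_EXECUTE=${LXC_EXECUTE:-lxc-execute}   # hypothetical override, used for testing

# Return 0 only if NAME is a plain directory name with a config under LXCPATH.
container_defined() {
    name=$1; lxcpath=$2
    case $name in
        ''|*/*|.|..) return 1 ;;          # reject empty names and path components
    esac
    [ -f "$lxcpath/$name/config" ]
}

# Read -n/--name and -P/--lxcpath from an lxc-execute command line, then run it
# only if that container is defined. Forms this parser does not recognise
# (for example -nNAME) leave the name empty, so the call is refused.
guarded_lxc_execute() {
    name=''; lxcpath=${LXC_PATH:-/var/lib/lxc}; prev=''
    for arg in "$@"; do
        case $prev in
            -n|--name)    name=$arg ;;
            -P|--lxcpath) lxcpath=$arg ;;
        esac
        case $arg in
            --)           break ;;        # everything after -- is the command
            --name=*)     name=${arg#--name=} ;;
            --lxcpath=*)  lxcpath=${arg#--lxcpath=} ;;
        esac
        prev=$arg
    done
    if ! container_defined "$name" "$lxcpath"; then
        echo "refusing: container '$name' is not defined in $lxcpath" >&2
        return 64
    fi
    "$LXC_EXECUTE" "$@"
}
```

With this in place, the typo from the bug description (`-n ns1` for `ns01`) returns 64 and the command after `--` never runs.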