[pkg-lxc-devel] Bug#857295: Bug#857295: Bug#857295: Info received ([oss-security] LXC: CVE-2017-5985: lxc-user-nic didn't verify network namespace ownership)

Evgeni Golov evgeni at debian.org
Sun Mar 26 10:17:54 UTC 2017


Hi Stiepan,

On Fri, Mar 24, 2017 at 10:51:24AM -0400, Stiepan wrote:

> Using a bridge set up with libvirt (as in http://wiki.libvirt.org/page/Networking#NAT_forwarding_.28aka_.22virtual_networks.22.29) doesn't work.

Is that what the libvirt package does on Debian out-of-the-box?
If so it works just fine for me on my laptop where I put the containers on the vibr0 created by libvirt.

> Neither does using a bridge set up as indicated in https://wiki.debian.org/LXC/SimpleBridge#Using_lxc-net (causes the same errors as with libvirt).

So I just fired a fresh jessie+backports Vagrant box and it worked fine (incl network in the container):

$ vagrant init debian/jessie64
$ vagrant up
$ vagrant ssh

vagrant at jessie:~$ sudo nano /etc/apt/sources.list
deb http://httpredir.debian.org/debian jessie-backports main

vagrant at jessie:~$ sudo apt update

vagrant at jessie:~$ sudo apt install lxc/jessie-backports lxcfs

vagrant at jessie:~$ sudo nano /etc/default/lxc-net
USE_LXC_BRIDGE="true"

vagrant at jessie:~$ systemctl enable lxc-net
vagrant at jessie:~$ systemctl restart lxc-net

vagrant at jessie:~$ ip a s dev lxcbr0
3: lxcbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 00:16:3e:00:00:00 brd ff:ff:ff:ff:ff:ff
    inet 10.0.3.1/24 scope global lxcbr0
       valid_lft forever preferred_lft forever

vagrant at jessie:~$ sudo sysctl -w kernel.unprivileged_userns_clone=1

vagrant at jessie:~$ exit # needed to trigger lxcfs' PAM module

$ vagrant ssh

vagrant at jessie:~$ cat /proc/self/cgroup 
8:perf_event:/
7:blkio:/
6:net_cls,net_prio:/
5:freezer:/user/vagrant/0
4:devices:/
3:cpu,cpuacct:/
2:cpuset:/
1:name=systemd:/user/vagrant/0

vagrant at jessie:~$ mkdir ~/.config/lxc/ -p

vagrant at jessie:~$ nano ~/.config/lxc/default.conf 
lxc.include = /etc/lxc/default.conf
lxc.id_map = u 0 624288 65536
lxc.id_map = g 0 624288 65536

vagrant at jessie:~$ sudo nano /etc/lxc/lxc-usernet
vagrant veth lxcbr0 10

vagrant at jessie:~$ lxc-create -n jessie -t download -- -d debian -r jessie -a amd64

vagrant at jessie:~$ nano .local/share/lxc/jessie/config 
lxc.network.type=veth
lxc.network.flags=up
lxc.network.link=lxcbr0

vagrant at jessie:~$ lxc-start -n jessie
vagrant at jessie:~$ lxc-ls -f
NAME   STATE   AUTOSTART GROUPS IPV4 IPV6 
jessie RUNNING 0         -      -    -    


> Using a classical / "plain old" / you-name-it bridge, set up as in http://wiki.libvirt.org/page/Networking#Altering_the_interface_config, does work.

I don't see any technical difference between the plain br0 setup with this link and the ones created by lxc-net or libvirt.
Can you point them out please?

> By the way, the lxc_delete_network:3028... additional error I was seeing pops up only when /etc/lxc/lxc-usernet is still set to use br0, whilst the LXC container is 
> set to use virbr0 and hence can be ignored, sorry about that. When properly configured (i.e. when both are configured to use virbr0, or lxcbr0), container startup 
> simply fails with a "Failed to create the configured network" error, but still fails, whereas when using classical br0, it works.

Can you please provide the steps how to setup your setup from a plain jessie or stretch image?

> So, if your bridge is set up as suggested in https://wiki.debian.org/BridgeNetworkConnections' Manual bridge setup section, using either brctl or 
> /etc/network/interfaces (for a persistent config), we have the same configuration and it works, which is fine. Still, I thought that LXC enabled using lxcbr0 bridges 
> in user mode, as lxc-user-nic's man page suggests is possible. Can you confirm whether this is the case with the current version?

lxc-user-nic is to attach a user-namespace-nic to an existing bridge, you can't create a bridge with it.
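The mismatch described in the quoted report (lxc-usernet granting one bridge while the container config names another) is the kind of thing that is easy to check before starting the container. The script below is an added example, not code from this thread or from the LXC project; it assumes only the two file formats shown above (`user type bridge count` lines in lxc-usernet and `lxc.network.link=` in the container config) and builds its own constructed sample files.

```shell
#!/bin/sh
# Added example: verify that the bridge an unprivileged container asks for is
# one the user is granted veths on in lxc-usernet. A mismatch (grant for br0,
# container on virbr0) is what lxc-user-nic refuses, surfacing as
# "Failed to create the configured network".

# lxc_usernet_allows USER TYPE LINK USERNET_FILE
# Prints the granted count and returns 0 when a matching line exists;
# '#' comments and blank lines are ignored.
lxc_usernet_allows() {
    awk -v u="$1" -v t="$2" -v l="$3" '
        /^[ \t]*(#|$)/ { next }
        $1 == u && $2 == t && $3 == l && $4 > 0 { print $4; found = 1; exit }
        END { exit !found }' "$4"
}

# container_link CONFIG_FILE -> value of lxc.network.link, whitespace trimmed
# (trailing spaces like the ones in the thread's config are tolerated).
container_link() {
    sed -n 's/^[[:space:]]*lxc\.network\.link[[:space:]]*=[[:space:]]*//p' "$1" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# check_container_net USER CONFIG_FILE USERNET_FILE -> "ok <count>" | "denied <bridge>"
check_container_net() {
    link=$(container_link "$2")
    if n=$(lxc_usernet_allows "$1" veth "$link" "$3"); then
        echo "ok $n"
    else
        echo "denied $link"
    fi
}

# Constructed sample inputs modelled on the files in the thread.
tmp=$(mktemp -d)
printf '# per-user veth grants\nvagrant veth lxcbr0 10\n' > "$tmp/lxc-usernet"
printf 'lxc.network.type=veth\nlxc.network.flags=up\nlxc.network.link=lxcbr0 \n' > "$tmp/good.conf"
printf 'lxc.network.type=veth\nlxc.network.link=virbr0\n' > "$tmp/bad.conf"

check_container_net vagrant "$tmp/good.conf" "$tmp/lxc-usernet"   # ok 10
check_container_net vagrant "$tmp/bad.conf"  "$tmp/lxc-usernet"   # denied virbr0
```

Run it as the container owner against the real `~/.local/share/lxc/<name>/config` and `/etc/lxc/lxc-usernet` to confirm both point at the same bridge before `lxc-start`.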


