[pkg-lxc-devel] Bug#987293: lxc: unprivileged containers don't have permission to access their configuration files
Celejar
celejar at gmail.com
Tue Apr 20 23:27:28 BST 2021
Package: lxc
Version: 1:4.0.6-1
Severity: normal
The default location for the configuration files of unprivileged
containers created by non-root users seems to be $HOME/.local/share, but
such containers will fail to start, since they don't have permission to
access that directory, which isn't world accessible.
On this Sid system, $HOME and $HOME/.local are 755, but
$HOME/.local/share is 700. On a Buster system of mine, $HOME is 755, but
the other two are only 700. On both these systems, starting unprivileged
containers fails with something like:
lxc-start: my-container: start.c: print_top_failing_dir: 125 Permission denied - Could not access /home/username/.local/share. Please grant it x access, or add an ACL for the container root
lxc-start: my-container: sync.c: __sync_wait: 62 An error occurred in another process (expected sequence number 3)
lxc-start: my-container: start.c: __lxc_start: 1951 Failed to spawn container "my-container"
lxc-start: my-container: tools/lxc_start.c: main: 330 The container failed to start
lxc-start: my-container: tools/lxc_start.c: main: 336 Additional information can be obtained by setting the --logfile and --logpriority options
The solution is obviously to grant the appropriate permissions, but I
think this should be handled automatically by the system, or at the very
least, documentation should be added explaining the issue, instead of
requiring users to figure this out on their own.
Here's a suggestion for a paragraph to be added to the "Unprivileged
containers" section of README.Debian:
*****
Unprivileged containers started by non-root users store their
configuration in ~/.local/share, and so must have permission to
access that directory. This can be granted via a command like (assuming
the acl package is installed):
setfacl --modify user:nnnnnnnn:x . .local .local/share
where nnnnnnnn is the subuid mapped to 0 in
~/.config/lxc/default.conf
*****
-- System Information:
Debian Release: 11.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.10.0-6-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages lxc depends on:
ii bridge-utils 1.7-1
ii debconf [debconf-2.0] 1.5.76
ii dnsmasq-base [dnsmasq-base] 2.85-1
ii iproute2 5.10.0-4
ii iptables 1.8.7-1
ii libc6 2.31-11
ii libcap2 1:2.44-1
ii libgcc-s1 10.2.1-6
ii liblxc1 1:4.0.6-1
ii libseccomp2 2.5.1-1
ii libselinux1 3.1-3
ii lsb-base 11.1.0
Versions of packages lxc recommends:
ii apparmor 2.13.6-10
ii debootstrap 1.0.123
ii dirmngr 2.2.27-1
ii gnupg 2.2.27-1
pn libpam-cgfs <none>
ii lxc-templates 3.0.4-5
pn lxcfs <none>
ii openssl 1.1.1k-1
ii rsync 3.2.3-4
ii uidmap 1:4.8.1-1
ii wget 1.21-1+b1
Versions of packages lxc suggests:
ii btrfs-progs 5.10.1-1
ii lvm2 2.03.11-2.1
pn python3-lxc <none>
-- debconf information:
lxc/auto_update_config:
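An added example, not part of this bug report or of the lxc package: a small POSIX shell script that does the manual step the report describes. It reads the host uid mapped to container uid 0 from the `lxc.idmap` (or older `lxc.id_map`) lines of a config file, lists every directory from $HOME down to the container storage directory, and prints (optionally runs) the `setfacl --modify user:UID:x ...` command that grants traverse access on each of them. The config path, the `u 0 100000 65536` mapping and the directory tree in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report or the lxc package): grant the
# host uid that an unprivileged container maps to uid 0 traverse (x)
# access on every directory between $HOME and the container directory.
set -eu

# Print the host uid mapped to container uid 0 from an lxc config file.
# Recognises "lxc.idmap = u 0 100000 65536" and the older "lxc.id_map".
# Prints nothing if no user mapping covers uid 0.
root_host_uid() {
    awk '
        /^[[:space:]]*lxc\.id_?map[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, "")   # keep: type cstart hstart range
            if ($1 == "u" && $2 + 0 <= 0 && 0 < $2 + $4) {
                print $3 + (0 - $2)          # host uid for container uid 0
                exit
            }
        }' "$1"
}

# Print, on one line, the directories from root_dir down to target
# (both inclusive) that the mapped uid must be able to traverse.
# Fails if target is not below root_dir.
dir_chain() {
    root_dir="$1"; target="$2"
    p="$target"; chain=""
    while :; do
        chain="$p${chain:+ $chain}"          # prepend, deepest dir last
        [ "$p" = "$root_dir" ] && break
        [ "$p" = "/" ] && return 1           # ran off the top without a match
        p=$(dirname "$p")
    done
    printf '%s\n' "$chain"
}

# Print the setfacl command for the chain; execute it only when apply=1.
# Only x (search) is granted, which is what lxc-start asks for in the
# "Please grant it x access" message; no read access to $HOME is given.
grant_traverse() {
    uid="$1"; root_dir="$2"; target="$3"; apply="${4:-0}"
    dirs=$(dir_chain "$root_dir" "$target") || return 1
    printf 'setfacl --modify user:%s:x %s\n' "$uid" "$dirs"
    if [ "$apply" = 1 ]; then
        # shellcheck disable=SC2086   # word-splitting on $dirs is intended
        setfacl --modify "user:$uid:x" $dirs
    fi
}

# Demo on a constructed config and directory tree; nothing is applied.
demo() {
    tmp=$(mktemp -d)
    printf 'lxc.idmap = u 0 100000 65536\nlxc.idmap = g 0 100000 65536\n' \
        > "$tmp/default.conf"
    mkdir -p "$tmp/home/.local/share/lxc"
    grant_traverse "$(root_host_uid "$tmp/default.conf")" \
        "$tmp/home" "$tmp/home/.local/share"
    rm -rf "$tmp"
}
demo
```

On a real system the call would be `grant_traverse "$(root_host_uid ~/.config/lxc/default.conf)" "$HOME" "$HOME/.local/share" 1`; `getfacl ~/.local/share` afterwards should list a `user:100000:--x` entry (with whatever uid the mapping actually starts at). The ACL is deliberately limited to the search bit, so the container root can reach its own directory without being able to list or read the rest of the home directory.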