
Bug#989750: unblock: lxc/1:4.0.6-2

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package lxc

LXC 4.0.6-1 suffers from many issues that, in my opinion, require an
update before the release of Bullseye to make our users more comfortable
using it.

 1. Running unprivileged containers until LXC4 was as simple as running
    the same LXC commands as a non-root user, or as root but with a
    container config mapping subuids/subgids. Since systemd migrated to
    a pure CGroupv2 hierarchy, there is a need for either a systemd
    service or a call to systemd-run as a user. This makes the whole
    less simple to use and understand for a user.

    I included two scripts to wrap these systemd-run calls and make the
    whole more usable. I linked their manpages to lxc-start and
    lxc-attach as the arguments are passed to these commands.
 2. Consequently, I wrote some more documentation in d/NEWS and
    d/README.Debian to help our users understand how to work with
    unprivileged containers as soon as they dist-upgrade.
 3. Historically, an lxc container had its /proc/sys/net writeable by
    root when /proc was mounted with the "mixed" option in the LXC
    configuration. Upstream broke that and fixed it recently in a commit
    on GitHub:
    https://github.com/lxc/lxc/commit/563ec46266b8967f0ee60e0032bbe66b3b37207c
    I imported that patch, as not having /proc/sys/net writeable will
    break things for our users.
 4. In lxc-net configuration, we added a comment to allow users to honor
    systemd's dnsmasq more easily if needed. As it's a comment, it has
    no impact.

Almost all these changes are in the debian/ directory and present no risk
at all of LXC malfunctioning. There is just the patch mentioned in 3,
which is imported from upstream and which changes the code. It has been
tested upstream and the code alteration is minimal.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

If you need any more intel, please do poke me!

I have not yet uploaded the changes to unstable, as I prefer waiting for
your feedback.

Thanks!

unblock lxc/1:4.0.6-2

diff -Nru lxc-4.0.6/debian/changelog lxc-4.0.6/debian/changelog
--- lxc-4.0.6/debian/changelog	2021-01-31 18:29:40.000000000 +0100
+++ lxc-4.0.6/debian/changelog	2021-06-11 21:43:41.000000000 +0200
@@ -1,3 +1,18 @@
+lxc (1:4.0.6-2) unstable; urgency=medium
+
+  * d/contrib/lxc-net: Add a commented dnsmasq reference for the users to be
+    able to use this configuration if needed.
+  * d/contrib/bin/lxc-unpriv-{start,attach} helper scripts to make
+    unprivileged containers easier to start manually
+  * d/README.Debian: Added some intel about how to handle properly
+    unprivileged containers and systemd user sessions, and potential
+    filesystem ACL issues/implications
+    (Closes: #989317, 987293)
+  * d/p/0007: Makes the containers able to have /proc/sys/net rw
+    (Closes: #981980)
+
+ -- Pierre-Elliott Bécue <peb@debian.org>  Fri, 11 Jun 2021 21:43:41 +0200
+
 lxc (1:4.0.6-1) unstable; urgency=medium
 
   * New upstream version 4.0.6
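Review bot: in the d/README.Debian changelog entry the second bug reference is written `987293` while the first is `#989317`; dpkg's changelog parser accepts the bare number, but write `(Closes: #989317, #987293)` so both references use the same form and tooling that looks for `#NNNNNN` sees both.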
diff -Nru lxc-4.0.6/debian/contrib/bin/lxc-unpriv-attach lxc-4.0.6/debian/contrib/bin/lxc-unpriv-attach
--- lxc-4.0.6/debian/contrib/bin/lxc-unpriv-attach	1970-01-01 01:00:00.000000000 +0100
+++ lxc-4.0.6/debian/contrib/bin/lxc-unpriv-attach	2021-06-11 21:25:58.000000000 +0200
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+if ! ps ux|grep "[s]ystemd --user" > /dev/null 2>&1; then
+    echo "Can't start an unprivileged container on a pure CGroups v2 host without a systemd user session running."
+    echo "If you are trying to get a non-interactive user to have unprivileged containers running, you need to"
+    echo "enable lingering sessions for that user, via loginctl enable-linger ${USER} as root."
+    exit 1
+fi
+
+export XDG_RUNTIME_DIR="/run/user/$UID"
+export DBUS_SESSION_BUS_ADDRESS="unix:path=${XDG_RUNTIME_DIR}/bus"
+
+/usr/bin/systemd-run --user --scope -p "Delegate=yes" /usr/bin/lxc-attach "$@"
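Review bot: the diagnostic in the if block says "Can't start an unprivileged container" although this helper wraps lxc-attach, not lxc-start; reword it to "Can't attach to an unprivileged container" so the message matches the command being run. On the last line, `exec /usr/bin/systemd-run --user --scope -p "Delegate=yes" /usr/bin/lxc-attach "$@"` would let signals and the exit status reach the caller without an intermediate bash process staying around for the whole attach session.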
diff -Nru lxc-4.0.6/debian/contrib/bin/lxc-unpriv-start lxc-4.0.6/debian/contrib/bin/lxc-unpriv-start
--- lxc-4.0.6/debian/contrib/bin/lxc-unpriv-start	1970-01-01 01:00:00.000000000 +0100
+++ lxc-4.0.6/debian/contrib/bin/lxc-unpriv-start	2021-06-11 21:25:42.000000000 +0200
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+if ! ps ux|grep "[s]ystemd --user" > /dev/null 2>&1; then
+    echo "Can't start an unprivileged container on a pure CGroups v2 host without a systemd user session running."
+    echo "If you are trying to get a non-interactive user to have unprivileged containers running, you need to"
+    echo "enable lingering sessions for that user, via loginctl enable-linger ${USER} as root."
+    exit 1
+fi
+
+export XDG_RUNTIME_DIR="/run/user/$UID"
+export DBUS_SESSION_BUS_ADDRESS="unix:path=${XDG_RUNTIME_DIR}/bus"
+
+/usr/bin/systemd-run --user --scope -p "Delegate=yes" /usr/bin/lxc-start "$@"
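Review bot: the two export lines unconditionally overwrite XDG_RUNTIME_DIR and DBUS_SESSION_BUS_ADDRESS even when the calling session already provides them (possibly with different values); prefer `: "${XDG_RUNTIME_DIR:=/run/user/$UID}"` and derive the bus address from that. The `ps ux | grep "[s]ystemd --user"` test is also a heuristic on process command lines; `systemctl --user is-system-running` (or checking for `$XDG_RUNTIME_DIR/systemd`) asks the user manager directly and fails in the same situation. Finally, apart from the trailing lxc-start/lxc-attach word this script is identical to lxc-unpriv-attach; a shared preamble or a single script dispatching on `basename "$0"` would keep the two from drifting apart.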
diff -Nru lxc-4.0.6/debian/contrib/lxc-net lxc-4.0.6/debian/contrib/lxc-net
--- lxc-4.0.6/debian/contrib/lxc-net	2021-01-31 18:29:40.000000000 +0100
+++ lxc-4.0.6/debian/contrib/lxc-net	2021-06-11 14:45:58.000000000 +0200
@@ -1 +1,4 @@
 USE_LXC_BRIDGE="true"
+
+# Honor system's dnsmasq configuration
+#LXC_DHCP_CONFILE=/etc/dnsmasq.conf
diff -Nru lxc-4.0.6/debian/lxc.install lxc-4.0.6/debian/lxc.install
--- lxc-4.0.6/debian/lxc.install	2021-01-31 18:29:40.000000000 +0100
+++ lxc-4.0.6/debian/lxc.install	2021-06-11 18:09:06.000000000 +0200
@@ -12,5 +12,7 @@
 usr/share/man
 var
 
-debian/contrib/default.conf etc/lxc/
-debian/contrib/lxc-net      etc/default/
+debian/contrib/default.conf              etc/lxc/
+debian/contrib/lxc-net                   etc/default/
+debian/contrib/bin/lxc-unpriv-start      usr/bin/
+debian/contrib/bin/lxc-unpriv-attach     usr/bin/
diff -Nru lxc-4.0.6/debian/lxc.links lxc-4.0.6/debian/lxc.links
--- lxc-4.0.6/debian/lxc.links	1970-01-01 01:00:00.000000000 +0100
+++ lxc-4.0.6/debian/lxc.links	2021-06-11 18:09:06.000000000 +0200
@@ -0,0 +1,2 @@
+usr/share/man/man1/lxc-attach.1.gz usr/share/man/man1/lxc-unpriv-attach.1.gz
+usr/share/man/man1/lxc-start.1.gz usr/share/man/man1/lxc-unpriv-start.1.gz
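Review bot: symlinking lxc-start.1.gz and lxc-attach.1.gz to the lxc-unpriv-* names means `man lxc-unpriv-start` documents lxc-start's options but says nothing about the wrapper's own behaviour (the systemd user-session requirement, the XDG_RUNTIME_DIR and DBUS_SESSION_BUS_ADDRESS it exports, exit status 1 when no session is found). Since the man page is where a user will look after seeing the wrapper's error, a short dedicated page, or at least a pointer to README.Debian, would be more accurate.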
diff -Nru lxc-4.0.6/debian/lxc.postinst lxc-4.0.6/debian/lxc.postinst
--- lxc-4.0.6/debian/lxc.postinst	2021-01-31 18:29:40.000000000 +0100
+++ lxc-4.0.6/debian/lxc.postinst	2021-06-11 14:45:58.000000000 +0200
@@ -17,7 +17,7 @@
     if [ -z "$2" ] || dpkg --compare-versions "$2" le "1:3.1.0+really3.0.3-2"; then
         if which apparmor_parser > /dev/null && [ -e /etc/apparmor.d/lxc-containers ]; then
             apparmor_parser -r -W -T /etc/apparmor.d/lxc-containers || \
-                echo "Failed to run 'apparmor_parser -rWT /etc/apparmor.d/lxc-containers'. You will probably need to runn it by hand at some point."
+                echo "Failed to run 'apparmor_parser -rWT /etc/apparmor.d/lxc-containers'. You will probably need to run it by hand at some point."
         fi
     fi
 }
diff -Nru lxc-4.0.6/debian/NEWS lxc-4.0.6/debian/NEWS
--- lxc-4.0.6/debian/NEWS	2021-01-31 18:29:40.000000000 +0100
+++ lxc-4.0.6/debian/NEWS	2021-06-11 21:43:27.000000000 +0200
@@ -1,3 +1,11 @@
+lxc (1:4.0.6-2) unstable; urgency=medium
+
+  * A new way of handling unprivileged containers starting and attachment has
+    been made available through the lxc-unpriv-start and lxc-unpriv-attach
+    commands. See /usr/share/doc/lxc/README.Debian.gz for more details.
+
+ -- Pierre-Elliott Bécue <peb@debian.org>  Fri, 11 Jun 2021 15:12:15 +0200
+
 lxc (1:4.0.2-1~1) experimental; urgency=medium
 
   Major changes in the Debian packaging:
diff -Nru lxc-4.0.6/debian/patches/0007-conf-fix-containers-retaining-CAP_NET_ADMIN.patch lxc-4.0.6/debian/patches/0007-conf-fix-containers-retaining-CAP_NET_ADMIN.patch
--- lxc-4.0.6/debian/patches/0007-conf-fix-containers-retaining-CAP_NET_ADMIN.patch	1970-01-01 01:00:00.000000000 +0100
+++ lxc-4.0.6/debian/patches/0007-conf-fix-containers-retaining-CAP_NET_ADMIN.patch	2021-06-11 18:27:18.000000000 +0200
@@ -0,0 +1,88 @@
+From: =?utf-8?q?Pierre-Elliott_B=C3=A9cue?= <peb@debian.org>
+Date: Fri, 11 Jun 2021 18:26:25 +0200
+Subject: conf: fix containers retaining CAP_NET_ADMIN
+
+Historically, /proc/sys/net is rw when proc:mixed is used as a proc
+mount parameter. This was broken somewhere in lxc 4, and this patch
+fixed it.
+---
+ src/lxc/cgroups/cgfsng.c |  2 +-
+ src/lxc/conf.c           | 34 +++++++++++++++++-----------------
+ src/lxc/conf.h           |  4 ++--
+ 3 files changed, 20 insertions(+), 20 deletions(-)
+
+diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c
+index 303c2f6..acc64a7 100644
+--- a/src/lxc/cgroups/cgfsng.c
++++ b/src/lxc/cgroups/cgfsng.c
+@@ -1831,7 +1831,7 @@ __cgfsng_ops static bool cgfsng_mount(struct cgroup_ops *ops,
+ 	}
+ 
+ 	if (!wants_force_mount) {
+-		wants_force_mount = lxc_wants_cap(CAP_SYS_ADMIN, handler->conf);
++		wants_force_mount = !lxc_wants_cap(CAP_SYS_ADMIN, handler->conf);
+ 
+ 		/*
+ 		 * Most recent distro versions currently have init system that
+diff --git a/src/lxc/conf.c b/src/lxc/conf.c
+index ae49725..d9217a6 100644
+--- a/src/lxc/conf.c
++++ b/src/lxc/conf.c
+@@ -620,24 +620,24 @@ static int lxc_mount_auto_mounts(struct lxc_conf *conf, int flags, struct lxc_ha
+ 		 * it's busy...  MS_REMOUNT|MS_BIND|MS_RDONLY seems to work for
+ 		 * kernels as low as 2.6.32...
+ 		 */
+-		{ LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "proc",                                           "%r/proc",                    "proc",  MS_NODEV|MS_NOEXEC|MS_NOSUID,                    NULL, 0 },
++		{ LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "proc",                                           "%r/proc",                    "proc",  MS_NODEV|MS_NOEXEC|MS_NOSUID,                    NULL, false },
+ 		/* proc/tty is used as a temporary placeholder for proc/sys/net which we'll move back in a few steps */
+-		{ LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/sys/net",                                "%r/proc/tty",                NULL,    MS_BIND,                                         NULL, 1 },
+-		{ LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/sys",                                    "%r/proc/sys",                NULL,    MS_BIND,                                         NULL, 0 },
+-		{ LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, NULL,                                             "%r/proc/sys",                NULL,    MS_REMOUNT|MS_BIND|MS_RDONLY,                    NULL, 0 },
+-		{ LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/tty",                                    "%r/proc/sys/net",            NULL,    MS_MOVE,                                         NULL, 1 },
+-		{ LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/sysrq-trigger",                          "%r/proc/sysrq-trigger",      NULL,    MS_BIND,                                         NULL, 0 },
+-		{ LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, NULL,                                             "%r/proc/sysrq-trigger",      NULL,    MS_REMOUNT|MS_BIND|MS_RDONLY,                    NULL, 0 },
+-		{ LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_RW,    "proc",                                           "%r/proc",                    "proc",  MS_NODEV|MS_NOEXEC|MS_NOSUID,                    NULL, 0 },
+-		{ LXC_AUTO_SYS_MASK,  LXC_AUTO_SYS_RW,     "sysfs",                                          "%r/sys",                     "sysfs", 0,                                               NULL, 0 },
+-		{ LXC_AUTO_SYS_MASK,  LXC_AUTO_SYS_RO,     "sysfs",                                          "%r/sys",                     "sysfs", MS_RDONLY,                                       NULL, 0 },
+-		{ LXC_AUTO_SYS_MASK,  LXC_AUTO_SYS_MIXED,  "sysfs",                                          "%r/sys",                     "sysfs", MS_NODEV|MS_NOEXEC|MS_NOSUID,                    NULL, 0 },
+-		{ LXC_AUTO_SYS_MASK,  LXC_AUTO_SYS_MIXED,  "%r/sys",                                         "%r/sys",                     NULL,    MS_BIND,                                         NULL, 0 },
+-		{ LXC_AUTO_SYS_MASK,  LXC_AUTO_SYS_MIXED,  NULL,                                             "%r/sys",                     NULL,    MS_REMOUNT|MS_BIND|MS_RDONLY,                    NULL, 0 },
+-		{ LXC_AUTO_SYS_MASK,  LXC_AUTO_SYS_MIXED,  "sysfs",                                          "%r/sys/devices/virtual/net", "sysfs", 0,                                               NULL, 0 },
+-		{ LXC_AUTO_SYS_MASK,  LXC_AUTO_SYS_MIXED,  "%r/sys/devices/virtual/net/devices/virtual/net", "%r/sys/devices/virtual/net", NULL,    MS_BIND,                                         NULL, 0 },
+-		{ LXC_AUTO_SYS_MASK,  LXC_AUTO_SYS_MIXED,  NULL,                                             "%r/sys/devices/virtual/net", NULL,    MS_REMOUNT|MS_BIND|MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL, 0 },
+-		{ 0,                  0,                   NULL,                                             NULL,                         NULL,    0,                                               NULL, 0 }
++		{ LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/sys/net",                                "%r/proc/tty",                NULL,    MS_BIND,                                         NULL, true	 },
++		{ LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/sys",                                    "%r/proc/sys",                NULL,    MS_BIND,                                         NULL, false },
++		{ LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, NULL,                                             "%r/proc/sys",                NULL,    MS_REMOUNT|MS_BIND|MS_RDONLY,                    NULL, false },
++		{ LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/tty",                                    "%r/proc/sys/net",            NULL,    MS_MOVE,                                         NULL, true  },
++		{ LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/sysrq-trigger",                          "%r/proc/sysrq-trigger",      NULL,    MS_BIND,                                         NULL, false },
++		{ LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, NULL,                                             "%r/proc/sysrq-trigger",      NULL,    MS_REMOUNT|MS_BIND|MS_RDONLY,                    NULL, false },
++		{ LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_RW,    "proc",                                           "%r/proc",                    "proc",  MS_NODEV|MS_NOEXEC|MS_NOSUID,                    NULL, false },
++		{ LXC_AUTO_SYS_MASK,  LXC_AUTO_SYS_RW,     "sysfs",                                          "%r/sys",                     "sysfs", 0,                                               NULL, false },
++		{ LXC_AUTO_SYS_MASK,  LXC_AUTO_SYS_RO,     "sysfs",                                          "%r/sys",                     "sysfs", MS_RDONLY,                                       NULL, false },
++		{ LXC_AUTO_SYS_MASK,  LXC_AUTO_SYS_MIXED,  "sysfs",                                          "%r/sys",                     "sysfs", MS_NODEV|MS_NOEXEC|MS_NOSUID,                    NULL, false },
++		{ LXC_AUTO_SYS_MASK,  LXC_AUTO_SYS_MIXED,  "%r/sys",                                         "%r/sys",                     NULL,    MS_BIND,                                         NULL, false },
++		{ LXC_AUTO_SYS_MASK,  LXC_AUTO_SYS_MIXED,  NULL,                                             "%r/sys",                     NULL,    MS_REMOUNT|MS_BIND|MS_RDONLY,                    NULL, false },
++		{ LXC_AUTO_SYS_MASK,  LXC_AUTO_SYS_MIXED,  "sysfs",                                          "%r/sys/devices/virtual/net", "sysfs", 0,                                               NULL, false },
++		{ LXC_AUTO_SYS_MASK,  LXC_AUTO_SYS_MIXED,  "%r/sys/devices/virtual/net/devices/virtual/net", "%r/sys/devices/virtual/net", NULL,    MS_BIND,                                         NULL, false },
++		{ LXC_AUTO_SYS_MASK,  LXC_AUTO_SYS_MIXED,  NULL,                                             "%r/sys/devices/virtual/net", NULL,    MS_REMOUNT|MS_BIND|MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL, false },
++		{ 0,                  0,                   NULL,                                             NULL,                         NULL,    0,                                               NULL, false }
+ 	};
+ 
+         bool has_cap_net_admin = lxc_wants_cap(CAP_NET_ADMIN, conf);
+diff --git a/src/lxc/conf.h b/src/lxc/conf.h
+index 664533b..28b679f 100644
+--- a/src/lxc/conf.h
++++ b/src/lxc/conf.h
+@@ -509,9 +509,9 @@ static inline bool lxc_wants_cap(int cap, struct lxc_conf *conf)
+ 		return false;
+ 
+ 	if (!lxc_list_empty(&conf->keepcaps))
+-		return !in_caplist(cap, &conf->keepcaps);
++		return in_caplist(cap, &conf->keepcaps);
+ 
+-	return in_caplist(cap, &conf->caps);
++	return !in_caplist(cap, &conf->caps);
+ }
+ 
+ __hidden extern int setup_sysctl_parameters(struct lxc_list *sysctls);
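Review bot: the patch header has no DEP-3 `Origin:`/`Applied-Upstream:` field and its `From:`/`Date:` name the Debian packager, although the cover mail says the change is imported from upstream commit 563ec46266b8967f0ee60e0032bbe66b3b37207c; add `Origin: upstream, https://github.com/lxc/lxc/commit/563ec46266b8967f0ee60e0032bbe66b3b37207c` so the provenance is machine-readable, and fix "this patch fixed it" to "this patch fixes it". On the logic: the conf.h hunk inverts the return value of lxc_wants_cap() in both branches (a cap listed in keepcaps is now reported as wanted, a cap in the drop list as not wanted), so the meaning flips for every caller; the cgfsng.c hunk compensates with `!lxc_wants_cap(CAP_SYS_ADMIN, ...)` and the unchanged `has_cap_net_admin = lxc_wants_cap(CAP_NET_ADMIN, conf)` in conf.c is the line whose result is corrected. The diffstat lists only these three files, so please confirm there is no other caller of lxc_wants_cap() in the 4.0.6 tree that would silently change behaviour.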
diff -Nru lxc-4.0.6/debian/patches/series lxc-4.0.6/debian/patches/series
--- lxc-4.0.6/debian/patches/series	2021-01-31 18:29:40.000000000 +0100
+++ lxc-4.0.6/debian/patches/series	2021-06-11 18:28:01.000000000 +0200
@@ -1,3 +1,4 @@
 0004-apparmor.d-Sets-container-base-accordingly-to-container-base.in.patch
 0005-lxc.service-Starts-after-remote-fs.target.patch
 0006-lxc.pc.in-removes-DLOG_LIBS-which-is-not-expanded-up.patch
+0007-conf-fix-containers-retaining-CAP_NET_ADMIN.patch
diff -Nru lxc-4.0.6/debian/README.Debian lxc-4.0.6/debian/README.Debian
--- lxc-4.0.6/debian/README.Debian	2021-01-31 18:29:40.000000000 +0100
+++ lxc-4.0.6/debian/README.Debian	2021-06-11 18:38:05.000000000 +0200
@@ -61,7 +61,23 @@
 In recent systems, that should already be the case. Otherwise, you can add
 those entries with `usermod` options --add-subuids and --add-subgids.
 
-3) Networking configuration
+3) Permissions checking
+
+Make sure that for your user, .local/share/lxc will be accessible (eXecutable
+bit on the directories) by the root subuid associated with your user (in the
+example above, it'd be uid 100000.
+
+There are at least two solutions if it's not. The firstone is a chmod a+x on
+the directories. If you chose this one do mind the security implications. In
+particular, it is recommended in that case to set your container's rootfs with
+mode 770 or 750 so that any external user can't see its content.
+
+An alternative is to use setfacl to just give the access to that uid. As the
+user who will run the unprivileged container, from your home, run
+
+$ setfacl --modify user:100000:x . .local .local/share
+
+4) Networking configuration
 
 The easiest way to setup networking is to use lxc-net, which is enabled by
 default for containers started by root. For non-root unprivileged containers,
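Review bot: in the new section 3, `uid 100000.` is missing its closing parenthesis and "firstone" should be "first one". More substantively, the text says `.local/share/lxc` must be traversable by the root subuid, but the setfacl command only grants `x` on `.`, `.local` and `.local/share`; either add `.local/share/lxc` to the list or state that lxc creates that directory with a suitable mode itself. It is also worth saying explicitly that the setfacl route is preferable to `chmod a+x` because it opens the path to a single uid rather than to every local user.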
@@ -69,7 +85,7 @@
 
   # echo myusername veth lxcbr0 10 >> /etc/lxc/lxc-usernet
 
-4) Default container configuration
+5) Default container configuration
 
 Add the following to ~/.config/lxc/default.conf:
 
@@ -82,13 +98,13 @@
 The lxc.idmap entries must match the id ranges in /etc/subuid and /etc/subgid,
 as explained in step 2 above.
 
-5) Creating containers
+6) Creating containers
 
 non-root users can only use the `download` template. Example:
 
   $ lxc-create -t download -n mycontainer -- -d debian -r bullseye -a amd64
 
-6) Starting containers
+7) Starting containers
 
 Under the unified groups hierarchy (default in systemd starting with Debian
 11/bullseye), a non-root user needs lxc-start to have some additional
@@ -99,11 +115,34 @@
   $ systemd-run --scope --quiet --user --property=Delegate=yes \
     lxc-start -n mycontainer
 
-7) Managing containers
+or, lastly, you can use the helper script Debian made available:
+lxc-unpriv-start. It'll care about using the systemd-run command properly and
+also to make sure the required environment variables are set properly.
+
+8) Managing containers
 
 When not logged in on a graphical session, lxc-attach also requires being run
-via systemd-run as lxc-start above. Other common actions, such as lxc-stop and
-lxc-destroy, can be run directly.
+via systemd-run as lxc-start above. Other common actions, such as lxc-console,
+lxc-stop and lxc-destroy, can be run directly.
+
+Debian also made available a lxc-unpriv-attach command to ease the use of
+lxc-attach.
+
+9) Avoiding containers destruction by systemd
+
+When exiting a user session (closing ssh or a tty), the remaining processes
+running in background die, including the containers. The solution to avoid such
+an issue is to either have the unprivileged containers running as a user
+service, or to enable session lingering via loginctl.
+
+As a user, if policykit-1 is installed, it's just a call to `loginctl
+enable-linger`
+
+If policykit-1 can't be installed, then one must be root and do a `sudo
+loginctl enable-linger {username}`.
+
+Containers started via systemd-run won't get killed.
 
  -- Evgeni Golov <evgeni@debian.org>  Sat, 16 Jul 2016 11:49:16 +0200
  -- Antonio Terceiro <terceiro@debian.org>  Sat, 30 Jan 2021 10:02:37 -0300
+ -- Pierre-Elliott Bécue <peb@debian.org>  Fri, 11 Jun 2021 15:08:30 +0200
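Review bot: the closing sentence of section 9, "Containers started via systemd-run won't get killed.", reads as contradicting the paragraph before it, which says background processes, containers included, die when the session ends unless lingering is enabled or a user service is used; state the condition under which systemd-run-started containers survive (lingering enabled, presumably) or drop the line. Minor: add the missing period after `loginctl enable-linger`, and "It'll care about using the systemd-run command properly and also to make sure the required environment variables are set properly" would read better as "It takes care of invoking systemd-run properly and of setting the required environment variables".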
