On 2021-06-11 21:55:59 +0200, Pierre-Elliott Bécue wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
>
> Please unblock package lxc
>
> LXC 4.0.6-1 suffers from many issues that, in my opinion, require an
> update before the release of Bullseye to make our users more comfortable
> using it.
>
> 1. Running unprivileged containers until LXC4 was as simple as running
> the same LXC commands as a non-root user or as root but with
> containers config mapping subuids/subgids. Since systemd migrated to
> pure CGroupv2 hierarchy, there is a need for either a systemd
> service, or a call to systemd-run as a user. This makes the whole
> less simple to use and understand for a user.
>
> I included two scripts to wrap these systemd-run calls and make the
> whole more usable. I linked their manpages to lxc-start and
> lxc-attach as the arguments are passed to these commands.
> 2. Consequently, I wrote some more documentation in d/NEWS and
> d/README.Debian to help our users understand how to work with
> unprivileged containers as soon as they dist-upgrade.
> 3. Historically, an lxc container had its /proc/sys/net writeable by
> root when /proc was mounted with the "mixed" option in LXC
> configuration. Upstream broke that and fixed it recently in a commit
> in GitHub
> https://github.com/lxc/lxc/commit/563ec46266b8967f0ee60e0032bbe66b3b37207c
> I imported that patch as not having /proc/sys/net writeable will
> break things for our users.
> 4. In lxc-net configuration, we added a comment to allow users to honor
> systemd's dnsmasq more easily if needed. As it's a comment, it has
> no impact.
>
> Almost all these changes are in debian/ directory and present no risk
> for LXC to dysfunction at all. There is just the patch mentioned in 3
> which is imported from upstream, and which changes the code. It has been
> tested upstream and the code alteration is minimal.
>
> [ Checklist ]
> [x] all changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in testing
>
> If you need any more intel, please do poke me!
>
> I have not yet uploaded the changes to unstable, as I prefer waiting for
> your feedback.
ACK, please go ahead and remove the moreinfo tag once the package is
available in unstable.
Cheers
>
> Thanks!
>
> unblock lxc/1:4.0.6-2
> diff -Nru lxc-4.0.6/debian/changelog lxc-4.0.6/debian/changelog
> --- lxc-4.0.6/debian/changelog 2021-01-31 18:29:40.000000000 +0100
> +++ lxc-4.0.6/debian/changelog 2021-06-11 21:43:41.000000000 +0200
> @@ -1,3 +1,18 @@
> +lxc (1:4.0.6-2) unstable; urgency=medium
> +
> + * d/contrib/lxc-net: Add a commented dnsmasq reference for the users to be
> + able to use this configuration if needed.
> + * d/contrib/bin/lxc-unpriv-{start,attach} helper scripts to make
> + unprivileged containers easier to start manually
> + * d/README.Debian: Added some intel about how to handle properly
> + unprivileged containers and systemd user sessions, and potential
> + filesystem ACL issues/implications
> + (Closes: #989317, 987293)
> + * d/p/0007: Makes the containers able to have /proc/sys/net rw
> + (Closes: #981980)
> +
> + -- Pierre-Elliott Bécue <peb@debian.org> Fri, 11 Jun 2021 21:43:41 +0200
> +
> lxc (1:4.0.6-1) unstable; urgency=medium
>
> * New upstream version 4.0.6
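Review bot: the d/p/0007 entry should name the upstream commit it imports (https://github.com/lxc/lxc/commit/563ec46266b8967f0ee60e0032bbe66b3b37207c, as given in the unblock request) so a reader of the changelog can tell it is an upstream cherry-pick and not a Debian-only change. The wording "Makes the containers able to have /proc/sys/net rw" also understates the change: the conf.h part of that patch corrects lxc_wants_cap() for every capability, and /proc/sys/net is only the visible symptom for CAP_NET_ADMIN.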
> diff -Nru lxc-4.0.6/debian/contrib/bin/lxc-unpriv-attach lxc-4.0.6/debian/contrib/bin/lxc-unpriv-attach
> --- lxc-4.0.6/debian/contrib/bin/lxc-unpriv-attach 1970-01-01 01:00:00.000000000 +0100
> +++ lxc-4.0.6/debian/contrib/bin/lxc-unpriv-attach 2021-06-11 21:25:58.000000000 +0200
> @@ -0,0 +1,13 @@
> +#!/bin/bash
> +
> +if ! ps ux|grep "[s]ystemd --user" > /dev/null 2>&1; then
> + echo "Can't start an unprivileged container on a pure CGroups v2 host without a systemd user session running."
> + echo "If you are trying to get a non-interactive user to have unprivileged containers running, you need to"
> + echo "enable lingering sessions for that user, via loginctl enable-linger ${USER} as root."
> + exit 1
> +fi
> +
> +export XDG_RUNTIME_DIR="/run/user/$UID"
> +export DBUS_SESSION_BUS_ADDRESS="unix:path=${XDG_RUNTIME_DIR}/bus"
> +
> +/usr/bin/systemd-run --user --scope -p "Delegate=yes" /usr/bin/lxc-attach "$@"
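Review bot: the error text in lxc-unpriv-attach says "Can't start an unprivileged container" although this helper attaches to one; adjust the message. The session check `ps ux|grep "[s]ystemd --user"` is also brittle: it pattern-matches a process listing instead of testing the resource the script actually depends on, the user bus it points DBUS_SESSION_BUS_ADDRESS at, so `[ -S "/run/user/$UID/bus" ]` (or `systemctl --user is-system-running`) would fail for the right reason and not for a cosmetic change in ps output. Finally, `export XDG_RUNTIME_DIR="/run/user/$UID"` overwrites whatever pam_systemd already exported for the session; `export XDG_RUNTIME_DIR="${XDG_RUNTIME_DIR:-/run/user/$UID}"` keeps the session's value, and `exec /usr/bin/systemd-run ...` on the last line avoids leaving a parent bash process behind.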
> diff -Nru lxc-4.0.6/debian/contrib/bin/lxc-unpriv-start lxc-4.0.6/debian/contrib/bin/lxc-unpriv-start
> --- lxc-4.0.6/debian/contrib/bin/lxc-unpriv-start 1970-01-01 01:00:00.000000000 +0100
> +++ lxc-4.0.6/debian/contrib/bin/lxc-unpriv-start 2021-06-11 21:25:42.000000000 +0200
> @@ -0,0 +1,13 @@
> +#!/bin/bash
> +
> +if ! ps ux|grep "[s]ystemd --user" > /dev/null 2>&1; then
> + echo "Can't start an unprivileged container on a pure CGroups v2 host without a systemd user session running."
> + echo "If you are trying to get a non-interactive user to have unprivileged containers running, you need to"
> + echo "enable lingering sessions for that user, via loginctl enable-linger ${USER} as root."
> + exit 1
> +fi
> +
> +export XDG_RUNTIME_DIR="/run/user/$UID"
> +export DBUS_SESSION_BUS_ADDRESS="unix:path=${XDG_RUNTIME_DIR}/bus"
> +
> +/usr/bin/systemd-run --user --scope -p "Delegate=yes" /usr/bin/lxc-start "$@"
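Review bot: this file is a byte-for-byte copy of lxc-unpriv-attach apart from the final binary, so every fix to the session check or the environment handling must be made twice. One script that derives its target from its own name (for example `/usr/bin/lxc-${0##*lxc-unpriv-}`, which maps lxc-unpriv-start to lxc-start) plus a symlink, or a sourced helper, keeps the two from drifting. The remarks on the attach helper (fragile ps|grep detection, XDG_RUNTIME_DIR being clobbered, missing exec) apply here unchanged.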
> diff -Nru lxc-4.0.6/debian/contrib/lxc-net lxc-4.0.6/debian/contrib/lxc-net
> --- lxc-4.0.6/debian/contrib/lxc-net 2021-01-31 18:29:40.000000000 +0100
> +++ lxc-4.0.6/debian/contrib/lxc-net 2021-06-11 14:45:58.000000000 +0200
> @@ -1 +1,4 @@
> USE_LXC_BRIDGE="true"
> +
> +# Honor system's dnsmasq configuration
> +#LXC_DHCP_CONFILE=/etc/dnsmasq.conf
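Review bot: the comment should say what uncommenting LXC_DHCP_CONFILE does. lxc-net hands the file to the dnsmasq instance it spawns for the bridge via --conf-file, so a system /etc/dnsmasq.conf carrying interface=, listen-address= or bind-interfaces directives applies to that instance too and can make it fail to bind or serve the wrong interface. A one-line warning next to the setting ("the whole file is read by lxc-net's own dnsmasq") saves users a confusing debugging session.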
> diff -Nru lxc-4.0.6/debian/lxc.install lxc-4.0.6/debian/lxc.install
> --- lxc-4.0.6/debian/lxc.install 2021-01-31 18:29:40.000000000 +0100
> +++ lxc-4.0.6/debian/lxc.install 2021-06-11 18:09:06.000000000 +0200
> @@ -12,5 +12,7 @@
> usr/share/man
> var
>
> -debian/contrib/default.conf etc/lxc/
> -debian/contrib/lxc-net etc/default/
> +debian/contrib/default.conf etc/lxc/
> +debian/contrib/lxc-net etc/default/
> +debian/contrib/bin/lxc-unpriv-start usr/bin/
> +debian/contrib/bin/lxc-unpriv-attach usr/bin/
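Review bot: the default.conf and lxc-net lines are removed and re-added with identical content, which points to a whitespace-only (tab versus space) change; drop that churn so the hunk shows only the two new usr/bin entries and the debdiff stays easy for the release team to review.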
> diff -Nru lxc-4.0.6/debian/lxc.links lxc-4.0.6/debian/lxc.links
> --- lxc-4.0.6/debian/lxc.links 1970-01-01 01:00:00.000000000 +0100
> +++ lxc-4.0.6/debian/lxc.links 2021-06-11 18:09:06.000000000 +0200
> @@ -0,0 +1,2 @@
> +usr/share/man/man1/lxc-attach.1.gz usr/share/man/man1/lxc-unpriv-attach.1.gz
> +usr/share/man/man1/lxc-start.1.gz usr/share/man/man1/lxc-unpriv-start.1.gz
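Review bot: linking the lxc-start and lxc-attach man pages means `man lxc-unpriv-start` describes a command with no prerequisites, while the helper exits with an error unless a systemd user session is running and silently wraps the call in a `systemd-run --user --scope -p Delegate=yes` unit. A short dedicated page, or at least an lxc-unpriv-start(1) stub that states the prerequisite (a user session, or lingering for non-interactive users) and points at README.Debian, would make the man page truthful.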
> diff -Nru lxc-4.0.6/debian/lxc.postinst lxc-4.0.6/debian/lxc.postinst
> --- lxc-4.0.6/debian/lxc.postinst 2021-01-31 18:29:40.000000000 +0100
> +++ lxc-4.0.6/debian/lxc.postinst 2021-06-11 14:45:58.000000000 +0200
> @@ -17,7 +17,7 @@
> if [ -z "$2" ] || dpkg --compare-versions "$2" le "1:3.1.0+really3.0.3-2"; then
> if which apparmor_parser > /dev/null && [ -e /etc/apparmor.d/lxc-containers ]; then
> apparmor_parser -r -W -T /etc/apparmor.d/lxc-containers || \
> - echo "Failed to run 'apparmor_parser -rWT /etc/apparmor.d/lxc-containers'. You will probably need to runn it by hand at some point."
> + echo "Failed to run 'apparmor_parser -rWT /etc/apparmor.d/lxc-containers'. You will probably need to run it by hand at some point."
> fi
> fi
> }
> diff -Nru lxc-4.0.6/debian/NEWS lxc-4.0.6/debian/NEWS
> --- lxc-4.0.6/debian/NEWS 2021-01-31 18:29:40.000000000 +0100
> +++ lxc-4.0.6/debian/NEWS 2021-06-11 21:43:27.000000000 +0200
> @@ -1,3 +1,11 @@
> +lxc (1:4.0.6-2) unstable; urgency=medium
> +
> + * A new way of handling unprivileged containers starting and attachment has
> + been made available through the lxc-unpriv-start and lxc-unpriv-attach
> + commands. See /usr/share/doc/lxc/README.Debian.gz for more details.
> +
> + -- Pierre-Elliott Bécue <peb@debian.org> Fri, 11 Jun 2021 15:12:15 +0200
> +
> lxc (1:4.0.2-1~1) experimental; urgency=medium
>
> Major changes in the Debian packaging:
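Review bot: NEWS only mentions the new helper commands; the 0007 patch changes what container root can do (with CAP_NET_ADMIN retained, /proc/sys/net is writable again under proc:mixed), which is exactly the kind of behaviour change apt-listchanges readers expect to find here. A second bullet stating that the /proc/sys/net behaviour of earlier releases is restored, and under which capability configuration it applies, would be helpful.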
> diff -Nru lxc-4.0.6/debian/patches/0007-conf-fix-containers-retaining-CAP_NET_ADMIN.patch lxc-4.0.6/debian/patches/0007-conf-fix-containers-retaining-CAP_NET_ADMIN.patch
> --- lxc-4.0.6/debian/patches/0007-conf-fix-containers-retaining-CAP_NET_ADMIN.patch 1970-01-01 01:00:00.000000000 +0100
> +++ lxc-4.0.6/debian/patches/0007-conf-fix-containers-retaining-CAP_NET_ADMIN.patch 2021-06-11 18:27:18.000000000 +0200
> @@ -0,0 +1,88 @@
> +From: =?utf-8?q?Pierre-Elliott_B=C3=A9cue?= <peb@debian.org>
> +Date: Fri, 11 Jun 2021 18:26:25 +0200
> +Subject: conf: fix containers retaining CAP_NET_ADMIN
> +
> +Historically, /proc/sys/net is rw when proc:mixed is used as a proc
> +mount parameter. This was broken somewhere in lxc 4, and this patch
> +fixed it.
> +---
> + src/lxc/cgroups/cgfsng.c | 2 +-
> + src/lxc/conf.c | 34 +++++++++++++++++-----------------
> + src/lxc/conf.h | 4 ++--
> + 3 files changed, 20 insertions(+), 20 deletions(-)
> +
> +diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c
> +index 303c2f6..acc64a7 100644
> +--- a/src/lxc/cgroups/cgfsng.c
> ++++ b/src/lxc/cgroups/cgfsng.c
> +@@ -1831,7 +1831,7 @@ __cgfsng_ops static bool cgfsng_mount(struct cgroup_ops *ops,
> + }
> +
> + if (!wants_force_mount) {
> +- wants_force_mount = lxc_wants_cap(CAP_SYS_ADMIN, handler->conf);
> ++ wants_force_mount = !lxc_wants_cap(CAP_SYS_ADMIN, handler->conf);
> +
> + /*
> + * Most recent distro versions currently have init system that
> +diff --git a/src/lxc/conf.c b/src/lxc/conf.c
> +index ae49725..d9217a6 100644
> +--- a/src/lxc/conf.c
> ++++ b/src/lxc/conf.c
> +@@ -620,24 +620,24 @@ static int lxc_mount_auto_mounts(struct lxc_conf *conf, int flags, struct lxc_ha
> + * it's busy... MS_REMOUNT|MS_BIND|MS_RDONLY seems to work for
> + * kernels as low as 2.6.32...
> + */
> +- { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "proc", "%r/proc", "proc", MS_NODEV|MS_NOEXEC|MS_NOSUID, NULL, 0 },
> ++ { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "proc", "%r/proc", "proc", MS_NODEV|MS_NOEXEC|MS_NOSUID, NULL, false },
> + /* proc/tty is used as a temporary placeholder for proc/sys/net which we'll move back in a few steps */
> +- { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/sys/net", "%r/proc/tty", NULL, MS_BIND, NULL, 1 },
> +- { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/sys", "%r/proc/sys", NULL, MS_BIND, NULL, 0 },
> +- { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, NULL, "%r/proc/sys", NULL, MS_REMOUNT|MS_BIND|MS_RDONLY, NULL, 0 },
> +- { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/tty", "%r/proc/sys/net", NULL, MS_MOVE, NULL, 1 },
> +- { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/sysrq-trigger", "%r/proc/sysrq-trigger", NULL, MS_BIND, NULL, 0 },
> +- { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, NULL, "%r/proc/sysrq-trigger", NULL, MS_REMOUNT|MS_BIND|MS_RDONLY, NULL, 0 },
> +- { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_RW, "proc", "%r/proc", "proc", MS_NODEV|MS_NOEXEC|MS_NOSUID, NULL, 0 },
> +- { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_RW, "sysfs", "%r/sys", "sysfs", 0, NULL, 0 },
> +- { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_RO, "sysfs", "%r/sys", "sysfs", MS_RDONLY, NULL, 0 },
> +- { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "sysfs", "%r/sys", "sysfs", MS_NODEV|MS_NOEXEC|MS_NOSUID, NULL, 0 },
> +- { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "%r/sys", "%r/sys", NULL, MS_BIND, NULL, 0 },
> +- { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, NULL, "%r/sys", NULL, MS_REMOUNT|MS_BIND|MS_RDONLY, NULL, 0 },
> +- { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "sysfs", "%r/sys/devices/virtual/net", "sysfs", 0, NULL, 0 },
> +- { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "%r/sys/devices/virtual/net/devices/virtual/net", "%r/sys/devices/virtual/net", NULL, MS_BIND, NULL, 0 },
> +- { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, NULL, "%r/sys/devices/virtual/net", NULL, MS_REMOUNT|MS_BIND|MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL, 0 },
> +- { 0, 0, NULL, NULL, NULL, 0, NULL, 0 }
> ++ { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/sys/net", "%r/proc/tty", NULL, MS_BIND, NULL, true },
> ++ { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/sys", "%r/proc/sys", NULL, MS_BIND, NULL, false },
> ++ { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, NULL, "%r/proc/sys", NULL, MS_REMOUNT|MS_BIND|MS_RDONLY, NULL, false },
> ++ { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/tty", "%r/proc/sys/net", NULL, MS_MOVE, NULL, true },
> ++ { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/sysrq-trigger", "%r/proc/sysrq-trigger", NULL, MS_BIND, NULL, false },
> ++ { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, NULL, "%r/proc/sysrq-trigger", NULL, MS_REMOUNT|MS_BIND|MS_RDONLY, NULL, false },
> ++ { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_RW, "proc", "%r/proc", "proc", MS_NODEV|MS_NOEXEC|MS_NOSUID, NULL, false },
> ++ { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_RW, "sysfs", "%r/sys", "sysfs", 0, NULL, false },
> ++ { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_RO, "sysfs", "%r/sys", "sysfs", MS_RDONLY, NULL, false },
> ++ { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "sysfs", "%r/sys", "sysfs", MS_NODEV|MS_NOEXEC|MS_NOSUID, NULL, false },
> ++ { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "%r/sys", "%r/sys", NULL, MS_BIND, NULL, false },
> ++ { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, NULL, "%r/sys", NULL, MS_REMOUNT|MS_BIND|MS_RDONLY, NULL, false },
> ++ { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "sysfs", "%r/sys/devices/virtual/net", "sysfs", 0, NULL, false },
> ++ { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "%r/sys/devices/virtual/net/devices/virtual/net", "%r/sys/devices/virtual/net", NULL, MS_BIND, NULL, false },
> ++ { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, NULL, "%r/sys/devices/virtual/net", NULL, MS_REMOUNT|MS_BIND|MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL, false },
> ++ { 0, 0, NULL, NULL, NULL, 0, NULL, false }
> + };
> +
> + bool has_cap_net_admin = lxc_wants_cap(CAP_NET_ADMIN, conf);
> +diff --git a/src/lxc/conf.h b/src/lxc/conf.h
> +index 664533b..28b679f 100644
> +--- a/src/lxc/conf.h
> ++++ b/src/lxc/conf.h
> +@@ -509,9 +509,9 @@ static inline bool lxc_wants_cap(int cap, struct lxc_conf *conf)
> + return false;
> +
> + if (!lxc_list_empty(&conf->keepcaps))
> +- return !in_caplist(cap, &conf->keepcaps);
> ++ return in_caplist(cap, &conf->keepcaps);
> +
> +- return in_caplist(cap, &conf->caps);
> ++ return !in_caplist(cap, &conf->caps);
> + }
> +
> + __hidden extern int setup_sysctl_parameters(struct lxc_list *sysctls);
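Review bot: the patch header lacks the DEP-3 fields that make a cherry-pick verifiable; add `Origin: upstream, https://github.com/lxc/lxc/commit/563ec46266b8967f0ee60e0032bbe66b3b37207c` and `Bug-Debian: https://bugs.debian.org/981980` so the release team can compare it with upstream without reading the bug. On the substance: the conf.h hunk inverts lxc_wants_cap() in both branches. Before the patch, with a non-empty lxc.cap.keep list it returned true for capabilities that were not kept, and with a lxc.cap.drop list it returned true for capabilities that were dropped, the opposite of its name. Every caller therefore changes meaning: cgfsng.c is adjusted (cgroups are now force-mounted when the container does not keep CAP_SYS_ADMIN, which matches the comment beneath the change), and has_cap_net_admin in conf.c keeps its line but now receives the right answer. Please confirm with `grep -rn lxc_wants_cap src/` on 4.0.6 that no caller exists outside these two files, since any unpatched one would now be wrong the other way round.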
> diff -Nru lxc-4.0.6/debian/patches/series lxc-4.0.6/debian/patches/series
> --- lxc-4.0.6/debian/patches/series 2021-01-31 18:29:40.000000000 +0100
> +++ lxc-4.0.6/debian/patches/series 2021-06-11 18:28:01.000000000 +0200
> @@ -1,3 +1,4 @@
> 0004-apparmor.d-Sets-container-base-accordingly-to-container-base.in.patch
> 0005-lxc.service-Starts-after-remote-fs.target.patch
> 0006-lxc.pc.in-removes-DLOG_LIBS-which-is-not-expanded-up.patch
> +0007-conf-fix-containers-retaining-CAP_NET_ADMIN.patch
> diff -Nru lxc-4.0.6/debian/README.Debian lxc-4.0.6/debian/README.Debian
> --- lxc-4.0.6/debian/README.Debian 2021-01-31 18:29:40.000000000 +0100
> +++ lxc-4.0.6/debian/README.Debian 2021-06-11 18:38:05.000000000 +0200
> @@ -61,7 +61,23 @@
> In recent systems, that should already be the case. Otherwise, you can add
> those entries with `usermod` options --add-subuids and --add-subgids.
>
> -3) Networking configuration
> +3) Permissions checking
> +
> +Make sure that for your user, .local/share/lxc will be accessible (eXecutable
> +bit on the directories) by the root subuid associated with your user (in the
> +example above, it'd be uid 100000.
> +
> +There are at least two solutions if it's not. The firstone is a chmod a+x on
> +the directories. If you chose this one do mind the security implications. In
> +particular, it is recommended in that case to set your container's rootfs with
> +mode 770 or 750 so that any external user can't see its content.
> +
> +An alternative is to use setfacl to just give the access to that uid. As the
> +user who will run the unprivileged container, from your home, run
> +
> +$ setfacl --modify user:100000:x . .local .local/share
> +
> +4) Networking configuration
>
> The easiest way to setup networking is to use lxc-net, which is enabled by
> default for containers started by root. For non-root unprivileged containers,
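Review bot: two typos in the new step 3: "(in the example above, it'd be uid 100000." is missing its closing parenthesis, and "firstone" should be "first one". More importantly, the order of the two remedies invites the weaker one: `chmod a+x` on $HOME and ~/.local makes those directories traversable by every local account, not only by the container's root subuid, whereas the setfacl line grants exactly one bit to exactly one uid. Presenting the ACL as the recommended fix and the chmod as the fallback, and adding a verification step (`getfacl .` showing a `user:100000:--x` entry), would make the section safer to follow. The uid 100000 should also be tied explicitly to the lxc.idmap entries of the default container configuration step, since a user whose subuid range starts elsewhere must use that value instead.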
> @@ -69,7 +85,7 @@
>
> # echo myusername veth lxcbr0 10 >> /etc/lxc/lxc-usernet
>
> -4) Default container configuration
> +5) Default container configuration
>
> Add the following to ~/.config/lxc/default.conf:
>
> @@ -82,13 +98,13 @@
> The lxc.idmap entries must match the id ranges in /etc/subuid and /etc/subgid,
> as explained in step 2 above.
>
> -5) Creating containers
> +6) Creating containers
>
> non-root users can only use the `download` template. Example:
>
> $ lxc-create -t download -n mycontainer -- -d debian -r bullseye -a amd64
>
> -6) Starting containers
> +7) Starting containers
>
> Under the unified groups hierarchy (default in systemd starting with Debian
> 11/bullseye), a non-root user needs lxc-start to have some additional
> @@ -99,11 +115,34 @@
> $ systemd-run --scope --quiet --user --property=Delegate=yes \
> lxc-start -n mycontainer
>
> -7) Managing containers
> +or, lastly, you can use the helper script Debian made available:
> +lxc-unpriv-start. It'll care about using the systemd-run command properly and
> +also to make sure the required environment variables are set properly.
> +
> +8) Managing containers
>
> When not logged in on a graphical session, lxc-attach also requires being run
> -via systemd-run as lxc-start above. Other common actions, such as lxc-stop and
> -lxc-destroy, can be run directly.
> +via systemd-run as lxc-start above. Other common actions, such as lxc-console,
> +lxc-stop and lxc-destroy, can be run directly.
> +
> +Debian also made available a lxc-unpriv-attach command to ease the use of
> +lxc-attach.
> +
> +9) Avoiding containers destruction by systemd
> +
> +When exiting a user session (closing ssh or a tty), the remaining processes
> +running in background die, including the containers. The solution to avoid such
> +an issue is to either have the unprivileged containers running as a user
> +service, or to enable session lingering via loginctl.
> +
> +As a user, if policykit-1 is installed, it's just a call to `loginctl
> +enable-linger`
> +
> +If policykit-1 can't be installed, then one must be root and do a `sudo
> +loginctl enable-linger {username}`.
> +
> +Containers started via systemd-run won't get killed.
>
> -- Evgeni Golov <evgeni@debian.org> Sat, 16 Jul 2016 11:49:16 +0200
> -- Antonio Terceiro <terceiro@debian.org> Sat, 30 Jan 2021 10:02:37 -0300
> + -- Pierre-Elliott Bécue <peb@debian.org> Fri, 11 Jun 2021 15:08:30 +0200
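Review bot: the closing sentence "Containers started via systemd-run won't get killed." reads as a contradiction of the section it ends, which opens by saying background processes die with the session, and of the helper scripts' own error text, which demands a running user session. `systemd-run --user --scope` places the container in a scope owned by the user's systemd instance, and that instance is stopped with the user's last session unless lingering is enabled, so the sentence should state the condition: the container survives logout only when enable-linger is in effect (or the container runs as a user service). Minor wording: "or, lastly, you can use the helper script" reads better as "Alternatively, use the helper script", and "Avoiding containers destruction" should be "Avoiding container destruction".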
--
Sebastian Ramacher
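The README's step 3 in the debdiff above tells the user to check that the container's root subuid can traverse ~/.local/share/lxc and offers chmod a+x or setfacl as remedies. The script below is an added example written for this page, not code from the lxc package or from the debdiff; it automates that check. It assumes the README's example subuid 100000 as the default and the getfacl tool from the acl package for the ACL-based case, and it deliberately ignores group membership so that a "clear" verdict never overstates what the subuid can reach.

```python
#!/usr/bin/env python3
"""Check README.Debian step 3: can the container's root subuid traverse the
directory chain leading to ~/.local/share/lxc?

Added example for this page; it is not part of the lxc package or of the
debdiff above. Assumptions: the README's example subuid 100000, and the
getfacl tool from the acl package (only needed for the ACL-based remedy).
Group membership of the subuid is deliberately ignored, so a "blocked"
answer is conservative and a "clear" answer is trustworthy.
"""
import os
import shutil
import stat
import subprocess
import sys


def acl_grants_exec(acl_text, uid):
    """Parse `getfacl --numeric` output and decide whether a named-user ACL
    entry for `uid` grants execute (traverse) and is not masked out.

    Only three-field access entries (tag:qualifier:perms) are examined;
    `default:` entries and the owner/group/other base entries are skipped,
    because the caller already judged the classic mode bits.
    """
    mask = None
    user_perms = None
    for raw in acl_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 3:
            continue
        tag, qualifier, perms = fields
        if tag == "mask":
            mask = perms
        elif tag == "user" and qualifier == str(uid):
            user_perms = perms
    if user_perms is None or "x" not in user_perms:
        return False
    # The ACL mask caps every named-user entry: x in the entry is useless
    # if the mask drops it (setfacl normally recomputes the mask, but a
    # later `setfacl -m m::r` would silently revoke traversal).
    return mask is None or "x" in mask


def uid_can_traverse(path, uid, acl_text=None):
    """True if `uid` may traverse directory `path`.

    The owner is judged by the owner x bit, everyone else by the other x bit
    (what `chmod a+x` sets) or by a named-user ACL entry (what
    `setfacl --modify user:UID:x` sets). `acl_text` lets a caller pass
    getfacl output directly; otherwise getfacl is run when it is installed.
    """
    st = os.stat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IXUSR)
    if st.st_mode & stat.S_IXOTH:
        return True
    if acl_text is None:
        if shutil.which("getfacl") is None:
            return False  # no acl tools installed: only mode bits can help
        acl_text = subprocess.run(
            ["getfacl", "--numeric", "--absolute-names", path],
            capture_output=True, text=True, check=False,
        ).stdout
    return acl_grants_exec(acl_text, uid)


def first_blocking_dir(path, uid, base=os.sep):
    """Walk from `base` (an ancestor of `path`, "/" by default) down to
    `path` and return the first component `uid` cannot traverse, or that is
    missing; None means the whole chain is open to `uid`."""
    path = os.path.abspath(path)
    base = os.path.abspath(base)
    current = base
    for part in os.path.relpath(path, base).split(os.sep):
        current = os.path.join(current, part)
        if not os.path.isdir(current) or not uid_can_traverse(current, uid):
            return current
    return None


if __name__ == "__main__":
    subuid = int(sys.argv[1]) if len(sys.argv) > 1 else 100000
    target = os.path.expanduser("~/.local/share/lxc")
    blocker = first_blocking_dir(target, subuid)
    if blocker is None:
        print(f"uid {subuid} can traverse every directory up to {target}")
    else:
        print(f"uid {subuid} is blocked at {blocker}; least-privilege fix:")
        print(f"  setfacl --modify user:{subuid}:x {blocker}")
        sys.exit(1)
```

Run it as the user who will start the container (`python3 check-subuid-path.py 100000`, file name assumed); it reports the first directory the subuid cannot enter and prints the matching setfacl command, which grants only the traverse bit to only that uid, rather than the README's `chmod a+x` that opens the directory to every local account.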