Elias Olivares wrote:
> Hi!
>
> I've tried to reproduce this bug on the 0.6.5 lxc release and the same bug
> appears when I run the umount command or the rmmod command.
>
> To reproduce the bug:
>
> Host name: debian
> Guest container name: container
>
> You MUST create a dedicated partition to share your containers (another
> partition than "/").
>
> debian:# df
>
> /dev/hda1 7850996 2058732 5393452 28% /
> tmpfs 253768 0 253768 0% /lib/init/rw
> udev 10240 108 10132 2% /dev
> tmpfs 253768 0 253768 0% /dev/shm
> /dev/hdb1 4127076 552552 3364880 15% /mnt/vmr1
>
> Then enter into the container (lxc-console -n container) and stop the cron,
> syslog, bind9 and ssh processes.
>
> container:~# ps aux
>
> USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
> root 1 0.0 0.1 1984 692 ? Ss 11:10 0:00 init [2]
> root 387 0.0 0.4 5884 2272 console Ss 11:10 0:00 /bin/login --
> root 388 0.0 0.1 1992 572 tty1 Ss+ 11:10 0:00 /sbin/getty 38400 tty1
> root 389 0.0 0.1 1992 568 tty2 Ss+ 11:10 0:00 /sbin/getty 38400 tty2
> root 390 0.0 0.1 1992 568 tty3 Ss+ 11:10 0:00 /sbin/getty 38400 tty3
> root 392 0.0 0.5 4132 2680 console S 11:11 0:00 -bash
> root 584 0.0 0.1 2644 956 console R+ 11:43 0:00 ps aux
>
> Then use the mount command:
>
> container:~# mount -o remount,ro /
>
> Return to the host and try to create a file in /mnt/vmr1/. The folder is set
> to "read only".
For this one, I don't know if it's a kernel bug or an lxc bug. To be investigated ...

> The second bug:
>
> Install the ntfs module in the host (example with the ntfs module):
>
> debian:# modprobe ntfs
>
> Enter into the container and delete the ntfs module:
>
> container:~# rmmod ntfs
>
> Return to the host: the module has been removed.
>
> Has anyone solved this problem?
>
> I think it is a major security problem.

You have to drop the sys_module capability for the container. That is done by
adding in the container configuration file:

lxc.cap.drop = sys_module

If you want to drop more capabilities, you can refer to the capabilities(7) man
page. If you want to drop for example CAP_SYS_TIME, add

lxc.cap.drop = sys_time

Thanks
-- Daniel

_______________________________________________
Lxc-devel mailing list
Lxc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-devel
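Two checks that go with the mitigation above, written as an added example for this thread (it is not code from the thread or from the lxc project): one parses a container config for the `lxc.cap.drop` lines Daniel describes, the other reads the `CapBnd` mask from `/proc/<pid>/status` and tests whether a given capability bit is still in the bounding set, so you can confirm from inside a running container that CAP_SYS_MODULE is really gone. The bit numbers (CAP_SYS_MODULE = 16, CAP_SYS_TIME = 25) are the ones listed in capability(7); the sample config fragment is constructed, and `lxc.utsname` is only there to show that the parser ignores unrelated keys.

```shell
#!/bin/sh
# Added example, not from the lxc-devel thread or the lxc project.
# Capability bit numbers as documented in capability(7):
CAP_SYS_MODULE=16   # init_module/delete_module, i.e. what rmmod needs
CAP_SYS_TIME=25

# cap_in_mask MASK BIT
# MASK is a hex capability mask as printed on the CapBnd/CapEff lines of
# /proc/<pid>/status (an optional 0x prefix is accepted). Exit 0 if BIT is set,
# 1 if clear, 2 on bad input.
cap_in_mask() {
    mask=${1#0x}
    bit=$2
    [ -n "$mask" ] || return 2
    [ "$bit" -ge 0 ] && [ "$bit" -le 63 ] || return 2
    [ $(( 0x$mask >> $bit & 1 )) -eq 1 ]
}

# config_drops_cap NAME
# Reads an lxc container config on stdin and exits 0 if NAME appears in any
# lxc.cap.drop line. The value is a space-separated list of capability names
# in lower case without the CAP_ prefix (e.g. sys_module), and the key may be
# repeated, so every occurrence is collected before matching.
config_drops_cap() {
    want=$1
    sed -n 's/^[[:space:]]*lxc\.cap\.drop[[:space:]]*=[[:space:]]*//p' \
        | tr ' \t' '\n\n' | grep -qx "$want"
}

# bounding_set_of [PID]
# Prints the CapBnd mask of PID (default: the current shell). Run it inside the
# container: whatever is missing from CapBnd can never be regained there.
bounding_set_of() {
    awk '/^CapBnd:/ { print $2 }' "/proc/${1:-self}/status"
}

# --- demo on constructed input ---
# Constructed config fragment: the mitigation from the thread plus sys_time.
SAMPLE_CONFIG='lxc.utsname = container
lxc.cap.drop = sys_module
lxc.cap.drop = sys_time'

for cap in sys_module sys_time sys_admin; do
    if printf '%s\n' "$SAMPLE_CONFIG" | config_drops_cap "$cap"; then
        echo "config drops $cap"
    else
        echo "config does NOT drop $cap"
    fi
done

# Live check of this process's bounding set (Linux only; skipped elsewhere).
if [ -r /proc/self/status ]; then
    bnd=$(bounding_set_of)
    if cap_in_mask "$bnd" "$CAP_SYS_MODULE"; then
        echo "CapBnd=$bnd: CAP_SYS_MODULE present; module unload is possible here"
    else
        echo "CapBnd=$bnd: CAP_SYS_MODULE dropped"
    fi
fi
```

Run the script with `lxc-console` inside the container after adding the `lxc.cap.drop` line and restarting it; the config check is what you would script into a pre-start audit, while the `CapBnd` check is the ground truth, since it reflects what the kernel actually enforces rather than what the config file says.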