Unprivileged LXC and grsecurity kernel
#1
Sat, 2017-03-04 09:57
fludardes
Hello. Excuse me, please, but it seems that there is some kind of incompatibility between grsec kernel variants and the use of unprivileged LXC containers... Or maybe I do something wrong.
I try to create such a container with the command

# lxc-create -B btrfs -f /etc/lxc/default.conf -n alpine_1 -t download -- -d alpine -r 3.4 -a i386

I have created /etc/lxc/default.conf and changed it to something like:

# Alpine fix from /etc/lxc/lxc.conf
lxc.cgroup.use = @kernel
...
# Mapping
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
The root user has a subuid and subgid range.
But I receive an error:
newuidmap: Target process 2106 is owned by a different user: uid:0 pw_uid:0 st_uid:0, gid:0 pw_gid:0 st_gid:30
error mapping child setgid: Invalid argument
lxc-create: lxccontainer.c: create_run_template: 1290 container creation template for ... failed
lxc-create: tools/lxc_create.c: main: 318 Error creating container

Maybe this GitHub issue is related to the problem...
It works with a vanilla kernel on Alpine Linux, and it also works on Arch Linux with the grsec kernel from their repo (their version is built without GRKERNSEC_SYSFS_RESTRICT).
I just hope - is there some workaround without a kernel rebuild? Sorry.
Alpine Linux v3.5, kernel: 4.4.52-0-virtgrsec
Thanks.
Try booting with the kernel parameter grsec_sysfs_restrict=0. On top of that you might also need to set via sysctl.
Alpine version 3.5 (both container and host) works for me in this configuration.
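Preflight checks for the setup described in this thread, as an added example (not code from the thread or from LXC): it verifies that every lxc.id_map line in a container config is backed by a matching /etc/subuid or /etc/subgid range for the user, and that the kernel command line carries grsec_sysfs_restrict=0. File paths and the cmdline string are parameters, so the demo below runs on constructed sample files; the sysctl the reply mentions is not named in the thread and is not checked here.

```shell
#!/bin/sh
# Added example, not from the thread: preflight checks for an unprivileged
# LXC container on a grsecurity kernel. Paths and the cmdline string are
# parameters so the checks can run on constructed samples or on a live host.

# Print "<u|g> <host_first> <count>" for each lxc.id_map line in config $1.
id_maps() {
    awk -F= '/^[[:space:]]*lxc\.id_map[[:space:]]*=/ {
        n = split($2, f, " "); if (n == 4) print f[1], f[3], f[4] }' "$1"
}

# Succeed if subuid/subgid file $2 grants user $1 a range covering host
# ids [$3, $3 + $4).
range_granted() {
    awk -F: -v u="$1" -v first="$3" -v count="$4" '
        $1 == u && $2 <= first && $2 + $3 >= first + count { ok = 1 }
        END { exit ok ? 0 : 1 }' "$2"
}

# Succeed if every lxc.id_map in config $2 is backed by an entry for user $1
# in subuid file $3 (u maps) or subgid file $4 (g maps).
check_idmaps() {
    id_maps "$2" | while read -r kind first count; do
        if [ "$kind" = u ]; then file=$3; else file=$4; fi
        range_granted "$1" "$file" "$first" "$count" || {
            echo "no $kind range $first+$count for $1 in $file" >&2
            exit 1   # leaves only the pipeline subshell; function returns 1
        }
    done
}

# Succeed if kernel cmdline $1 carries the relaxation from the reply above.
cmdline_relaxed() {
    case " $1 " in *" grsec_sysfs_restrict=0 "*) return 0 ;; esac
    return 1
}

# Demo on constructed files using the thread's values (root: 100000+65536).
demo() {
    d=$(mktemp -d)
    printf 'lxc.id_map = u 0 100000 65536\nlxc.id_map = g 0 100000 65536\n' > "$d/default.conf"
    printf 'root:100000:65536\n' > "$d/subuid"
    printf 'root:100000:65536\n' > "$d/subgid"
    if check_idmaps root "$d/default.conf" "$d/subuid" "$d/subgid"; then echo "id maps: ok"; fi
    if cmdline_relaxed "$(cat /proc/cmdline 2>/dev/null)"; then echo "grsec_sysfs_restrict=0: present"
    else echo "grsec_sysfs_restrict=0: absent (expected on a non-grsec host)"; fi
    rm -rf "$d"
}
demo
```

On a real host, call check_idmaps root /etc/lxc/default.conf /etc/subuid /etc/subgid and cmdline_relaxed "$(cat /proc/cmdline)" before running lxc-create.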
Oh, thanks a lot! Without that I had to compile a custom kernel. Maybe, it will be nice to have a hint for this in Wiki.
I'm running linux-hardened on edge and it doesn't work here on unprivileged containers on lxd with the above-mentioned grsec relaxations. Actually, I've disabled all grsec settings available in sysctl as a matter of panic mode (+kernel cmdline). But I still get the same errors as above. Vanilla kernel works fine indeed.
Someone mentioned that the kernel cmdline option is not effective at all: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888702. Not sure if that's the same problem.
Anyone tested lxc/lxd lately on edge or 3.7 with hardened kernel?