
Bug 425790

Summary: openrc-0.10.5 lxc problems
Product: Gentoo Hosted Projects
Reporter: Permjacov E. A. <permeakra>
Component: OpenRC
Assignee: OpenRC Team <openrc>
Status: RESOLVED FIXED
Severity: major
CC: flameeyes, nikoli, permeakra
Priority: Normal
Version: unspecified
Hardware: x86
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 417391
Attachments:
  lxc.conf file
  rc.log with errors
  0001-sysfs-add-lxc-keyword.patch

Description Permjacov E. A. 2012-07-11 10:02:45 UTC
/etc/init.d/net.lo requires sysfs to start. This is OK for a standalone installation. This is NOT OK for an LXC guest, where sysfs is mounted and managed by the host.

Reproducible: Always

Steps to Reproduce:
1. Set up an LXC Gentoo container with externally mounted sysfs
2. Install =openrc-0.10.5 in the container
3. Reboot the container
Actual Results:
net.lo and symlinks to it cannot be started because of the dependency on sysfs

Expected Results:
net.lo starts successfully

As a workaround I commented out the lines

#       if [ "$RC_UNAME" = Linux ]; then
#               need sysfs
#       fi

and the container starts as expected. These lines appeared after updating from openrc-0.9.8.4 to openrc-0.10.5, after I migrated one of my containers to the unstable branch.

Again: the problem is specific to the case where sysfs is mounted from outside the LXC container and an attempt is made to mount it from within the container because the network subsystem is starting, when many subsystems should not start (for example, udev).
Comment 1 Permjacov E. A. 2012-07-11 10:06:12 UTC
Created attachment 317906 [details]
lxc.conf file

The lxc.conf I use for starting the container. The LXC host is Kubuntu 12.04 amd64 with the 0.7.5-3ubuntu59 package installed.

I can upload the container image tarball to my VPS on request.
Comment 2 Permjacov E. A. 2012-07-11 11:14:37 UTC
Hmmmm.

It looks like the problem is located elsewhere, since without the failed attempt to start /etc/init.d/sysfs, the network (/etc/init.d/net.eth0) does not start.
Comment 3 Permjacov E. A. 2012-07-11 11:47:09 UTC
The problem is somehow related to the mount_cgroup call in sysfs.
Comment 4 William Hubbs gentoo-dev 2012-07-11 18:17:51 UTC
I need to see a startup log from the container if possible.
Uncomment the line in /etc/rc.conf that says rc_logger="YES", reboot the
container, then attach /var/log/rc.log to the bug.

Thanks,

William
Comment 5 Permjacov E. A. 2012-07-11 18:41:51 UTC
Created attachment 317940 [details]
rc.log with errors

I added rc.log. With LXC I also see console output from the container.
Comment 6 Permjacov E. A. 2012-07-11 18:55:25 UTC
http://main.permeakra.co.cc/dserv.tar.gz

Here you can find an image of my container. It has slightly modified /etc/init.d stuff.
Comment 7 William Hubbs gentoo-dev 2012-08-21 17:03:04 UTC
Created attachment 321886 [details]
0001-sysfs-add-lxc-keyword.patch

This patch, along with adding sysfs to the boot runlevel, should fix
the issue.
Comment 8 William Hubbs gentoo-dev 2012-08-21 17:05:52 UTC
@flameeyes:
Please put openrc git into an lxc, apply this patch, add sysfs to the
boot runlevel, and let me know if everything boots successfully.
Comment 9 William Hubbs gentoo-dev 2012-08-21 17:24:25 UTC
@flameeyes:
Thinking about this more after seeing your comment on irc, you might be
able to apply the patch to ~arch OpenRC. If that applies cleanly, go
ahead and test there.
Comment 10 William Hubbs gentoo-dev 2012-09-10 01:09:54 UTC
@flameeyes:
What is your status on this bug? Have you been able to look at it?

Thanks,

William
Comment 11 Walter 2012-09-29 04:55:01 UTC
Note mounting sysfs in lxc guests is sometimes a security hole - see http://blog.bofh.it/debian/id_413
Comment 12 Diego Elio Pettenò (RETIRED) gentoo-dev 2012-09-29 05:12:29 UTC
(The good news is that I was able to fix Excelsior and the two tinderboxes so I can test it this weekend, finally!)

As for sysfs mounting... yes, it's a security hole; no, it's definitely not the only one. I already said that giving root on an LXC guest is just as bad as having root on the host, and until they make _huge_ changes that's not going to change.
Comment 13 William Hubbs gentoo-dev 2012-10-02 21:20:46 UTC
@flameeyes:
I applied the first part of this patch in commit ae9acfa.
Now, sysfs will not run in an lxc guest.

To make only this happen on your box to test, which is what I recommend
at this point, add the following to /etc/conf.d/sysfs:

rc_keyword="-lxc"

Once you get that added, let me know what happens.
I can tell you that networking might fail because there are a couple of
places in the oldnet scripts where we rely on sysfs. But, once we know
where those are, we can fix them.
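The comments above turn on OpenRC's keyword mechanism: a runscript that declares `keyword -lxc` is skipped by rc when it detects that it is running inside an LXC guest, which is what keeps the sysfs script from running in the container. The following POSIX sh script is an added example written for this page; it is not code from the bug, from OpenRC, or from the patch attached here. It models the two pieces involved, container detection and the keyword check, so the "skip sysfs in lxc, still run net.lo" decision can be exercised on any machine. The detection method (looking for a `container=<type>` entry in PID 1's environment) is an assumption about how rc identifies the guest, and the environ blobs are constructed inline rather than read from /proc/1/environ.

```shell
#!/bin/sh
# Added example, not OpenRC's own code: a small POSIX sh model of the
# "keyword -lxc" mechanism the fix for this bug relies on.  A runscript
# that declares `keyword -lxc` in depend() is skipped by rc in an LXC
# guest, which is how the sysfs script is kept from running inside the
# container while the host keeps managing the real sysfs mount.
#
# Assumption (mine, not stated in the bug): the container type is found
# by looking for "container=<type>" in PID 1's environment, the blob
# that lives at /proc/1/environ.  The blobs below are constructed inline
# so the script runs on any box.

# detect_container FILE
#   Prints the container type named in a NUL-separated environ blob
#   ("lxc", "openvz", ...) or "none" when no container= entry exists.
detect_container() {
    ctype=$(tr '\000' '\n' < "$1" | sed -n 's/^container=//p' | head -n 1)
    if [ -n "$ctype" ]; then
        printf '%s\n' "$ctype"
    else
        printf 'none\n'
    fi
}

# keyword_allows "KEYWORDS" CONTAINER
#   Returns 0 if a script whose depend() block declares KEYWORDS may run
#   when CONTAINER is the detected environment, 1 if it must be skipped.
#   Only negated keywords ("-lxc") exclude; anything else is ignored here.
keyword_allows() {
    for kw in $1; do
        [ "$kw" = "-$2" ] && return 1
    done
    return 0
}

# service_decision NAME "KEYWORDS" ENVIRON_FILE
#   Prints "run" or "skip" for NAME, the decision rc would make before
#   starting it in the environment described by ENVIRON_FILE.
service_decision() {
    env_type=$(detect_container "$3")
    if keyword_allows "$2" "$env_type"; then
        printf 'run\n'
    else
        printf 'skip\n'
    fi
}

# Constructed sample environ blobs: one as an LXC guest's PID 1 would
# see it, one from a plain host.  Real ones come from /proc/1/environ.
SAMPLE_LXC_ENVIRON=$(mktemp)
SAMPLE_HOST_ENVIRON=$(mktemp)
printf 'container=lxc\000PATH=/sbin:/bin\000TERM=linux\000' > "$SAMPLE_LXC_ENVIRON"
printf 'PATH=/sbin:/bin\000TERM=linux\000' > "$SAMPLE_HOST_ENVIRON"
trap 'rm -f "$SAMPLE_LXC_ENVIRON" "$SAMPLE_HOST_ENVIRON"' EXIT

# sysfs as patched (keyword -lxc) next to a net.lo that carries no
# keyword, evaluated in both environments.
for envfile in "$SAMPLE_LXC_ENVIRON" "$SAMPLE_HOST_ENVIRON"; do
    echo "container=$(detect_container "$envfile"):" \
         "sysfs=$(service_decision sysfs '-lxc' "$envfile")" \
         "net.lo=$(service_decision net.lo '' "$envfile")"
done
```

In the LXC case the output shows sysfs skipped and net.lo still allowed, which is the state the patch aims for; whether net.lo's `need sysfs` is then satisfied is a separate question that the comments above leave to testing, and the model deliberately does not guess at it.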
Comment 14 William Hubbs gentoo-dev 2012-10-17 01:13:52 UTC
The original issue on this bug was that the sysfs script was running
inside the container, which should not be happening. This is fixed in
commit ae9acf and will be included in OpenRC 0.11.
Comment 15 Permjacov E. A. 2012-11-22 11:43:09 UTC
(In reply to comment #14)
> The original issue on this bug was that the sysfs script was running
> inside the container, which should not be happening. This is fixed in
> commit ae9acf and will be included in OpenRC 0.11.

Yeah, indeed. Checked it, worked fine. Thanks.