Summary: | sys-libs/glibc : devpts check fails in containers using GID namespaces | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Kai Krakow <hurikhan77+bgo> |
Component: | Current packages | Assignee: | Gentoo Toolchain Maintainers <toolchain> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | hydrapolic |
Priority: | Normal | Keywords: | PullRequest |
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
See Also: | https://github.com/gentoo/gentoo/pull/14240 | ||
Whiteboard: | |||
Package list: | | Runtime testing required: | --- |
Attachments: | emerge --info systemd |
Description
Kai Krakow
2020-01-04 17:10:13 UTC
Comment #1 (Sergei Trofimovich)

I don't think just running systemd-nspawn is enough to break /dev/pts. You are probably doing something very specific, like unprivileged user namespaces. But it's hard to guess as you did not provide the actual systemd-nspawn command.

On a real system /dev/pts is mounted as:

    $ cat /proc/mounts | fgrep pts
    devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0

On a systemd-nspawn system:

    $ sudo systemd-nspawn -D ./amd64-unstable
    # cat /proc/mounts | fgrep pts
    devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=666 0 0
    # ACCEPT_KEYWORDS='**' emerge -v1 =sys-libs/glibc-9999

Please provide a few details:
1. Actual systemd-nspawn command ran
2. 'cat /proc/mounts | fgrep pts' output on host
3. 'cat /proc/mounts | fgrep pts' output on container
4. emerge --info systemd

---

Comment #2 (Kai Krakow)

(In reply to Sergei Trofimovich from comment #1)
> Please provide a few details:
> 1. Actual systemd-nspawn command ran

    # cat /etc/systemd/nspawn/container.nspawn
    [Exec]
    LinkJournal=host
    ResolvConf=bind-host

    # Namespace-Id
    PrivateUsers=65536

    [Files]
    BindReadOnly=/usr/src
    BindReadOnly=/usr/portage
    Bind=/mnt/btrfs-pool/distfiles:/usr/portage/distfiles
    Bind=/mnt/btrfs-pool/packages:/usr/portage/packages
    PrivateUsersChown=yes

    [Network]
    VirtualEthernet=no

    # sudo systemd-nspawn -D /var/lib/machines/container
    Spawning container tpl-netactive on /var/lib/machines/container.
    Press ^] three times within 1s to kill container.
    Selected user namespace base 65536 and range 65536.

> 2. 'cat /proc/mounts | fgrep pts' output on host

    # fgrep pts /proc/mounts
    devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0

> 3. 'cat /proc/mounts | fgrep pts' output on container

    # fgrep pts /proc/mounts
    devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=65541,mode=620,ptmxmode=666 0 0

> 4. emerge --info systemd

Attached.

Created attachment 602594 [details]
emerge --info systemd
---

(In reply to Kai Krakow from comment #2)
> (In reply to Sergei Trofimovich from comment #1)
> > Please provide a few details:
> > 1. Actual systemd-nspawn command ran
>
> # cat /etc/systemd/nspawn/container.nspawn
> [Exec]
> LinkJournal=host
> ResolvConf=bind-host
>
> # Namespace-Id
> PrivateUsers=65536

Presence of this file alone did not change behaviour of my systemd-nspawn command. Passing --private-users=65536 did:

    # systemd-nspawn --private-users=65536 -D amd64-stable-glibc-2.30
    Selected user namespace base 65536 and range 65536
    amd64-stable-glibc-2 / # fgrep pts /proc/mounts
    devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=65541,mode=620,ptmxmode=666 0 0

---

The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3aa558e231d4721b384f4239b23b793253be2f42

    commit 3aa558e231d4721b384f4239b23b793253be2f42
    Author:     Sergei Trofimovich <slyfox@gentoo.org>
    AuthorDate: 2020-03-28 00:29:16 +0000
    Commit:     Sergei Trofimovich <slyfox@gentoo.org>
    CommitDate: 2020-03-28 00:29:16 +0000

        sys-libs/glibc: drop devpts mount checks, bug #704780

        USE=-suid is a default for a while. The check made sense when
        transition from USE=suid -> USE=-suid was happening. Should not be
        needed nowadays.

        The check fails in private-users containers where devpts is mounted
        as a private group:

        # systemd-nspawn --private-users=65536 -D amd64-stable-glibc-2.30
        Selected user namespace base 65536 and range 65536
        amd64-stable-glibc-2.30 # fgrep pts /proc/mounts
        devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=65541,mode=620,ptmxmode=666 0 0

        PTYs still work in that setup. I guess due to ptmxmode=666 broad
        permissions.

        Let's drop the old check and allow more pts configurations.

        Reported-by: Kai Krakow
        Closes: https://bugs.gentoo.org/704780
        Package-Manager: Portage-2.3.96, Repoman-2.3.22
        Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>

     sys-libs/glibc/glibc-2.31-r2.ebuild | 24 ------------------------
     sys-libs/glibc/glibc-9999.ebuild    | 24 ------------------------
     2 files changed, 48 deletions(-)

---

The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c9f6a29817f5039507af213da5abb0254b13da19

    commit c9f6a29817f5039507af213da5abb0254b13da19
    Author:     Sergei Trofimovich <slyfox@gentoo.org>
    AuthorDate: 2020-05-11 20:52:29 +0000
    Commit:     Sergei Trofimovich <slyfox@gentoo.org>
    CommitDate: 2020-05-11 20:52:29 +0000

        sys-libs/glibc: drop devpts mount checks, bug #704780

        This is the same as b793253be2f42 ("sys-libs/glibc: drop devpts mount
        checks, bug #704780") applied to stable ebuilds.

        Toralf reports that sys-apps/bubblewrap also does not follow tty
        group convention when it mounts devpts.

        Let's drop it from stable ebuilds as well.

        Reported-by: Toralf Förster
        Reported-by: Kai Krakow
        Closes: https://bugs.gentoo.org/704780
        Package-Manager: Portage-2.3.99, Repoman-2.3.22
        Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>

     sys-libs/glibc/glibc-2.30-r8.ebuild | 24 ------------------------
     1 file changed, 24 deletions(-)
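The outputs above show why a check that compares the raw `gid=` option of the devpts mount with the tty group (gid 5) breaks under `--private-users`: inside the container /proc/mounts still reports `gid=65541`, and with the namespace base being 65536 that number is the host-side view of the container's own gid 5 (65541 - 65536 = 5). The devpts superblock prints the gid it was mounted with in the initial user namespace's numbering, so the value has to be translated through /proc/self/gid_map before it is compared with anything inside the container. The script below is an added example written for this page; it is not the glibc ebuild's check (which is not reproduced on this page) and not part of systemd-nspawn. It embeds the /proc/mounts lines from the bug and constructed gid_map contents (an identity map for the host, `0 65536 65536` for the container), puts a naive check next to a namespace-aware one, and, when run on a Linux box, applies the namespace-aware check to the real /proc/mounts and /proc/self/gid_map. The tty gid of 5 is an assumption that matches the bug's host output.

```shell
#!/bin/sh
# Added example, not code from the bug report, the glibc ebuild or systemd-nspawn.
# Shows a devpts sanity check that survives a user-namespaced container by
# mapping the gid reported in /proc/mounts through /proc/self/gid_map.

TTY_GID=5   # assumption: gid of the "tty" group, matching gid=5 on the host above

# /proc/mounts lines as posted in the bug (host and --private-users container).
HOST_MOUNTS='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0'
CONTAINER_MOUNTS='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=65541,mode=620,ptmxmode=666 0 0'

# Constructed /proc/self/gid_map contents ("inside outside count"): the host
# sits in the initial namespace (identity map); the container map is what
# "Selected user namespace base 65536 and range 65536" produces.
HOST_GID_MAP='         0          0 4294967295'
CONTAINER_GID_MAP='         0      65536      65536'

# devpts_opt KEY: print the value of one devpts mount option (gid, mode,
# ptmxmode) from /proc/mounts-style text on stdin; prints nothing if
# /dev/pts is not a devpts mount. "mode=" does not match "ptmxmode=" because
# the key must start at position 1 of the option.
devpts_opt() {
    awk -v key="$1" '$3 == "devpts" && $2 == "/dev/pts" {
        n = split($4, o, ",")
        for (i = 1; i <= n; i++)
            if (index(o[i], key "=") == 1) { print substr(o[i], length(key) + 2); exit }
    }'
}

# gid_from_init_ns GID: translate a gid given in the initial user namespace's
# numbering into the current namespace using gid_map text on stdin. Prints
# nothing when the gid falls outside every mapped range.
gid_from_init_ns() {
    awk -v g="$1" 'BEGIN { g = g + 0 }
    {
        inside = $1 + 0; outside = $2 + 0; count = $3 + 0
        if (g >= outside && g < outside + count) { print inside + (g - outside); exit }
    }'
}

# naive_check MOUNTS: the shape of a check that compares the raw gid= option
# with the tty group. Passes on the host, fails in the container.
naive_check() {
    [ "$(printf '%s\n' "$1" | devpts_opt gid)" = "$TTY_GID" ] &&
    [ "$(printf '%s\n' "$1" | devpts_opt mode)" = "620" ]
}

# ns_aware_check MOUNTS GID_MAP: map the reported gid into the current
# namespace first, then compare. Passes on the host and in the container.
ns_aware_check() {
    nsc_raw=$(printf '%s\n' "$1" | devpts_opt gid)
    [ -n "$nsc_raw" ] || return 1
    nsc_mapped=$(printf '%s\n' "$2" | gid_from_init_ns "$nsc_raw")
    [ "$nsc_mapped" = "$TTY_GID" ] &&
    [ "$(printf '%s\n' "$1" | devpts_opt mode)" = "620" ]
}

# When run as a script on Linux, report on the namespace it is running in.
if [ -r /proc/mounts ] && [ -r /proc/self/gid_map ]; then
    if ns_aware_check "$(cat /proc/mounts)" "$(cat /proc/self/gid_map)"; then
        echo "devpts: reported gid maps to tty (gid $TTY_GID) here, mode=620"
    else
        echo "devpts: not mounted, gid unmapped here, or not tty/mode=620"
    fi
fi
```

On the container data the naive check fails because 65541 is not 5, and the raw value 5 is not even inside the container's mapped range, so it could never have matched; the namespace-aware check maps 65541 to 5 and passes. In the second commit above bubblewrap is reported to not follow the tty group convention at all, which neither variant of the check would accept; that is the case the ebuild change resolves by dropping the check rather than refining it.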