Bug#934155: lxc: unprivileged lxc container with veth does not start since update to 1:3.1.0+really3.0.4-1 amd64
Jarek Slosarczyk
2019-08-07 15:20:02 UTC
Package: lxc
Version: 1:3.1.0+really3.0.4-1
Severity: important

Dear Maintainer,

Since the update to 1:3.1.0+really3.0.4-1 I cannot use my unprivileged lxc containers with network over veth.
Containers refuse to start with interfaces like 'lxc.net.0.type = veth'.

Removing 'lxc.net.0.type = veth' from the config file makes the container "usable" again.

Downgrading lxc (liblxc1, libpam-cgfs) to the previous version 1:3.1.0+really3.0.3-8 resolves this issue - I can start _with_ veth and have access to the network.

This is what the network part of my config file looks like:

lxc.net.0.type = veth
lxc.net.0.flags = up
lxc.net.0.link = br0
lxc.net.0.name = eth0
lxc.net.0.hwaddr = 00:16:3e:aa:bb:cc
lxc.net.1.type = veth
lxc.net.1.flags = up
lxc.net.1.link = br1
lxc.net.1.name = eth1
lxc.net.1.hwaddr = 00:16:3e:dd:ee:ff

-- System Information:
Debian Release: bullseye/sid
APT prefers unstable
APT policy: (800, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages lxc depends on:
ii debconf [debconf-2.0] 1.5.73
ii libc6 2.28-10
ii libcap2 1:2.25-2
ii libgcc1 1:9.1.0-10
ii liblxc1 1:3.1.0+really3.0.4-1
ii libseccomp2 2.4.1-2
ii libselinux1 2.9-2
ii lsb-base 10.2019051400

Versions of packages lxc recommends:
ii apparmor 2.13.3-4
ii bridge-utils 1.6-2
ii debootstrap 1.0.115
ii dirmngr 2.2.17-3
ii dnsmasq-base [dnsmasq-base] 2.80-1
ii gnupg 2.2.17-3
ii iproute2 5.2.0-1
ii iptables 1.8.3-2
ii libpam-cgfs 1:3.1.0+really3.0.4-1
ii lxc-templates 3.0.3-1+b1
ii lxcfs 3.0.4-1
ii nftables 0.9.1-2+b1
ii openssl 1.1.1c-1
ii rsync 3.1.3-6+b1
ii uidmap 1:4.7-2

Versions of packages lxc suggests:
ii btrfs-progs 5.2.1-1
ii lvm2 2.03.02-3
ii python3-lxc 1:3.0.3-1+b1

-- Configuration Files:
/etc/apparmor.d/usr.bin.lxc-start changed:
/usr/bin/lxc-start flags=(attach_disconnected, audit) {
#include <abstractions/lxc/start-container>

/etc/default/lxc changed:
STOPOPTS="-a -A -s"
USE_LXC_BRIDGE="false" # overridden in lxc-net
[ ! -f /etc/default/lxc-net ] || . /etc/default/lxc-net

/etc/lxc/default.conf changed:
lxc.net.0.type = empty
lxc.net.1.type = empty

/etc/sysctl.d/30-lxc-inotify.conf [Errno 2] No such file or directory: '/etc/sysctl.d/30-lxc-inotify.conf'

-- debconf information:
Jarek Slosarczyk
2019-08-07 16:00:02 UTC
Attached a log file generated with:
lxc-start -F tex --logfile texdebug0 --logpriority DEBUG
() ascii ribbon campaign - against html e-mail
/\ www.asciiribbon.org - against proprietary attachments
Taavi Ilves
2019-08-11 16:40:01 UTC
I had the same issue and the same error as seen in texdebug0.

I downgraded to 1:3.1.0+really3.0.3-8 from testing and containers
started normally.
Eugene Berdnikov
2019-08-18 19:20:01 UTC
I can't start even a privileged container (under root).

Kernel: 4.19.0-4-amd64 #1 SMP Debian 4.19.28-2 (2019-03-15) x86_64 GNU/Linux

Problem was solved by downgrade to lxc/liblxc1 1:3.1.0+really3.0.3-8.
Example of debug log in attachment.
Eugene Berdnikov
Jarek Slosarczyk
2019-08-19 14:00:02 UTC

I've dug more into the issue.

Since the update from 1:3.1.0+really3.0.3-8 to 1:3.1.0+really3.0.4-1 the binary
'lxc-user-nic' is no longer SUID.

This change looks like:

lxc 1:3.1.0+really3.0.3-8
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic -rwsr-xr-x root:root

lxc 1:3.1.0+really3.0.4-1
/usr/libexec/lxc/lxc-user-nic -rwxr-xr-x root:root

At the moment 'lxc-user-nic' doesn't have permission to make any
modification in '/run/lxc/nics', and fails with:

lxc-start test0 20190819112823.602 ERROR network - network.c:lxc_create_network_unpriv_exec:2296 - lxc-user-nic failed to configure requested network: Permission denied - Failed to create /run/lxc

Setting SUID on '/usr/libexec/lxc/lxc-user-nic' makes unprivileged containers with
veth usable again.

BTW - the same issue still exists in the following version
1:3.1.0+really3.0.4-1.1 of lxc.

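As an added check, not part of this thread or of the lxc project's own code: a POSIX shell script that audits whether lxc-user-nic is setuid root at the two locations named above and recognises this bug's error line in an lxc-start debug log. The variable and function names are this example's own, and SAMPLE_ERROR_LINE is a constructed copy of the error quoted above.

```shell
#!/bin/sh
# Added example, not part of the bug report: audit whether lxc-user-nic is
# setuid root (what the 3.0.4-1 package lost) and recognise the resulting
# lxc-start error in a debug log. Paths and the sample line come from the thread.
USER_NIC_PATHS='/usr/libexec/lxc/lxc-user-nic /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic'
# Constructed sample: the error line quoted in the thread, on one line.
SAMPLE_ERROR_LINE='lxc-start test0 20190819112823.602 ERROR network - network.c:lxc_create_network_unpriv_exec:2296 - lxc-user-nic failed to configure requested network: Permission denied - Failed to create /run/lxc'
# classify_user_nic MODE OWNER: MODE as printed by ls -l / stat -c %A
# (e.g. -rwsr-xr-x). Returns 0 only for setuid plus owner root, the combination
# that lets an unprivileged caller create veth entries under /run/lxc/nics.
classify_user_nic() {
    case "$1" in
        ???s??????) ;;   # owner-execute with the setuid bit set
        *) return 1 ;;   # plain -rwxr-xr-x, or 'S' (setuid without exec)
    esac
    [ "$2" = root ]
}

# check_user_nic PATH: prints a verdict; 0 usable, 1 not setuid root, 2 missing.
check_user_nic() {
    f=$1
    [ -e "$f" ] || { printf '%s: not present\n' "$f"; return 2; }
    mode=$(stat -c '%A' "$f")
    owner=$(stat -c '%U' "$f")
    if classify_user_nic "$mode" "$owner"; then
        printf '%s: %s %s (setuid root, unprivileged veth setup possible)\n' "$f" "$mode" "$owner"
        return 0
    fi
    printf '%s: %s %s (NOT setuid root; expect "Permission denied - Failed to create /run/lxc")\n' \
        "$f" "$mode" "$owner"
    return 1
}

# log_shows_user_nic_failure < LOGFILE: 0 when the log carries this bug's signature.
log_shows_user_nic_failure() {
    grep -q 'lxc-user-nic failed to configure requested network'
}

# audit_user_nic: 0 if at least one known location holds a usable helper.
audit_user_nic() {
    rc=1
    for p in $USER_NIC_PATHS; do
        check_user_nic "$p" && rc=0
    done
    return $rc
}

# Stand-alone run: audit this host, then demonstrate the log check on the sample.
audit_user_nic || echo 'no setuid-root lxc-user-nic found; unprivileged veth containers will not start' >&2
printf '%s\n' "$SAMPLE_ERROR_LINE" | log_shows_user_nic_failure && echo 'sample log line matches this bug'
```

On a real host, run `log_shows_user_nic_failure < texdebug0` against the debug log to confirm the failure is the one discussed here rather than a different network error.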