[SOLVED] Update shadow for -current please?

chris.willing · 06-30-2014, 05:12 AM

Hi mancha,

I already sent the request to Pat earlier today - before you brought up the CVE - but I gave him a link to this discussion so hopefully he will see it.

Hi ml4711,

The CONFIG_MEMCG & CONFIG_MEMCG_KMEM options are already turned on in the 3.4.15 kernel in -current. In the stock 3.10.17 kernels of 14.1, CONFIG_MEMCG is not set and CONFIG_MEMCG_KMEM doesn't seem to exist. In fact I don't see CONFIG_USER_NS in 3.10.17 either. I guess it must have been introduced some time later in the 3.10 series, since mancha has mentioned that a related vulnerability was fixed by 3.10.44.

chris

Drakeo · 06-30-2014, 06:12 AM

Quote:

Originally Posted by mancha

Isn't his question about Slackware?

===

The OP makes a good case why the new Shadow version should be considered for the next Slackware release. Being able to use
user namespaces with LXC containers is a very important feature. Without that, LXC containment is rather unsafe: uid 0 inside
the container is uid 0 outside meaning an escape from isolation can have catastrophic consequences. It doesn't end there; To
improve the security of your LXC container you need to also be concerned with issues like resource sharing, etc.

Also, if the new Shadow is going to end up in the next Slackware, inclusion in Slackware-current is better sooner than later to
increase the probability bugs/issues/etc. are found and reported before the stable release.

Chris:

Pat visits LQ but I am not sure how regularly. You might want to also send a similar request directly to him via email. In addition
to the Shadow bump you would need to request that Pat: a) upgrade to LXC 1.0+ (as of 20140602, 1.0.3 is the latest), and
b) add user namespace support to the kernel (CONFIG_USER_NS). When doing that I recommend adding memory resource
controllers (CONFIG_MEMCG & CONFIG_MEMCG_KMEM).

--mancha

ok thanks

chris.willing · 07-13-2014, 08:40 PM

Latest -current has all the required stuff in it now. From the ChangeLog:

a/shadow-4.2.1-x86_64-1.txz: Upgraded.
This adds support for subuid and subgid needed for unprivileged containers.
ap/cgmanager-20140710_986cd44-x86_64-1.txz: Added.
ap/lxc-1.0.3-x86_64-1.txz: Upgraded.
This adds a template for for lxc-create to create a minimal Slackware container using slackpkg.
k/kernel-source-3.14.12-noarch-1.txz: Upgraded.
Added back CONFIG_USER_NS=y now that it no longer conflicts with XFS.
l/libnih-1.0.3-x86_64-1.txz: Added.

The MEMCG and MEMCG_KMEM options were already set in the -current kernel.

Thanks to Matteo for the cgmanager & libnih packages which have been included (also for slackpkg based template included with lxc-1.0.3 update - although 1.0.4 has been available for about a month now, see: https://linuxcontainers.org/news/ for changes).

Thanks Pat for considering & including the new & updated packages.

chris

ponce · 07-14-2014, 01:37 PM

Quote:

Originally Posted by chris.willing

although 1.0.4 has been available for about a month now, see: https://linuxcontainers.org/news/ for changes).

1.0.5 has just been released: will test it very soon

chris.willing · 07-14-2014, 09:56 PM

Thanks for the tip off about lxc-1.0.5 Matteo. I was trying to reproduce the unprivileged container stuff that had worked previously using the latest -current. I spent all day yesterday on it but couldn't make it work. It turns out that the -current kernel version went from 3.14.5 (which I was previously using with a patch to enable user namespace) to 3.14.12 which had some other updates which prevented lxc-1.0.{3,4} from working correctly for unprivileged containers. The fixes went into 1.0.5 which I downloaded & built when you mentioned it was available.

So, its all working again now but definitely needs lxc-1.0.5 for the unprivileged containers to work.

BTW, one thing I noticed in unprivileged mode is that starting klogd (from rc.syslog) makes the container appear to hang at startup (it actually starts again after a minute or so but I've given up by then). The solution is to change the rc.syslog in the container so that it does:
/usr/sbin/klogd -c 3 -x -s
(instead of /usr/sbin/klogd -c 3 -x)

Also, a minor suggestion for the template; could you add something like PATH=/sbin:/usr/sbin:$PATH near the beginning please? I tend to run as normal user and invoke with sudo e.g.
sudo lxc-create -n current -t slackware
but since /sbin isn't in my PATH, calling installpkg in the template fails. Then I have to do
sudo PATH=/sbin:/usr/sbin:$PATH lxc-create -n current -t slackware
to make it work.

chris

chris.willing · 07-14-2014, 11:54 PM

One other thing Matteo, with regard to your cgmanager package that Pat has accepted, it would be really useful if it would include an rc.cgmanager script to start the cgmanager daemon at boot time. I made my own very simple one - in the start function it just does:

/usr/sbin/cgmanager --daemon

and in the stop function:

/usr/bin/pkill cgmanager

I call mine from rc.local but eventually it may be better to start it from rc.M, or even rc.S where the cgroup initialisation is done.

chris

ponce · 07-15-2014, 09:15 AM

thanks Chris for the hints!

Quote:

Originally Posted by chris.willing

BTW, one thing I noticed in unprivileged mode is that starting klogd (from rc.syslog) makes the container appear to hang at startup (it actually starts again after a minute or so but I've given up by then). The solution is to change the rc.syslog in the container so that it does:
/usr/sbin/klogd -c 3 -x -s
(instead of /usr/sbin/klogd -c 3 -x)

done.

Quote:

Also, a minor suggestion for the template; could you add something like PATH=/sbin:/usr/sbin:$PATH near the beginning please? I tend to run as normal user and invoke with sudo e.g.
sudo lxc-create -n current -t slackware
but since /sbin isn't in my PATH, calling installpkg in the template fails. Then I have to do
sudo PATH=/sbin:/usr/sbin:$PATH lxc-create -n current -t slackware
to make it work.

done.
here is the modified build script

Quote:

Originally Posted by chris.willing

One other thing Matteo, with regard to your cgmanager package that Pat has accepted, it would be really useful if it would include an rc.cgmanager script to start the cgmanager daemon at boot time. I made my own very simple one - in the start function it just does:

/usr/sbin/cgmanager --daemon

and in the stop function:

/usr/bin/pkill cgmanager

I call mine from rc.local but eventually it may be better to start it from rc.M, or even rc.S where the cgroup initialisation is done.

I added this /etc/rc.d/rc.cgmanager file locally (modified build script)

Code:

#!/bin/sh
# rc.cgmanager init script
# Written by Matteo Bernardini <ponce@slackbuilds.org>
# Suggested by Christoph Willing <chris.willing@iinet.net.au>

start_cgmanager() {
  /usr/sbin/cgmanager --daemon
}

stop_cgmanager() {
  /usr/bin/pkill cgmanager
}

restart_cgmanager() {
  stop_cgmanager
  start_cgmanager
}

case "$1" in
'start')
  start_cgmanager
  ;;
'stop')
  stop_cgmanager
  ;;
'restart')
  restart_cgmanager
  ;;
*)
  echo "usage $0 start|stop|restart"
esac

and this block to /etc/rc.d/rc.S (trying to follow also the advices in the README)

Code:

--- rc.S.orig   2014-07-15 15:13:16.383429282 +0200
+++ rc.S        2014-07-15 14:39:18.683145530 +0200
@@ -67,6 +67,10 @@
       # We can't use autodetection so fall back mounting them all together
       mount -t cgroup cgroup /sys/fs/cgroup
     fi
+    # Start cgmanager
+    if [ -x /etc/rc.d/rc.cgmanager ]; then
+      . /etc/rc.d/rc.cgmanager start
+    fi
   else
     mkdir -p /dev/cgroup
     mount -t cgroup cgroup /dev/cgroup

can you please check if it's ok?

I'll have a look in packaging Serge's nsexec stuff (for uidmapshift), as I haven't tested userns yet...
I've read your related posts in the lxc-users ML, so I'll hope they can help me to try them

genss · 07-15-2014, 09:19 AM

ponce, restart should be quoted i think

chris.willing · 07-15-2014, 09:58 PM

All those changes work great, thanks Matteo.

I see Pat has already update to lxc-1.0.5 in today's updates - it would have been good to include the updated template at the same time. Oh well ..

Some more on the template though - we don't need an explicit lxc.rootfs = $rootfs (from the .in file) because lxc-create now adds it to the final config file already.
Similarly, if you add the line:

lxc.mount.auto = proc sys cgroup

to the /etc/lxc/default.conf file, then lxc-create adds those systems to the container config file so that they don't need to be set in the container fstab. Therefore I was able to remove the lines

none $rootfs/proc proc 0 0
none $rootfs/sys sysfs 0 0

from the template. After lxc-create, the container config file has automatically added

lxc.mount.auto proc:mixed sys:ro cgroup

and those virtual file systems exist and work as normal in the running container.

I'm not sure what the lxcpts $rootfs/dev/pts devpts 0 0 (also in the container fstab) will do. I removed it to test and everything still seems normal without it.

The uidmapshift is at http://bazaar.launchpad.net/~serge-h...k/nsexec/files. Maybe all the stuff there is useful to perhaps make some sort of lxc-tools package but I've used only the container-userns-convert script and uidmapshift.c which compiled locally without any of the other .c files there.

chris

chris.willing · 07-17-2014, 09:17 PM

Hey Matteo,

I had better idea about how to arrange proc, sys, cgroup mounts in the container template. Rather than adding "lxc.mount.auto = proc sys cgroup" into /etc/lxc/default.conf (from which lxc-create would add "lxc.mount.auto = proc:mixed sys:ro cgroup" into the container config file), you could add the line "lxc.mount.auto = proc:mixed sys:ro cgroup" into the template (in the copy_configuration() function just before "lxc.mount = $rootfs/etc/fstab") and remove the lines "none $rootfs/proc proc defaults 0 0" and "none $rootfs/sys sysfs defaults 0 0" (where the container fstab is set up). I just tried that this morning and it works fine for both ordinary and unprivileged containers.

Here's a diff against the the lxc-slackware.in from your earlier update

Code:

diff -urN lxc-slackware.in.orig lxc-slackware.in
--- lxc-slackware.in.orig       2014-07-16 09:55:03.927369565 +1000
+++ lxc-slackware.in    2014-07-18 10:41:48.318987059 +1000
@@ -117,9 +117,7 @@
 echo "Adding an etc/fstab that must be modified later with the"
 echo "full path of the container's rootfs if you decide to move it."
 cat >$rootfs/etc/fstab <<EOF
-lxcpts $rootfs/dev/pts devpts defaults,newinstance 0 0
-none $rootfs/proc    proc   defaults 0 0
-none $rootfs/sys     sysfs  defaults 0 0
+#lxcpts $rootfs/dev/pts devpts defaults,newinstance 0 0
 none /dev/shm tmpfs defaults 0 0
 none /run tmpfs defaults,mode=0755 0 0
 EOF
@@ -635,6 +633,7 @@
 
 lxc.utsname = $name
 
+lxc.mount.auto = proc:mixed sys:ro cgroup
 lxc.mount = $rootfs/etc/fstab
 
 lxc.tty = 4

The big benefit is being able to remove any path based entry in the container fstab. This is important when changing an ordinary container into an unprivileged container. In that situation, after doing the uidmapshift, you would copy the whole container named (for instance) test1 from /var/lib/lxc/test1 to ~/.local/share/lxc/test1. In the new location, you have to edit any paths in the container using its old location and naturally this is error prone so its good to minimize the number to do. Typically there are two such paths in test1/config - hopefully that would be all. However with current template there are still paths in test1/rootfs/etc/fstab which presume the old /var/lib/lxc/test1 location for mounting /proc and /sys - they can be avoided by having "lxc.mount.auto = proc:mixed sys:ro cgroup" in the template instead.

BTW I've started on a howto at http://www.darlo.tv/lxc/unpriv-slackware.html. I thought I'd do it in two parts - 1st one there now about setting up; then a part 2 about creating ordinary container and converting to unprivileged.

chris