* User namespace over 9p
@ 2014-05-27 10:25 Alin Dobre
From: Alin Dobre @ 2014-05-27 10:25 UTC
To: linux-fsdevel, containers, v9fs-developer, Eric W. Biederman, Eric Van Hensbergen
Hello,
Continuing the struggle to run containers over the 9p filesystem I am
now running into another issue.
A simple container with user namespace mapping UID -2 (4294967294) to
root can run a container image found in /tmp/src without any problems.
When I export that /tmp/src path via 9p and mount it in /tmp/dst,
running the same container over /tmp/dst fails to allow chown (and
probably chmod) system calls to be successful. This happens because 9p
considers that the UID which runs the system calls is actually -2, but
it's actually 0, because the lchown system call is run inside the
namespace, not outside it. So, 9p should consider that the UID which
does the system call is root.
Do I understand this correctly as a problem, or does it work as
intended? If the latter, do you have any insights on how to achieve
running containers in this scenario?
Cheers,
Alin.
* Re: User namespace over 9p
@ 2014-05-27 10:39 Eric W. Biederman
From: Eric W. Biederman @ 2014-05-27 10:39 UTC
To: Alin Dobre
Cc: linux-fsdevel-u79uwXL29TY76Z2rM5mHXA, v9fs-developer-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f, containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA, Eric Van Hensbergen
Alin Dobre <alin.dobre-1hSFou9RDDldEee+Cai+ZQ@public.gmane.org> writes:
> Hello,
>
> Continuing the struggle to run containers over the 9p filesystem I am
> now running into another issue.
>
> A simple container with user namespace mapping UID -2 (4294967294) to
> root can run a container image found in /tmp/src without any problems.
> When I export that /tmp/src path via 9p and mount it in /tmp/dst,
> running the same container over /tmp/dst fails to allow chown (and
> probably chmod) system calls to be successful. This happens because 9p
> considers that the UID which runs the system calls is actually -2, but
> it's actually 0, because the lchown system call is run inside the
> namespace, not outside it. So, 9p should consider that the UID which
> does the system call is root.
No, the UID is actually -2. (-2 is a little dangerous to use because
sometimes -2 is used for the nobody user and similar special purposes.)
There is some minor relaxation of the rules in the vfs to allow changing
to a uid you have mapped in your user namespace. Which is why chown
works at all.
> Do I understand this correctly as a problem, or does it work as
> intended? If the latter, do you have any insights on how to achieve
> running containers in this scenario?
If the permission check is made on the kernel with user namespaces we
can reasonably make it work. Otherwise we can not.
That is a danger of using remote filesystems: they can sometimes have
weird arbitrary rules you were not expecting.
Eric
* Re: User namespace over 9p
@ 2014-05-27 10:51 Alin Dobre
From: Alin Dobre @ 2014-05-27 10:51 UTC
To: Eric W. Biederman
Cc: linux-fsdevel, containers, v9fs-developer, Eric Van Hensbergen
Eric, thanks for the response.
On 27/05/14 11:39, Eric W. Biederman wrote:
>> Do I understand this correctly as a problem, or does it work as
>> intended? If the latter, do you have any insights on how to achieve
>> running containers in this scenario?
> If the permission check is made on the kernel with user namespaces we
> can reasonably make it work. Otherwise we can not. That is a danger
> of using remote filesystems: they can sometimes have weird arbitrary
> rules you were not expecting.
I'm using diod as the 9p server, and it seems that it receives the
calling UID as -2 from the 9p kernel module on the client side, which
has user namespaces enabled.
Cheers,
Alin.
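The translation behind Eric's point and Alin's observation, as an added example (a constructed model written for this page, not code from the thread, from diod or from the kernel): it parses a map in the /proc/PID/uid_map format and applies the extent arithmetic in both directions, so that a chown to uid 0 issued inside a namespace mapped "0 4294967294 1" resolves to the host-side value 4294967294, i.e. (uid_t)-2, which is the calling UID diod receives. The function names only mirror the kernel's make_kuid/from_kuid by analogy; the signatures are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of /proc/PID/uid_map: one extent per line,
 * "<ns_first> <host_first> <count>". Not the kernel's own code. */
#define MAX_EXTENTS 5
#define INVALID_UID ((uint32_t)-1)  /* stands in for the kernel's INVALID_UID */

struct uid_extent { uint32_t first, lower_first, count; };
struct uid_map {
    int n;
    struct uid_extent ext[MAX_EXTENTS];
};

/* Parse uid_map text; returns the number of extents or -1 on a malformed line. */
int parse_uid_map(const char *text, struct uid_map *m)
{
    char buf[256];
    strncpy(buf, text, sizeof buf - 1); buf[sizeof buf - 1] = '\0';
    m->n = 0;
    for (char *line = strtok(buf, "\n"); line; line = strtok(NULL, "\n")) {
        unsigned long f, l, c;
        if (m->n == MAX_EXTENTS || sscanf(line, "%lu %lu %lu", &f, &l, &c) != 3 || c == 0)
            return -1;
        struct uid_extent *e = &m->ext[m->n++];
        e->first = (uint32_t)f; e->lower_first = (uint32_t)l; e->count = (uint32_t)c;
    }
    return m->n;
}

/* make_kuid: uid as seen inside the namespace -> kernel-internal (host) uid.
 * This is what chown() inside the namespace hands to the filesystem and what
 * the 9p client puts on the wire, so the server sees 4294967294, not 0. */
uint32_t make_kuid(const struct uid_map *m, uint32_t ns_uid)
{
    for (int i = 0; i < m->n; i++)
        if (ns_uid >= m->ext[i].first && ns_uid - m->ext[i].first < m->ext[i].count)
            return m->ext[i].lower_first + (ns_uid - m->ext[i].first);
    return INVALID_UID;  /* unmapped: the vfs refuses to chown to such a uid */
}

/* from_kuid: kernel-internal uid -> uid as seen inside the namespace. */
uint32_t from_kuid(const struct uid_map *m, uint32_t kuid)
{
    for (int i = 0; i < m->n; i++)
        if (kuid >= m->ext[i].lower_first && kuid - m->ext[i].lower_first < m->ext[i].count)
            return m->ext[i].first + (kuid - m->ext[i].lower_first);
    return INVALID_UID;  /* a host uid with no mapping is invisible inside */
}
```

A 9p server that compares the wire uid against the file's owner, or against its own notion of "nobody", is therefore comparing 4294967294, which is the collision Eric warns about when -2 doubles as a special user.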
* Re: User namespace over 9p
@ 2014-06-10 12:58 Alin Dobre
From: Alin Dobre @ 2014-06-10 12:58 UTC
To: Eric W. Biederman, containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA, linux-fsdevel-u79uwXL29TY76Z2rM5mHXA, v9fs-developer-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f
Cc: Eric Van Hensbergen
On 27/05/14 11:39, Eric W. Biederman wrote:
> If the permission check is made on the kernel with user namespaces we
> can reasonably make it work.
I'm pretty sure this is the case and I appreciate your help on this
matter.
Cheers!
Alin.
* Re: User namespace over 9p
@ 2014-06-11 23:14 Eric W. Biederman
From: Eric W. Biederman @ 2014-06-11 23:14 UTC
To: Alin Dobre
Cc: linux-fsdevel-u79uwXL29TY76Z2rM5mHXA, v9fs-developer-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f, containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA, Eric Van Hensbergen
Alin Dobre <alin.dobre-1hSFou9RDDldEee+Cai+ZQ@public.gmane.org> writes:
> On 27/05/14 11:39, Eric W. Biederman wrote:
>> If the permission check is made on the kernel with user namespaces we
>> can reasonably make it work.
>
> I'm pretty sure this is the case and I appreciate your help on this
> matter.
Point me to the permission check in 9p on the client that is failing
and I can advise you on how to update the permission check safely.
Eric