
Apply default lxc.cap.drop to all lxc by os does not work with debian.common.conf #4396

Open
lva-itscope opened this issue Feb 8, 2024 · 0 comments


lva-itscope commented Feb 8, 2024

Required information

  • Distribution: debian (Proxmox)
  • Distribution version: 12 (Proxmox Version 8)
  • The output of
    • lxc-start --version 5.0.2
    • lxc-checkconfig
Kernel configuration not found at /proc/config.gz; searching...
Kernel configuration found at /boot/config-5.15.116-1-pve

--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled

--- Control groups ---
Cgroups: enabled
Cgroup namespace: enabled
Cgroup v1 mount points:
Cgroup v2 mount points:
- /sys/fs/cgroup
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled

--- Misc ---
Veth pair device: enabled, loaded
Macvlan: enabled, not loaded
Vlan: enabled, loaded
Bridges: enabled, not loaded
Advanced netfilter: enabled, not loaded
CONFIG_IP_NF_TARGET_MASQUERADE: enabled, not loaded
CONFIG_IP6_NF_TARGET_MASQUERADE: enabled, not loaded
CONFIG_NETFILTER_XT_TARGET_CHECKSUM: enabled, not loaded
CONFIG_NETFILTER_XT_MATCH_COMMENT: enabled, not loaded
FUSE (for use with lxcfs): enabled, not loaded

--- Checkpoint/Restore ---
checkpoint restore: enabled
CONFIG_FHANDLE: enabled
CONFIG_EVENTFD: enabled
CONFIG_EPOLL: enabled
CONFIG_UNIX_DIAG: enabled
CONFIG_INET_DIAG: enabled
CONFIG_PACKET_DIAG: enabled
CONFIG_NETLINK_DIAG: enabled
File capabilities: enabled

Note : Before booting a new kernel, you can check its configuration
usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig
  • uname -a
    Linux humboldt 5.15.116-1-pve #1 SMP PVE 5.15.116-1 (2023-08-29T13:46Z) x86_64 GNU/Linux

Issue description

We are running LXC debian 12 based containers on our Proxmox Cluster (Version 8.0.4) and had the problem that some systemd related services were shown as failed.
We could resolve this by adding lxc.cap.drop: sys_rawio sys_module audit_read to our lxc config (/etc/pve/lxc/.conf) and this works just fine (We found this useful Blog post).

But of course we don't want to add this line manually to all our containers. Instead we would like to make use of usr/share/lxc/config/debian.common.conf as mentioned here. Unfortunately, I was not able to make this work. I also posted this on the proxmox forum but I wanted to ask here as well as it seems to be something related directly to lxc.

Steps to reproduce

  1. I added lxc.cap.drop = sys_rawio sys_module audit_read to the debian.common.conf file but it seemed to have no effect.
  2. I (on purpose) messed the line up and it took effect (container console on proxmox showed a parsing error). So I assume that in fact the config is in some way being applied.
  3. I tried different ways for the syntax of the line mentioned, i.e. using lxc.cap.drop: sys_rawio sys_module audit_read, lxc.cap.drop = sys_rawio sys_module audit_read, lxc.cap.drop = "sys_rawio sys_module audit_read", all of which had no effect on my container.
  4. It still does not apply those settings, and when using capsh --print inside the container I can confirm that my cap.drop had no effect. However, adding it to the container config directly as mentioned in my first sentence still works.

Information to attach

  • output of capsh --print
    When it does not work:
Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read,cap_perfmon,cap_bpf,cap_checkpoint_restore
Ambient set =
Current IAB:
Securebits: 00/0x0/1'b0
secure-noroot: no (unlocked)
secure-no-suid-fixup: no (unlocked)
secure-keep-caps: no (unlocked)
secure-no-ambient-raise: no (unlocked)
uid=0(root) euid=0(root)
gid=0(root)
groups=0(root)
Guessed mode: UNCERTAIN (0)

When it works:

Current: =ep cap_sys_module,cap_sys_rawio,cap_audit_read-ep
Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_perfmon,cap_bpf,cap_checkpoint_restore
Ambient set =
Current IAB: !cap_sys_module,!cap_sys_rawio,!cap_audit_read
Securebits: 00/0x0/1'b0
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
 secure-no-ambient-raise: no (unlocked)
uid=0(root) euid=0(root)
gid=0(root)
groups=0(root)
Guessed mode: UNCERTAIN (0)
  • Logs when I mess up the config
lxc-stop: 105: ../src/lxc/confile.c: add_cap_entry: 2471 Invalid argument - Invalid capability specified
lxc-stop: 105: ../src/lxc/parse.c: lxc_file_for_each_line_mmap: 129 Failed to parse config file "/usr/share/lxc/config/debian.common.conf" at line "lxc.cap.drop = sys_raw""
lxc-stop: 105: ../src/lxc/parse.c: lxc_file_for_each_line_mmap: 129 Failed to parse config file "/var/lib/lxc/105/config" at line "lxc.include = /usr/share/lxc/config/debian.common.conf"
Failed to load config for 105
lxc-stop: 105: ../src/lxc/tools/lxc_stop.c: main: 143 Error opening container
command 'lxc-stop -n 105' failed: exit code 1
  • config at /usr/share/lxc/config/debian.common.conf
# This derives from the global common config
lxc.include = /usr/share/lxc/config/common.conf

# Doesn't support consoles in /dev/lxc/
lxc.tty.dir =

# When using LXC with apparmor, the container will be confined by default.
# If you wish for it to instead run unconfined, copy the following line
# (uncommented) to the container's configuration file.
#lxc.apparmor.profile = unconfined

# If you wish to allow mounting block filesystems, then use the following
# line instead, and make sure to grant access to the block device and/or loop
# devices below in lxc.cgroup.devices.allow.
#lxc.apparmor.profile = lxc-container-default-with-mounting

# Extra cgroup device access
## rtc
lxc.cgroup.devices.allow = c 254:0 rm
## tun
lxc.cgroup.devices.allow = c 10:200 rwm
## hpet
lxc.cgroup.devices.allow = c 10:228 rwm
## kvm
lxc.cgroup.devices.allow = c 10:232 rwm
## To use loop devices, copy the following line to the container's
## configuration file (uncommented).
#lxc.cgroup.devices.allow = b 7:* rwm

# Drop capabilities that cause errors. 
lxc.cap.drop = sys_rawio

Thanks in advance for any help!
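The script below is an added example; it is not code from this issue or from the LXC project. It resolves an LXC config include chain the way the log above shows LXC doing it (container config, then debian.common.conf, then common.conf), collects every lxc.cap.drop entry, rejects unknown capability names the way LXC's "Invalid capability specified" error does, treats a line without "=" as a parse error, and then compares the configured drops against the bounding set reported by capsh --print, so an administrator can see which configured drops never reached the container. The file contents, paths and capsh output are constructed stand-ins embedded in the script (the common.conf drop list in particular is a placeholder, not the real file), and the parser assumes the unquoted key = value form that debian.common.conf itself uses.

```python
# Linux capability names as capsh prints them, minus the cap_ prefix
# (the 41 names in the bounding set quoted in the issue).
KNOWN_CAPS = {
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
}


def parse_lxc_config(path, files):
    """Return (key, value) pairs for `path` with lxc.include expanded in place.
    `files` maps path -> text (constructed here instead of reading disk);
    a line without '=' is a parse error, reported with its file like the log."""
    entries = []
    for raw in files[path].splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f'Failed to parse config file "{path}" at line "{line}"')
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "lxc.include":
            entries.extend(parse_lxc_config(value, files))  # included file's entries come first
        else:
            entries.append((key, value))
    return entries


def configured_cap_drops(entries):
    """Collect lxc.cap.drop names in config order. An empty value clears the
    list (as LXC's parser does); an unknown name is rejected the way LXC
    reports "Invalid capability specified"."""
    drops = []
    for key, value in entries:
        if key != "lxc.cap.drop":
            continue
        if not value:
            drops.clear()
            continue
        for cap in value.split():
            if cap not in KNOWN_CAPS:
                raise ValueError(f"Invalid capability specified: {cap}")
            drops.append(cap)
    return drops


def config_error(path, files):
    """Return the parse/validation error for a config chain, or None if clean."""
    try:
        configured_cap_drops(parse_lxc_config(path, files))
    except ValueError as exc:
        return str(exc)
    return None


def bounding_set_from_capsh(text):
    """Extract the bounding set from `capsh --print` output, without cap_ prefix."""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Bounding set"):
            _, _, caps = line.partition("=")
            return {c.strip().removeprefix("cap_") for c in caps.split(",") if c.strip()}
    raise ValueError('no "Bounding set" line in capsh output')


def drops_not_applied(configured, bounding):
    """Configured drops that are still present in the container's bounding set."""
    return [cap for cap in configured if cap in bounding]


# Constructed stand-ins for the include chain seen in the issue's log
# (the common.conf drop list is a placeholder, not the real file).
SAMPLE_FILES = {
    "/var/lib/lxc/105/config": "lxc.include = /usr/share/lxc/config/debian.common.conf\nlxc.uts.name = ct105\n",
    "/usr/share/lxc/config/debian.common.conf": (
        "# This derives from the global common config\n"
        "lxc.include = /usr/share/lxc/config/common.conf\n"
        "lxc.tty.dir =\n"
        "lxc.cap.drop = sys_rawio sys_module audit_read\n"
    ),
    "/usr/share/lxc/config/common.conf": "lxc.cap.drop = mac_admin mac_override sys_time\n",
}

# Constructed, abbreviated capsh --print output for the two cases in the issue.
CAPSH_NOT_APPLIED = "Current: =ep\nBounding set =cap_chown,cap_net_admin,cap_sys_module,cap_sys_rawio,cap_audit_read\nAmbient set =\n"
CAPSH_APPLIED = "Current: =ep cap_sys_module,cap_sys_rawio,cap_audit_read-ep\nBounding set =cap_chown,cap_net_admin\nCurrent IAB: !cap_sys_module,!cap_sys_rawio,!cap_audit_read\n"

if __name__ == "__main__":
    drops = configured_cap_drops(parse_lxc_config("/var/lib/lxc/105/config", SAMPLE_FILES))
    for label, out in (("not applied", CAPSH_NOT_APPLIED), ("applied", CAPSH_APPLIED)):
        print(label, "-> still in bounding set:", drops_not_applied(drops, bounding_set_from_capsh(out)))
```

To use it against a real host, replace SAMPLE_FILES with the contents of the container config and each file it includes, and paste the real capsh --print output from inside the container; an empty result from drops_not_applied means every configured drop reached the bounding set, while a non-empty one lists exactly the capabilities that were configured but not enforced.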
