
nspawn: devpts not mounted with PrivateUsers

Linux Kernel, Network, and Services configuration.
OlafLostViking
Posts: 3
Joined: 2017-04-19 09:23

#1 Post by OlafLostViking »

Hi!
Environment:
  • Debian Stretch (minbase + systemd + systemd-container + ...)
  • systemd-232 (systemd-232-22_amd64)
My goal
Run each nspawn-container with a dedicated user id.

Unexpected behaviour
Setting up and running nspawn based containers without any PrivateUsers-setting works. The containers run using a random user-id. (Here I seem to misunderstand the manual as it says "false" is the default setting and therefore no mapping at all should happen?)

But as soon as I add a PrivateUsers=true or PrivateUsers=ID setting into the corresponding .nspawn-file, systemd fails while mounting devpts in the container.

Since I like the idea of having a dedicated user for each container (and therefore seeing his uid in ps & co on the host), I did the following:

Code:

# On the host:
$ groupadd -g3777036288 MY_GROUP
$ echo MY_GROUP:3777036288:65536 >> /etc/subgid
$ useradd -d/var/lib/machines/MY_CONTAINER -M -g3777036288 -u3777036288 MY_USER
$ echo MY_USER:3777036288:65536 >> /etc/subuid
$ chown MY_USER:MY_GROUP /var/lib/machines/MY_CONTAINER
$ echo -e "[Exec]\nPrivateUsers=true\n" > /etc/systemd/nspawn/MY_CONTAINER.nspawn
-OR-
$ echo -e "[Exec]\nPrivateUsers=3777036288\n" > /etc/systemd/nspawn/MY_CONTAINER.nspawn
$ machinectl start MY_CONTAINER
(The strange-looking ID represents the container in the upper 16 bits so that nspawn can use the lower 16 bits for the local uids. And not putting anything in /etc/sub?id doesn't change anything. But putting the IDs there is the correct way, right?)

Journalctl shows the following:

Code:

# On the host:
  systemd[1]: Starting Container MY_CONTAINER...
  systemd-nspawn[6345]: Selected user namespace base 3777036288 and range 65536.
  systemd-nspawn[6345]: Failed to mount n/a on /var/lib/machines/MY_CONTAINER/sys/fs/selinux (MS_BIND ""): No such file or directory
  systemd-nspawn[6345]: Failed to mount n/a on /var/lib/machines/MY_CONTAINER/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_REMOUNT|MS_BIND ""): Invalid argument
  systemd-nspawn[6345]: Failed to mount devpts on /var/lib/machines/MY_CONTAINER/dev/pts (MS_NOSUID|MS_NOEXEC "newinstance,ptmxmode=0666,mode=620,gid=3777036293"): Invalid argument
  systemd[1]: systemd-nspawn@MY_CONTAINER.service: Main process exited, code=exited, status=1/FAILURE
  systemd[1]: Failed to start Container MY_CONTAINER.
  systemd[1]: systemd-nspawn@MY_CONTAINER.service: Unit entered failed state.
  systemd[1]: systemd-nspawn@MY_CONTAINER.service: Failed with result 'exit-code'.
The first two failed mounts (selinux) always happen - it's a minbase installation after all? - including on successful starts of containers (when not using PrivateUsers settings). But the second one seems to lead to the failed start. Systemd creates the gid 3777036293 for the pts mount, which is +5 from my given uid. And 5 is the group tty (which should be the owner of pts).

Code:

# On the host:
$ grep pts /proc/mounts 
  devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0

Code:

# On a successfully started container (no PrivateUsers setting, random uid):
$ grep pts /proc/mounts 
  devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=32702469,mode=620,ptmxmode=666 0 0
  devpts /dev/console devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
I hope all needed information is included in this post!

Thanks

PS: I wonder if this could be connected to https://github.com/systemd/systemd/issues/337?
