Update console and mount handling for user namespaces

This updates the console handling to chown the console on creation to
the root user within the container.

This also moves the setup mounts from the userns sidecar process into
the main init processes by trying to mknod devices, if it fails on an
EPERM then bind mount the device from the host into the container for
use.  This prevents access issues when the sidecar process mknods the
device for the usernamespace returning an EPERM when writting to
dev/null.

This also adds some error handling for init processes and nsinit updates
with added flags for testing and other functions.

Signed-off-by: Michael Crosby <[email protected]>

Author: crosbymichael

linux_console.go

@@ -12,13 +12,9 @@ import (
 	"github.com/docker/libcontainer/label"
 )
 
-const (
-	containerConsolePath string = "/dev/console"
-)
-
 // NewConsole returns an initalized console that can be used within a container by copying bytes
 // from the master side to the slave that is attached as the tty for the container's init process.
-func NewConsole() (Console, error) {
+func NewConsole(uid, gid int) (Console, error) {
 	master, err := os.OpenFile("/dev/ptmx", syscall.O_RDWR|syscall.O_NOCTTY|syscall.O_CLOEXEC, 0)
 	if err != nil {
 		return nil, err
@@ -30,6 +26,12 @@ func NewConsole() (Console, error) {
 	if err := unlockpt(master); err != nil {
 		return nil, err
 	}
+	if err := os.Chmod(console, 0600); err != nil {
+		return nil, err
+	}
+	if err := os.Chown(console, uid, gid); err != nil {
+		return nil, err
+	}
 	return &linuxConsole{
 		slavePath: console,
 		master:    master,
@@ -78,16 +80,10 @@ func (c *linuxConsole) Close() error {
 func (c *linuxConsole) mount(rootfs, mountLabel string, uid, gid int) error {
 	oldMask := syscall.Umask(0000)
 	defer syscall.Umask(oldMask)
-	if err := os.Chmod(c.slavePath, 0600); err != nil {
-		return err
-	}
-	if err := os.Chown(c.slavePath, uid, gid); err != nil {
-		return err
-	}
 	if err := label.SetFileLabel(c.slavePath, mountLabel); err != nil {
 		return err
 	}
-	dest := filepath.Join(rootfs, containerConsolePath)
+	dest := filepath.Join(rootfs, "/dev/console")
 	f, err := os.Create(dest)
 	if err != nil && !os.IsExist(err) {
 		return err

linux_rootfs.go

@@ -35,52 +35,49 @@ var baseMounts = []*configs.Mount{
 		Destination: "/dev/pts",
 		Device:      "devpts",
 		Flags:       syscall.MS_NOSUID | syscall.MS_NOEXEC,
-		Data:        "newinstance,ptmxmode=0666,mode=620,gid=5",
+		Data:        "newinstance,ptmxmode=0666,mode=0620,gid=5",
 	},
 }
 
 // setupRootfs sets up the devices, mount points, and filesystems for use inside a
 // new mount namespace.
 func setupRootfs(config *configs.Config) (err error) {
 	if err := prepareRoot(config); err != nil {
-		return err
+		return newSystemError(err)
 	}
 	for _, m := range append(baseMounts, config.Mounts...) {
 		if err := mount(m, config.Rootfs, config.MountLabel); err != nil {
-			return err
+			return newSystemError(err)
 		}
 	}
 	if err := createDevices(config); err != nil {
-		return err
+		return newSystemError(err)
 	}
 	if err := setupPtmx(config); err != nil {
-		return err
+		return newSystemError(err)
 	}
 	// stdin, stdout and stderr could be pointing to /dev/null from parent namespace.
-	// Re-open them inside this namespace.
-	// FIXME: Need to fix this for user namespaces.
-	if !config.Namespaces.Contains(configs.NEWUSER) {
-		if err := reOpenDevNull(config.Rootfs); err != nil {
-			return err
-		}
+	// re-open them inside this namespace.
+	if err := reOpenDevNull(config.Rootfs); err != nil {
+		return newSystemError(err)
 	}
 	if err := setupDevSymlinks(config.Rootfs); err != nil {
-		return err
+		return newSystemError(err)
 	}
 	if err := syscall.Chdir(config.Rootfs); err != nil {
-		return err
+		return newSystemError(err)
 	}
 	if config.NoPivotRoot {
 		err = msMoveRoot(config.Rootfs)
 	} else {
 		err = pivotRoot(config.Rootfs, config.PivotDir)
 	}
 	if err != nil {
-		return err
+		return newSystemError(err)
 	}
 	if config.Readonlyfs {
 		if err := setReadonly(); err != nil {
-			return err
+			return newSystemError(err)
 		}
 	}
 	syscall.Umask(0022)
@@ -209,6 +206,28 @@ func createDeviceNode(rootfs string, node *configs.Device) error {
 	if err := os.MkdirAll(parent, 0755); err != nil {
 		return err
 	}
+	if err := mknodDevice(dest, node); err != nil {
+		if os.IsExist(err) {
+			return nil
+		}
+		// containers running in a user namespace are not allowed to mknod
+		// devices so we can just bind mount it from the host.
+		if err == syscall.EPERM {
+			f, err := os.Create(dest)
+			if err != nil {
+				if os.IsExist(err) {
+					return nil
+				}
+				return err
+			}
+			f.Close()
+			return syscall.Mount(node.Path, dest, "bind", syscall.MS_BIND, "")
+		}
+	}
+	return nil
+}
+
+func mknodDevice(dest string, node *configs.Device) error {
 	fileMode := node.FileMode
 	switch node.Type {
 	case 'c':
@@ -218,13 +237,10 @@ func createDeviceNode(rootfs string, node *configs.Device) error {
 	default:
 		return fmt.Errorf("%c is not a valid device type for device %s", node.Type, node.Path)
 	}
-	if err := syscall.Mknod(dest, uint32(fileMode), node.Mkdev()); err != nil && !os.IsExist(err) {
-		return fmt.Errorf("mknod %s %s", node.Path, err)
-	}
-	if err := syscall.Chown(dest, int(node.Uid), int(node.Gid)); err != nil {
-		return fmt.Errorf("chown %s to %d:%d", node.Path, node.Uid, node.Gid)
+	if err := syscall.Mknod(dest, uint32(fileMode), node.Mkdev()); err != nil {
+		return err
 	}
-	return nil
+	return syscall.Chown(dest, int(node.Uid), int(node.Gid))
 }
 
 func prepareRoot(config *configs.Config) error {
@@ -251,16 +267,8 @@ func setupPtmx(config *configs.Config) error {
 		return fmt.Errorf("symlink dev ptmx %s", err)
 	}
 	if config.Console != "" {
-		uid, err := config.HostUID()
-		if err != nil {
-			return err
-		}
-		gid, err := config.HostGID()
-		if err != nil {
-			return err
-		}
 		console := newConsoleFromPath(config.Console)
-		return console.mount(config.Rootfs, config.MountLabel, uid, gid)
+		return console.mount(config.Rootfs, config.MountLabel, 0, 0)
 	}
 	return nil
 }

linux_userns_init.go

@@ -6,6 +6,7 @@ import (
 	"syscall"
 
 	"github.com/docker/libcontainer/apparmor"
+	"github.com/docker/libcontainer/configs"
 	"github.com/docker/libcontainer/label"
 	"github.com/docker/libcontainer/system"
 )
@@ -17,63 +18,69 @@ type linuxUsernsInit struct {
 func (l *linuxUsernsInit) Init() error {
 	// join any namespaces via a path to the namespace fd if provided
 	if err := joinExistingNamespaces(l.config.Config.Namespaces); err != nil {
-		return err
+		return newSystemError(err)
 	}
 	consolePath := l.config.Config.Console
 	if consolePath != "" {
 		// We use the containerConsolePath here, because the console has already been
 		// setup by the side car process for the user namespace scenario.
-		console := newConsoleFromPath(containerConsolePath)
+		console := newConsoleFromPath(consolePath)
 		if err := console.dupStdio(); err != nil {
-			return err
+			return newSystemError(err)
 		}
 	}
 	if _, err := syscall.Setsid(); err != nil {
-		return err
+		return newSystemError(err)
 	}
 	if consolePath != "" {
 		if err := system.Setctty(); err != nil {
-			return err
+			return newSystemError(err)
 		}
 	}
 	if l.config.Cwd == "" {
 		l.config.Cwd = "/"
 	}
 	if err := setupRlimits(l.config.Config); err != nil {
-		return err
+		return newSystemError(err)
+	}
+	// InitializeMountNamespace() can be executed only for a new mount namespace
+	if l.config.Config.Namespaces.Contains(configs.NEWNS) {
+		if err := setupRootfs(l.config.Config); err != nil {
+			return newSystemError(err)
+		}
 	}
 	if hostname := l.config.Config.Hostname; hostname != "" {
 		if err := syscall.Sethostname([]byte(hostname)); err != nil {
-			return err
+			return newSystemError(err)
 		}
 	}
 	if err := apparmor.ApplyProfile(l.config.Config.AppArmorProfile); err != nil {
-		return err
+		return newSystemError(err)
 	}
 	if err := label.SetProcessLabel(l.config.Config.ProcessLabel); err != nil {
-		return err
+		return newSystemError(err)
 	}
 	for _, path := range l.config.Config.ReadonlyPaths {
 		if err := remountReadonly(path); err != nil {
-			return err
+			return newSystemError(err)
 		}
 	}
 	for _, path := range l.config.Config.MaskPaths {
 		if err := maskFile(path); err != nil {
-			return err
+			return newSystemError(err)
 		}
 	}
 	pdeath, err := system.GetParentDeathSignal()
 	if err != nil {
-		return err
+		return newSystemError(err)
 	}
 	if err := finalizeNamespace(l.config); err != nil {
-		return err
+		return newSystemError(err)
 	}
 	// finalizeNamespace can change user/group which clears the parent death
 	// signal, so we restore it here.
 	if err := pdeath.Restore(); err != nil {
-		return err
+		return newSystemError(err)
 	}
 	// Signal self if parent is already dead. Does nothing if running in a new
 	// PID namespace, as Getppid will always return 0.

linux_userns_sidecar_init.go

@@ -2,11 +2,6 @@
 
 package libcontainer
 
-import (
-	"github.com/docker/libcontainer/configs"
-	"github.com/docker/libcontainer/label"
-)
-
 // linuxUsernsSideCar is run to setup mounts and networking related operations
 // for a user namespace enabled process as a user namespace root doesn't
 // have permissions to perform these operations.
@@ -24,12 +19,5 @@ func (l *linuxUsernsSideCar) Init() error {
 	if err := setupRoute(l.config.Config); err != nil {
 		return err
 	}
-	label.Init()
-	// InitializeMountNamespace() can be executed only for a new mount namespace
-	if l.config.Config.Namespaces.Contains(configs.NEWNS) {
-		if err := setupRootfs(l.config.Config); err != nil {
-			return err
-		}
-	}
 	return nil
 }