[pve-devel] [PATCH container] Remove mknod call from pre-start hook
Wolfgang Bumiller
w.bumiller at proxmox.com
Thu Feb 4 13:35:45 CET 2016
On Thu, Feb 04, 2016 at 01:07:03PM +0100, Fabian Grünbichler wrote:
> Since lxc.autodev defaults to 1, LXC will mount /dev as
> tmpfs and populate it. The removed code was unnecessary,
> since the device node was not accessible in the container
> anyway. A /dev mountpoint is mounted into the rootfs and
> accessible under its mountpoint, even if there is no
> associated /dev node in the container.
>
> To make matters worse, there was no cleanup for this device
> node, which made all but the first boot of containers with
> a configured /dev mountpoint fail until the host itself was
> rebooted.
Acked-by: Wolfgang Bumiller <w.bumiller at proxmox.com>
---
The created devices are not visible as the tmpfs is mounted over /dev
and are also never removed, which is not pretty and with unprivileged
containers an unexpected security quirk.
If someone wants a device visible they can add a manual autodev lxc hook
or a bind mount entry.
Also the code failed for devices in paths which don't exist (eg
/dev/$vg/$lv rather than the /dev/mapper version).
> ---
> src/lxc-pve-prestart-hook | 21 ---------------------
> 1 file changed, 21 deletions(-)
>
> diff --git a/src/lxc-pve-prestart-hook b/src/lxc-pve-prestart-hook
> index 1ba957f..46fee04 100755
> --- a/src/lxc-pve-prestart-hook
> +++ b/src/lxc-pve-prestart-hook
> @@ -81,29 +81,8 @@ __PACKAGE__->register_method ({
> PVE::LXC::mountpoint_mount($mountpoint, $rootdir, $storage_cfg);
> };
>
> - my $setup_cgroup_device = sub {
> - my ($ms, $mountpoint) = @_;
> -
> - my $volid = $mountpoint->{volume};
> - return if !$volid || $volid !~ m|^/dev/.+|;
> -
> - my $path = PVE::LXC::mountpoint_mount_path($mountpoint, $storage_cfg);
> -
> - my (undef, undef, $mode, undef, undef, undef, $rdev) = stat($path);
> - if ($mode && S_ISBLK($mode) && $rdev) {
> - my $major = int($rdev / 0x100);
> - my $minor = $rdev % 0x100;
> - if ($major != 7) { # must not be a loop device
> - PVE::Tools::run_command(['mknod', '-m', '666', "$rootdir$path", 'b', $major, $minor]);
> - PVE::LXC::write_cgroup_value("devices", $vmid, "devices.allow", "b ${major}:${minor} rwm");
> - }
> - }
> - };
> -
> PVE::LXC::foreach_mountpoint($conf, $setup_mountpoint);
>
> - PVE::LXC::foreach_mountpoint($conf, $setup_cgroup_device);
> -
> my $lxc_setup = PVE::LXC::Setup->new($conf, $rootdir);
> $lxc_setup->pre_start_hook();
> return undef;
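Review bot: the removed block drops not only the mknod call but also the `PVE::LXC::write_cgroup_value("devices", $vmid, "devices.allow", "b ${major}:${minor} rwm")` line, so the container's devices cgroup no longer gets an allow entry for block-device-backed `/dev/...` volumes; the commit message only talks about the device node, so it should state that the cgroup grant is intentionally dropped as well (the mountpoint is still set up by `$setup_mountpoint`, so this only matters for raw device access from inside the container). Also worth checking that `S_ISBLK` and the `stat`/`rdev` handling were the last users of any `Fcntl ':mode'` import in this file, since nothing in the remaining context references them.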
> --
> 2.1.4