New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 625285 link

Starred by 2 users
Status: Verified
Owner:
dgreid@chromium.org
Closed: Aug 2016
Cc:
adlr@chromium.org
dgreid@chromium.org
ashishgaurav@chromium.org
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 1
Type: Feature



Sign in to add a comment

Allow libcontainer to run containers as non root

Project Member Reported by ashishgaurav@chromium.org, Jul 1 2016 
Allow libcontainer to run containers as non root
Project Member

Comment 1 by bugdroid1@chromium.org, Jul 16 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/998fd7d7b667ecb7fe06a2112975d16d229bf0b6

commit 998fd7d7b667ecb7fe06a2112975d16d229bf0b6
Author: Keshav Santhanam <ksanthanam@google.com>
Date: Tue Jul 12 20:33:00 2016

libcontainer: Add an option for cgroup parent directory

Applications running libcontainer as non-root cannot create
cgroups under the default directory. This commit allows the
user to specify a new cgroup parent directory under which to
create the new cgroups for the application. These parent
directories are expected to be created at startup and given
the correct permissions based on the user's UID.

BUG= chromium:625285 
TEST=Create directories /sys/fs/cgroup/{subsys}/containers
for each existing cgroup subsystem. Run libcontainer using
container_new_with_cgroup_parent, passing the argument
"containers". Verify that the correct cgroups are created.

Change-Id: Ia0b1025eaafa89e36727241388dc06fc60660c45
Reviewed-on: https://chromium-review.googlesource.com/360142
Commit-Ready: Dylan Reid <dgreid@chromium.org>
Tested-by: Keshav Santhanam <ksanthanam@google.com>
Reviewed-by: Dylan Reid <dgreid@chromium.org>

[modify] https://crrev.com/998fd7d7b667ecb7fe06a2112975d16d229bf0b6/libcontainer/libcontainer.h
[modify] https://crrev.com/998fd7d7b667ecb7fe06a2112975d16d229bf0b6/libcontainer/container_cgroup.c
[modify] https://crrev.com/998fd7d7b667ecb7fe06a2112975d16d229bf0b6/libcontainer/libcontainer.c
[modify] https://crrev.com/998fd7d7b667ecb7fe06a2112975d16d229bf0b6/libcontainer/container_cgroup_unittest.c
[modify] https://crrev.com/998fd7d7b667ecb7fe06a2112975d16d229bf0b6/libcontainer/container_cgroup.h
[modify] https://crrev.com/998fd7d7b667ecb7fe06a2112975d16d229bf0b6/libcontainer/libcontainer_unittest.c

Comment 2 by ashishgaurav@chromium.org, Jul 16 2016

Status: Started (was: Untriaged)
Project Member

Comment 3 by bugdroid1@chromium.org, Aug 4 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/268fa0354367c3c22a0536bfc86851801ff7bf5e

commit 268fa0354367c3c22a0536bfc86851801ff7bf5e
Author: Keshav Santhanam <ksanthanam@google.com>
Date: Thu Jul 14 16:59:24 2016

libcontainer: Only configure device cgroup if root

The CAP_SYS_ADMIN capability is needed to write to
the device cgroup files, and CAP_MKNOD is required
to call mknod. These capabilities are restricted to
root, so this commit checks that the user is root
before attempting to modify the device cgroup.

BUG= chromium:625285 
TEST=Run container as root and as non-root and verify
that the device cgroup modification is skipped in
the non-root case.

Change-Id: Id3b227023a92c09b025a2b2397b4f70ce90b3098
Reviewed-on: https://chromium-review.googlesource.com/361595
Commit-Ready: Keshav Santhanam <ksanthanam@google.com>
Tested-by: Keshav Santhanam <ksanthanam@google.com>
Reviewed-by: Dylan Reid <dgreid@chromium.org>

[modify] https://crrev.com/268fa0354367c3c22a0536bfc86851801ff7bf5e/libcontainer/libcontainer.c
Project Member

Comment 4 by bugdroid1@chromium.org, Aug 4 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/268fa0354367c3c22a0536bfc86851801ff7bf5e

commit 268fa0354367c3c22a0536bfc86851801ff7bf5e
Author: Keshav Santhanam <ksanthanam@google.com>
Date: Thu Jul 14 16:59:24 2016

libcontainer: Only configure device cgroup if root

The CAP_SYS_ADMIN capability is needed to write to
the device cgroup files, and CAP_MKNOD is required
to call mknod. These capabilities are restricted to
root, so this commit checks that the user is root
before attempting to modify the device cgroup.

BUG= chromium:625285 
TEST=Run container as root and as non-root and verify
that the device cgroup modification is skipped in
the non-root case.

Change-Id: Id3b227023a92c09b025a2b2397b4f70ce90b3098
Reviewed-on: https://chromium-review.googlesource.com/361595
Commit-Ready: Keshav Santhanam <ksanthanam@google.com>
Tested-by: Keshav Santhanam <ksanthanam@google.com>
Reviewed-by: Dylan Reid <dgreid@chromium.org>

[modify] https://crrev.com/268fa0354367c3c22a0536bfc86851801ff7bf5e/libcontainer/libcontainer.c
Project Member

Comment 5 by bugdroid1@chromium.org, Aug 4 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/268fa0354367c3c22a0536bfc86851801ff7bf5e

commit 268fa0354367c3c22a0536bfc86851801ff7bf5e
Author: Keshav Santhanam <ksanthanam@google.com>
Date: Thu Jul 14 16:59:24 2016

libcontainer: Only configure device cgroup if root

The CAP_SYS_ADMIN capability is needed to write to
the device cgroup files, and CAP_MKNOD is required
to call mknod. These capabilities are restricted to
root, so this commit checks that the user is root
before attempting to modify the device cgroup.

BUG= chromium:625285 
TEST=Run container as root and as non-root and verify
that the device cgroup modification is skipped in
the non-root case.

Change-Id: Id3b227023a92c09b025a2b2397b4f70ce90b3098
Reviewed-on: https://chromium-review.googlesource.com/361595
Commit-Ready: Keshav Santhanam <ksanthanam@google.com>
Tested-by: Keshav Santhanam <ksanthanam@google.com>
Reviewed-by: Dylan Reid <dgreid@chromium.org>

[modify] https://crrev.com/268fa0354367c3c22a0536bfc86851801ff7bf5e/libcontainer/libcontainer.c

Comment 6 by dgreid@chromium.org, Aug 15 2016

Status: Verified (was: Started)

Sign in to add a comment