Someone filed a merge request on our proposed-migration hints in Ubuntu. They had noticed that a test which their package has, which is checking that the ownership on some device nodes in `/dev` is `root:root`, was failing. The code:
```go
dev, err := DeviceFromPath("/dev/null")
assert.NoError(t, err)
assert.Equal(t, dev[0].Uid, uint32(0))
assert.Equal(t, dev[0].Gid, uint32(0))
```
is failing like:
```
Error: Not equal:
expected: 0xfffe
actual : 0x0
```
Ok, that seems like it’s worth looking into. I launched some VMs - to have a clean baseline state - and tried containers within them. Indeed this reproduces on focal (4.0.5) and bionic (3.0.3) hosts:
```
laney@raleigh> lxc launch --vm ubuntu:focal/amd64 lxd-test-vm
Creating lxd-test-vm
Starting lxd-test-vm
laney@raleigh> lxc shell lxd-test-vm
root@lxd-test-vm:~# sudo -u ubuntu -i
ubuntu@lxd-test-vm:~$ ls -l /dev/null # this is the vm host
crw-rw-rw- 1 root root 1, 3 Feb 22 09:58 /dev/null
ubuntu@lxd-test-vm:~$ lxd init # ... accept all defaults
ubuntu@lxd-test-vm:~$ lxc launch -e images:ubuntu/focal/amd64 images-ubuntu-focal-amd64
Creating images-ubuntu-focal-amd64
Starting images-ubuntu-focal-amd64
ubuntu@lxd-test-vm:~$ lxc launch -e images:fedora/33 images-fedora-33
Creating images-fedora-33
Starting images-fedora-33
ubuntu@lxd-test-vm:~$ lxc launch -e ubuntu:focal/amd64 ubuntu-focal-amd64
Creating ubuntu-focal-amd64
Starting ubuntu-focal-amd64
ubuntu@lxd-test-vm:~$ lxc shell images-ubuntu-focal-amd64
root@images-ubuntu-focal-amd64:~# ls -l /dev/null
crw-rw-rw- 1 nobody nogroup 1, 3 Feb 22 09:58 /dev/null
ubuntu@lxd-test-vm:~$ lxc shell images-fedora-33
[root@images-fedora-33 ~]# ls -l /dev/null
crw-rw-rw- 1 nobody nobody 1, 3 Feb 22 09:58 /dev/null
ubuntu@lxd-test-vm:~$ lxc shell ubuntu-focal-amd64
root@ubuntu-focal-amd64:~# ls -l /dev/null
crw-rw-rw- 1 nobody nogroup 1, 3 Feb 22 09:58 /dev/null
ubuntu@lxd-test-vm:~$ lxd --version
4.0.5
```
And it happens on a bionic host too…
```
root@images-ubuntu-focal-amd64:~# ls -l /dev/null
crw-rw-rw- 1 nobody nogroup 1, 3 Feb 22 10:11 /dev/null
ubuntu@multipass-test-vm-bionic:~$ lxd --version
3.0.3
```
Can you advise please - is this wrong? Maybe it’s always been like this and we’re only just noticing now because of this (new apparently) test. I’m not sure what guarantees you’re supposed to have about ownership of these device nodes on a Linux system. If `root:root` is not something you should be assuming, I can advise that the MR submitter goes back to upstream and suggests removing this check.
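
An added example, not part of the original post: the `0xfffe` in the failure above is 65534, the kernel's default overflow UID/GID, which `stat` reports for an owner that has no mapping in the caller's user namespace. The Go sketch below parses `uid_map`-format text to show what host UID 0 appears as under a given map; the function names and both sample maps are constructed for illustration, and it assumes a single level of user-namespace nesting.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// overflowID (0xfffe) is the kernel's default overflow UID/GID: stat reports
// it when a file's owner has no mapping in the caller's user namespace.
const overflowID = 65534

// mapFromParent looks up parent-namespace ID `outside` in uid_map/gid_map
// text. Each line is: <first ID inside> <first ID outside> <range length>.
func mapFromParent(idMap string, outside uint32) (uint32, bool, error) {
	sc := bufio.NewScanner(strings.NewReader(idMap))
	for sc.Scan() {
		var in, out, n uint64
		if _, err := fmt.Sscan(sc.Text(), &in, &out, &n); err != nil {
			return 0, false, fmt.Errorf("malformed id map line %q: %w", sc.Text(), err)
		}
		if o := uint64(outside); o >= out && o-out < n {
			return uint32(in + o - out), true, nil
		}
	}
	return 0, false, sc.Err()
}

// ownerAsSeen returns the owner ID that stat would show inside the namespace.
func ownerAsSeen(idMap string, outside uint32) (uint32, error) {
	id, ok, err := mapFromParent(idMap, outside)
	if err != nil {
		return 0, err
	}
	if !ok {
		return overflowID, nil // unmapped owner shows up as nobody/nogroup
	}
	return id, nil
}

func main() {
	// Constructed maps: identity (initial namespace) and a shifted range.
	for _, m := range []string{"0 0 4294967295", "0 1000000 1000000000"} {
		id, err := ownerAsSeen(m, 0)
		fmt.Printf("%-22s host uid 0 appears as %#x (err=%v)\n", m, id, err)
	}
}
```

On a live system the same text can be read from `/proc/self/uid_map` and `/proc/self/gid_map`.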