Device node ownership guarantees

Someone filed a merge request on our proposed-migration hints in Ubuntu. They had noticed that a test which their package has, which is checking that the ownership on some device nodes in /dev is root:root, was failing. The code:

dev, err := DeviceFromPath("/dev/null")
assert.NoError(t, err)
assert.Equal(t, dev[0].Uid, uint32(0))
assert.Equal(t, dev[0].Gid, uint32(0))

is failing like:

Error:      	Not equal: 
            	expected: 0xfffe
            	actual  : 0x0

Ok, that seems like it’s worth looking into. I launched some VMs - to have a clean baseline state - and tried containers within them. Indeed this reproduces on focal (4.0.5) and bionic (3.0.3) hosts:

laney@raleigh> lxc launch --vm ubuntu:focal/amd64 lxd-test-vm
Creating lxd-test-vm
Starting lxd-test-vm                        
laney@raleigh> lxc shell lxd-test-vm
root@lxd-test-vm:~# sudo -u ubuntu -i
ubuntu@lxd-test-vm:~$ ls -l /dev/null  # this is the vm host
crw-rw-rw- 1 root root 1, 3 Feb 22 09:58 /dev/null
ubuntu@lxd-test-vm:~$ lxd init # ... accept all defaults
ubuntu@lxd-test-vm:~$ lxc launch -e images:ubuntu/focal/amd64 images-ubuntu-focal-amd64
Creating images-ubuntu-focal-amd64
Starting images-ubuntu-focal-amd64          
ubuntu@lxd-test-vm:~$ lxc launch -e images:fedora/33 images-fedora-33
Creating images-fedora-33
Starting images-fedora-33                   
ubuntu@lxd-test-vm:~$ lxc launch -e ubuntu:focal/amd64 ubuntu-focal-amd64
Creating ubuntu-focal-amd64
Starting ubuntu-focal-amd64                 

ubuntu@lxd-test-vm:~$ lxc shell images-ubuntu-focal-amd64
root@images-ubuntu-focal-amd64:~# ls -l /dev/null
crw-rw-rw- 1 nobody nogroup 1, 3 Feb 22 09:58 /dev/null

ubuntu@lxd-test-vm:~$ lxc shell images-fedora-33
[root@images-fedora-33 ~]# ls -l /dev/null
crw-rw-rw- 1 nobody nobody 1, 3 Feb 22 09:58 /dev/null

ubuntu@lxd-test-vm:~$ lxc shell ubuntu-focal-amd64
root@ubuntu-focal-amd64:~# ls -l /dev/null
crw-rw-rw- 1 nobody nogroup 1, 3 Feb 22 09:58 /dev/null

ubuntu@lxd-test-vm:~$ lxd --version
4.0.5

And it happens on a bionic host too…

root@images-ubuntu-focal-amd64:~# ls -l /dev/null
crw-rw-rw- 1 nobody nogroup 1, 3 Feb 22 10:11 /dev/null

ubuntu@multipass-test-vm-bionic:~$ lxd --version
3.0.3

Can you advise please - is this wrong? Maybe it’s always been like this and we’re only just noticing now because of this (new apparently) test. I’m not sure what guarantees you’re supposed to have about ownership of these device nodes on a Linux system. If root:root is not something you should be assuming, I can advise that the MR submitter goes back to upstream and suggests removing this check.

@brauner @stgraber please could you look at this, thanks.

This is perfectly normal. Basically, unprivileged containers can’t create any device nodes, even harmless ones such as /dev/null, /dev/zero, etc., which is why container runtimes bind-mount the host nodes into the container. But since host root isn’t mapped inside the container, the owner is shown as nobody:nogroup. If you look at the output from findmnt inside the container, you’ll see the bind-mounted devices:

| |-/dev/full                         udev[/full]                                    devtmpfs    rw,nosuid,noexec,relatime,size=8017608k,nr_inodes=2004402,mode=755
| |-/dev/null                         udev[/null]                                    devtmpfs    rw,nosuid,noexec,relatime,size=8017608k,nr_inodes=2004402,mode=755
| |-/dev/random                       udev[/random]                                  devtmpfs    rw,nosuid,noexec,relatime,size=8017608k,nr_inodes=2004402,mode=755
| |-/dev/tty                          udev[/tty]                                     devtmpfs    rw,nosuid,noexec,relatime,size=8017608k,nr_inodes=2004402,mode=755
| |-/dev/urandom                      udev[/urandom]                                 devtmpfs    rw,nosuid,noexec,relatime,size=8017608k,nr_inodes=2004402,mode=755
| |-/dev/zero                         udev[/zero]                                    devtmpfs    rw,nosuid,noexec,relatime,size=8017608k,nr_inodes=2004402,mode=755
| |-/dev/console                      devpts[/33]                                    devpts      rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000

And yes, that has been like that forever. :slight_smile:
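
An added example, not code from this thread or from the package under test: a Go helper that works out which owner a bind-mounted host device node will show inside a user namespace, so an ownership check can expect root or the overflow ID as appropriate. The names ParseIDMap and VisibleID are hypothetical, the sample maps are constructed, and it assumes one level of user namespace (so the second uid_map column holds host IDs) and the kernel default overflow ID of 65534 (the 0xfffe in the failing assertion).

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// OverflowID is the kernel default overflowuid/overflowgid (65534 = 0xfffe).
const OverflowID uint32 = 65534

// idRange is one line of a uid_map/gid_map: inside start, outside start, length.
type idRange [3]uint64

// ParseIDMap parses the text of /proc/<pid>/uid_map or gid_map.
func ParseIDMap(text string) ([]idRange, error) {
	f := strings.Fields(text)
	if len(f)%3 != 0 {
		return nil, fmt.Errorf("id map has %d fields, want a multiple of 3", len(f))
	}
	ranges := make([]idRange, len(f)/3)
	for i, s := range f {
		n, err := strconv.ParseUint(s, 10, 32)
		if err != nil {
			return nil, fmt.Errorf("bad id map field %q: %w", s, err)
		}
		ranges[i/3][i%3] = n
	}
	return ranges, nil
}

// VisibleID returns the ID stat() reports inside the namespace for a file
// owned by outsideID in the parent namespace; unmapped owners appear as the
// overflow ID ("nobody"/"nogroup").
func VisibleID(ranges []idRange, outsideID uint32) uint32 {
	for _, r := range ranges {
		if id := uint64(outsideID); id >= r[1] && id-r[1] < r[2] {
			return uint32(r[0] + id - r[1])
		}
	}
	return OverflowID
}

func main() {
	// Constructed maps: initial namespace, then an unprivileged container.
	host, _ := ParseIDMap("0 0 4294967295\n")
	ctr, _ := ParseIDMap("0 1000000 1000000000\n")
	fmt.Println(VisibleID(host, 0), VisibleID(ctr, 0)) // 0 65534
}
```

A test like the one quoted at the top could compare the node's Uid and Gid against VisibleID applied to the contents of /proc/self/uid_map and /proc/self/gid_map instead of a hard-coded 0.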

Thanks, Christian!