[lxd] [ubuntu focal] unprivileged container cannot get access to raw sockets

I installed lxd into Ubuntu Focal on rock pi 4A. I got the latest image from here. I only installed snap and lxd from snap.
When I create an unprivileged container it cannot use raw sockets. LXD developers suggest for a similar issue with a custom Nvidia Tegra kernel that:

what could be causing the issue and he downloaded the Tegra custom kernel source and tracked the issue down to what appears to be a bug that has been introduced into the custom kernel. When opening raw sockets, rather than checking the namespace capabilities (which it does in the vanilla kernel) it is checking the global capabilities in the root namespace. And as the container is running unprivileged it does not have global CAP_NET_RAW capability and fails.

See discussion here.
Could it be a case for rock custom kernel too?

If someone can reproduce the same on the latest ubuntu-focal image I will appreciate it. To test it the following commands should be executed:

Install snap
sudo apt install snapd
Add rock to lxd group
sudo usermod --append --groups lxd rock
Init lxd with all defaults
lxd init
Create alpine container
lxc launch images:alpine/3.10 c1
Try to ping inside alpine
lxc exec c1 -- ping 127.0.0.1
You should get the following
PING 127.0.0.1 (127.0.0.1): 56 data bytes
ping: permission denied (are you root?)

I think radxa custom kernel also doesn’t correctly treat capabilities similar to Tegra custom kernel. But I don’t have experience in Linux kernel development so I cannot check that.
@radxa Are kernel 4.4.154-111-rockchip-g39b306a41b2d sources available somewhere in git?

So it is possible to make lxc containers work with radxa kernel but only in privileged mode.
lxc profile copy default privileged
lxc profile edit privileged
Make profile privileged

config:
  security.privileged: "true"
...

Assign profile to a container
lxc profile add your_container_name privileged

It looks like the problem is in af_inet.c

Instead of capable(CAP_NET_RAW), ns_capable(net->user_ns, CAP_NET_RAW) should be used in inet_create.
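An added diagnostic, not code from this thread or from LXD: it separates "the container process really lacks CAP_NET_RAW" from "the capability is held inside the user namespace but the kernel still refuses the raw socket", which is the symptom the capable() versus ns_capable() difference above would produce. The function names and the result labels are made up for this example.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#define CAP_NET_RAW_BIT 13 /* CAP_NET_RAW in linux/capability.h */

/* "CapEff:\t<hex>" line from /proc/self/status: 1 if CAP_NET_RAW is set. */
int capeff_has_net_raw(const char *line) {
    unsigned long long caps;
    if (sscanf(line, "CapEff: %llx", &caps) != 1) return -1;
    return (int)((caps >> CAP_NET_RAW_BIT) & 1);
}

/* First uid_map line: anything but the identity map means a user namespace. */
int uid_map_is_userns(const char *line) {
    unsigned long long in, out, len;
    if (sscanf(line, "%llu %llu %llu", &in, &out, &len) != 3) return -1;
    return !(in == 0 && out == 0 && len == 4294967295ULL);
}

/* Result labels are made up for this example. */
const char *classify(int has_cap, int in_userns, int sock_errno) {
    if (sock_errno == 0) return "ok";
    if (sock_errno != EPERM && sock_errno != EACCES) return "other-error";
    if (has_cap != 1) return "missing-cap";
    return in_userns == 1 ? "denied-despite-namespaced-cap" : "denied-by-other-policy";
}

/* Copy the first line of path that starts with prefix into buf. */
static int first_line(const char *path, const char *prefix, char *buf, int n) {
    FILE *f = fopen(path, "r");
    int rc = -1;
    if (!f) return rc;
    while (rc && fgets(buf, n, f))
        if (strncmp(buf, prefix, strlen(prefix)) == 0) rc = 0;
    fclose(f);
    return rc;
}

int main(void) {
    char cap[128], map[128];
    if (first_line("/proc/self/status", "CapEff:", cap, sizeof cap) ||
        first_line("/proc/self/uid_map", "", map, sizeof map)) return 2;
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    int err = fd < 0 ? errno : 0;
    if (fd >= 0) close(fd);
    printf("%s\n", classify(capeff_has_net_raw(cap), uid_map_is_userns(map), err));
    return 0;
}
```

Run it as root inside the unprivileged container. A result of "denied-despite-namespaced-cap" is consistent with a global capable() check, although a seccomp filter or an LSM can deny the same call.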