Permissions of /dev/zero

5 views
Skip to first unread message

Oliver Schad

unread,
May 19, 2021, 5:48:40 AMMay 19
to lxc-...@lists.linuxcontainers.org
Hello everybody,

I'm struggling with LXC together with a version of Apache Webserver in
an unprivileged container: the version of apache I have wants to
open /dev/zero rw - that doesn't sound very intelligent, however it
refuses to start without permissions to that.

I'm using today LXD version 3.23

~# ls -l /dev/zero
cr--r--r-- 1 nobody nogroup 1, 5 May 13 23:19 /dev/zero
~# mount | grep zero
udev on /dev/zero type devtmpfs
(rw,nosuid,relatime,size=16464000k,nr_inodes=4116000,mode=755)

I've tried

lxc.cgroup.devices.allow = c 1:5 rw

That doesn't work. Following is set:

lxc.autodev = 1

So what is the way to change permissions of files, which are mounted by
LXC itself?

Best Regards
Oli

--
Automatic-Server AG •••••
Oliver Schad
Geschäftsführer
Turnerstrasse 2
9000 St. Gallen | Schweiz

www.automatic-server.com | oliver...@automatic-server.com
Tel: +41 71 511 31 11 | Mobile: +41 76 330 03 47

Serge E. Hallyn

unread,
May 19, 2021, 9:28:23 AMMay 19
to Oliver Schad, lxc-...@lists.linuxcontainers.org
On Wed, May 19, 2021 at 11:48:29AM +0200, Oliver Schad wrote:
> Hello everybody,
>
> I'm struggling with LXC together with a version of Apache Webserver in
> an unprivileged container: the version of apache I have wants to
> open /dev/zero rw - that doesn't sound very intelligent, however it
> refuses to start without permissions to that.
>
> I'm using today LXD version 3.23
>
> ~# ls -l /dev/zero
> cr--r--r-- 1 nobody nogroup 1, 5 May 13 23:19 /dev/zero
> ~# mount | grep zero
> udev on /dev/zero type devtmpfs
> (rw,nosuid,relatime,size=16464000k,nr_inodes=4116000,mode=755)
>
> I've tried
>
> lxc.cgroup.devices.allow = c 1:5 rw
>
> That doesn't work. Following is set:
>
> lxc.autodev = 1
>
> So what is the way to change permissions of files, which are mounted by
> LXC itself?

They should just be bind mounts from the host devices. What is
/dev/zero on your host?

In my container here, I have:

ubuntu@mail:~$ ls -l /dev/null
crw-rw-rw- 1 nobody nogroup 1, 3 May 12 17:40 /dev/null

-serge

Oliver Schad

unread,
May 19, 2021, 3:16:02 PMMay 19
to lxc-...@lists.linuxcontainers.org
Hi Serge,

On Wed, 19 May 2021 08:28:21 -0500
"Serge E. Hallyn" <se...@hallyn.com> wrote:

> On Wed, May 19, 2021 at 11:48:29AM +0200, Oliver Schad wrote:
> > ~# ls -l /dev/zero
> > cr--r--r-- 1 nobody nogroup 1, 5 May 13 23:19 /dev/zero
[...]
> In my container here, I have:
>
> ubuntu@mail:~$ ls -l /dev/null
> crw-rw-rw- 1 nobody nogroup 1, 3 May 12 17:40 /dev/null

/dev/null is correct, rw. But /dev/zero not. The first one is for
writing designed, AFAIR the latter for reading.

But from my understanding, writing to /dev/zero should behave
like /dev/null, even if it doesn't sound very intuitive.

https://en.wikipedia.org/wiki//dev/zero

Serge E. Hallyn

unread,
May 19, 2021, 11:06:48 PMMay 19
to Oliver Schad, lxc-...@lists.linuxcontainers.org
On Wed, May 19, 2021 at 09:15:52PM +0200, Oliver Schad wrote:
> Hi Serge,
>
> On Wed, 19 May 2021 08:28:21 -0500
> "Serge E. Hallyn" <se...@hallyn.com> wrote:
>
> > On Wed, May 19, 2021 at 11:48:29AM +0200, Oliver Schad wrote:
> > > ~# ls -l /dev/zero
> > > cr--r--r-- 1 nobody nogroup 1, 5 May 13 23:19 /dev/zero
> [...]
> > In my container here, I have:
> >
> > ubuntu@mail:~$ ls -l /dev/null
> > crw-rw-rw- 1 nobody nogroup 1, 3 May 12 17:40 /dev/null
>
> /dev/null is correct, rw. But /dev/zero not. The first one is for
> writing designed, AFAIR the latter for reading.
>
> But from my understanding, writing to /dev/zero should behave
> like /dev/null, even if it doesn't sound very intuitive.
>
> https://en.wikipedia.org/wiki//dev/zero

If you look at the kernel source, you have

853 #define zero_lseek null_lseek
854 #define full_lseek null_lseek
855 #define write_zero write_null

so don't let interpretations of the names bother you :)

-serge

Serge E. Hallyn

unread,
May 19, 2021, 11:12:26 PMMay 19
to Oliver Schad, lxc-...@lists.linuxcontainers.org
On Wed, May 19, 2021 at 09:15:52PM +0200, Oliver Schad wrote:
> Hi Serge,
>
> On Wed, 19 May 2021 08:28:21 -0500
> "Serge E. Hallyn" <se...@hallyn.com> wrote:
>
> > On Wed, May 19, 2021 at 11:48:29AM +0200, Oliver Schad wrote:
> > > ~# ls -l /dev/zero
> > > cr--r--r-- 1 nobody nogroup 1, 5 May 13 23:19 /dev/zero
> [...]
> > In my container here, I have:
> >
> > ubuntu@mail:~$ ls -l /dev/null
> > crw-rw-rw- 1 nobody nogroup 1, 3 May 12 17:40 /dev/null
>
> /dev/null is correct, rw. But /dev/zero not. The first one is for

serge@sl ~$ ls -l /dev/zero
crw-rw-rw- 1 root root 1, 5 May 12 12:40 /dev/zero

You started by asking :

> So what is the way to change permissions of files, which are mounted by
> LXC itself?

As I said, they are bind mounts from the host, so you
have to change the permissions on the host.

Oliver Schad

unread,
May 20, 2021, 4:35:54 AMMay 20
to lxc-...@lists.linuxcontainers.org
On Wed, 19 May 2021 22:12:24 -0500
"Serge E. Hallyn" <se...@hallyn.com> wrote:

> As I said, they are bind mounts from the host, so you
> have to change the permissions on the host.

Ok, that is a layer 8 problem: on one container hypervisor was a
manual change on that device for whatever reason. I've checked by
accident exactly that one and reviewed a container on another host.

So you're right, the problem was on the host itself and we're using
mdev instead of udev, because we use s6, instead of upstart/systemd. We
fixed that inside of the mdev configuration.

Thank you for the hint.

Oliver Schad

unread,
May 20, 2021, 4:53:15 AMMay 20
to lxc-...@lists.linuxcontainers.org
On Wed, 19 May 2021 22:06:46 -0500
"Serge E. Hallyn" <se...@hallyn.com> wrote:

> > But from my understanding, writing to /dev/zero should behave
> > like /dev/null, even if it doesn't sound very intuitive.
> >
> > https://en.wikipedia.org/wiki//dev/zero
>
> If you look at the kernel source, you have
>
> 853 #define zero_lseek null_lseek
> 854 #define full_lseek null_lseek
> 855 #define write_zero write_null
>
> so don't let interpretations of the names bother you :)

Great, thanks for the research!
Reply all
Reply to author
Forward
0 new messages