是什么让容器内的 Firefox 在主机外部使用主机用户的 UID 启动一个新的 Firefox 窗口?对于LXC来说这不是很奇怪吗?

tag-icon tag-icon firefox lxc userns
是什么让容器内的 Firefox 在主机外部使用主机用户的 UID 启动一个新的 Firefox 窗口?对于LXC来说这不是很奇怪吗?

有人可以向我解释一下这种奇怪的行为吗:

我有一个无特权的 LXC 容器,里面有 Firefox。

如果 Firefox 在容器外部的主机上运行/usr/bin/firefox在容器内启动一个新的 Firefox 窗口外部在具有主机用户的 UID 的主机上。

如果 Firefox 没有在容器外部运行/usr/bin/firefox在容器内部启动 firefox,并使用容器用户的 (SUB)UID,就像它应该的那样。

反之亦然:如果 firefox 运行在容器内部(而不是在主机上),并且 firefox 在主机上启动,则启动的 firefox 具有容器用户的 UID。

?!?!那个怎么样 ?!?!

编辑:确认使用带有默认配置文件的默认非特权 Ubuntu 容器时会出现相同的问题。

编辑:在拱门论坛中问了同样的问题https://bbs.archlinux.org/viewtopic.php?pid=1622174#p1622174

config file:

lxc.devttydir = lxc 
lxc.pts = 1024
lxc.tty = 4 
lxc.cap.drop = mac_admin mac_override sys_time sys_module
lxc.pivotdir = lxc_putold
lxc.hook.clone = /usr/share/lxc/hooks/clonehostname
lxc.cgroup.devices.deny = a 
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
lxc.cgroup.devices.allow = c 1:3 rwm 
lxc.cgroup.devices.allow = c 1:5 rwm 
lxc.cgroup.devices.allow = c 1:7 rwm 
lxc.cgroup.devices.allow = c 5:0 rwm 
lxc.cgroup.devices.allow = c 5:1 rwm 
lxc.cgroup.devices.allow = c 5:2 rwm 
lxc.cgroup.devices.allow = c 1:8 rwm 
lxc.cgroup.devices.allow = c 1:9 rwm 
lxc.cgroup.devices.allow = c 136:* rwm 
lxc.cgroup.devices.allow = c 10:229 rwm 
lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections   none bind,optional 0 0 
lxc.seccomp = /usr/share/lxc/config/common.seccomp
lxc.hook.mount = /usr/share/lxcfs/lxc.mount.hook
lxc.hook.post-stop = /usr/share/lxcfs/lxc.reboot.hook
lxc.mount.entry = /sys/kernel/debug sys/kernel/debug none bind,optional 0 0 
lxc.mount.entry = /sys/kernel/security sys/kernel/security none bind,optional 0 0 
lxc.mount.entry = /sys/fs/pstore sys/fs/pstore none bind,optional 0 0 
lxc.mount.entry = mqueue dev/mqueue mqueue rw,relatime,create=dir,optional 0 0 
lxc.cgroup.devices.allow = c 254:0 rm
lxc.cgroup.devices.allow = c 10:200 rwm 
lxc.cgroup.devices.allow = c 10:228 rwm 
lxc.cgroup.devices.allow = c 10:232 rwm 
lxc.cgroup.devices.deny =
lxc.cgroup.devices.allow =
lxc.devttydir =
lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0 
lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0 
lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0 
lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0 
lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0 
lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0 
lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0 
lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars  none bind,optional 0 0 
lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0 
lxc.arch = x86_64
lxc.cgroup.devices.allow = c 226:* rwm 
lxc.mount.entry = tmpfs tmp tmpfs defaults
lxc.mount.entry = /dev/dri dev/dri none bind,optional,create=dir
lxc.mount.entry = /tmp/.X11-unix tmp/.X11-unix none ro,bind,create=dir 0 0

容器是这样启动的:

lxc-start -n c1 -F -f /path/to/above/conf -s 'lxc.id_map = u 0 100000 65536' -s 'lxc.id_map = g 0 100000 65536' -s 'lxc.rootfs = /path/to/rootfs' -s 'lxc.init_cmd = /usr/bin/bash'

编辑:发行版Arch Linux

$ uname -r
4.6.0-rc4-customGIT+

# lxc-checkconfig
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled
Multiple /dev/pts instances: enabled

--- Control groups ---
Cgroup: enabled
Cgroup clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled

--- Misc ---
Veth pair device: enabled
Macvlan: enabled
Vlan: enabled
Bridges: enabled
Advanced netfilter: enabled
CONFIG_NF_NAT_IPV4: enabled
CONFIG_NF_NAT_IPV6: enabled
CONFIG_IP_NF_TARGET_MASQUERADE: enabled
CONFIG_IP6_NF_TARGET_MASQUERADE: enabled
CONFIG_NETFILTER_XT_TARGET_CHECKSUM: enabled
FUSE (for use with lxcfs): enabled

--- Checkpoint/Restore ---
checkpoint restore: enabled
CONFIG_FHANDLE: enabled
CONFIG_EVENTFD: enabled
CONFIG_EPOLL: enabled
CONFIG_UNIX_DIAG: enabled
CONFIG_INET_DIAG: enabled
CONFIG_PACKET_DIAG: enabled
CONFIG_NETLINK_DIAG: enabled
File capabilities: enabled

答案1

它连接到同一 X 显示器上正在运行的 Firefox 实例,并要求它打开一个新窗口。

当尝试在以下环境ssh -Y(甚至是另一台主机)启动 Firefox 时,可以观察到相同的行为。 (但是,su - SOME_USER由于某种原因,没有低于。这对我来说是一个谜。)

可以使用以下选项关闭此行为:

firefox --new-instance

相关内容