Setup /dev/pts instance

Without it e.g. screen does not work (it just was terminating after
right start).

slapns.py

@@ -144,7 +144,7 @@ def main():
         slappart = ""
     if not unshareonly:
         # create directories inside container
-        dirv = ["/proc", "/sys",
+        dirv = ["/proc", "/sys", "/dev", "/dev/pts",
                 "/bin", "/sbin", "/lib", "/lib64", "/usr/bin", "/usr/lib",
                 "/etc",
                 "/tmp", "/run",
@@ -212,6 +212,9 @@ def main():
     mount("none", slappart + "/tmp", "tmpfs")
     mount("none", slappart + "/run", "tmpfs")
 
+    # separate instance for pseudo terminals
+    mount("none", slappart + "/dev/pts", "devpts")
+
     if not unshareonly:
         # read-only bind mount bin, lib, ... from SR
         # FIXME stub: here we bind from base system for now

[Jérome Perrin]

This reminds me of painful experience updating from debian 7 to debian 9 where the upgrade did not set proper gid mount option for /dev/pts and interactive ssh session did not work. openssh also needs /dev/pts to have git tty (I understand now that it's because openssh must also be using the same glibc.openpty)

See this post for a few more details - note that there's a typo in the post,

Systemd mounts devpts with this option, so one way to fix/workaround is to remove the line about devpts in /etc/fstab and it will be solved after reboot. For this time, something like mount /dev/pts -o remount,gid=8.

it should read gid 5

so if I understand correctly, for this to work we need to either /dev/pts from parent namespace or mount it with proper gid option. Sharing with parent namespace looks OK, isn't it ?

[Kirill Smelkov]

@jerome, thanks for feedback. The reason this /dev/pts mounting was done was that because using /dev/pts from parent namespace was not working: since we are root in the user namespace, the kernel remaps all uid/gid not in our map to nobody/nogroup:

kirr@deco:~$ unshare -Umr
root@deco:~# ll /dev/pts/
итого 0
crw--w---- 1 root   nogroup 136, 0 окт 24 11:32 0
crw--w---- 1 root   nogroup 136, 1 окт 24 11:32 1
c--------- 1 nobody nogroup   5, 2 окт 24 11:12 ptmx

root@deco:~# ll -n /dev/pts/
итого 0
crw--w---- 1     0 65534 136, 0 окт 24 11:32 0
crw--w---- 1     0 65534 136, 1 окт 24 11:33 1

and then it does not work because glibc.openpty looks up gid(tty)=5 from /etc/groups and tries to chown to that gid.

Maybe we should indeed add gid=5 and other mounting options. I did this patch yesterday very quickly and only tested that uxterm/screen started to work from "root". (I needed this to be able to inspect a program running from another terminal and could not succedd making nsenter to work).

I will add a note to /dev/pts mounting pointing to your notes, so it is not lost and hopefully helps next time when we need to run screen from under uid!=0.

[Kirill Smelkov]

Notes added: 625f7f20.

[Kirill Smelkov]

(I'm short on time for other task now - if you happen to try this out - patches are welcome)

[Kirill Smelkov]

If /dev/pts is mounted anew, mounting with gid=5 and mode=0620 is the right thing to do. See explanation in https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=77356912e836 .