Xen Dom0 detected as DomU when running inside LXC

[lesinigo]

When running the checker in an LXC container which is itself running inside a Xen Dom0, the script incorrectly thinks it is running inside a DomU.

The operating system is Ubuntu 16.04 LTS, fully updated, with its stock xen-hypervisor-4.6-amd64 and its linux-image-generic-hwe-16.04; current versions of the two are Xen 4.6.5-0ubuntu1.4 and Linux 4.13.0-38.43~16.04.1, checker version is reported as 0.36+ and is actually from commit 0eabd26.

When running the script on this system it correctly reports Running as a Xen PV DomU: NO and by extension NOT VULNERABLE (Xen Dom0s are safe and do not require PTI).

On the same system there are also some Ubuntu 16.04 LXC containers running (using lxc-2.0.8-0ubuntu1~16.04.2 and created with lxc-create -t download -n ${NAME} -- -d ubuntu -r xenial -a amd64), when running the same script inside one of those it reports Running as a Xen PV DomU: YES and then VULNERABLE (Xen PV DomUs are vulnerable and need to be run in HVM, PVHVM, PVH mode, or the Xen hypervisor must have the Xen's own PTI patch), which is wrong because it is still inside the Dom0

[speed47]

Thanks for your report.

Do you have /proc/xen/capabilities inside the LXC container? That's how the script can tell apart between a domU and a dom0. If you do, could you post its contents here?

[lesinigo]

There is the /proc/xen directory inside the container but it is empty.

If it can help, I checked what facter 3.11.0 thinks about the same situation, and afaik it is also not able to differentiate between dom0 and domU when running inside a container. Here is its output from LXC-inside-dom0:

hypervisors => {
  xen => {
    context => "pv",
    privileged => false
  }
}
is_virtual => true
virtual => lxc

(note that it is not actually wrong, it's true that inside an LXC container you don't have the privileges of a dom0 and you cannot interact with the hypervisor, but it's not reporting if it is inside a dom0 or a domU)

and for comparison here is the same dom0, outside of LXC containers:

hypervisors => {
  xen => {
    context => "pv",
    privileged => true
  }
}
is_virtual => false
virtual => xen0
xen => {
  domains => [
    "Name",
    "Domain-0",
    "my_other_domU",
    "my_other_domU",
    "my_other_domU"
  ]
}

I am not even sure if there actually is any way of differentiating a dom0 from a domU from inside an LXC container. I don't currently have a "spare" domU to check it out, but will set up one with the same software (Ubuntu 16.04 and its LXC tooling with an Ubuntu 16.04 LXC container) as soon as time permits and I will try to compare the LXC-in-dom0 with the LXC-in-domU and see if there is any difference.

[speed47]

Interesting. It's probably not easy by design to guess that you're either in a dom0 or domU from inside a LXC, as it's also what containers are for : hiding host stuff from inside the container.

Maybe what could be done is detecting that we're inside an LXC, that there is /proc/xen, and just print a warning that we might be either on a dom0 or domU, and that to get proper results, one should run the script outside the container itself?

[lesinigo]

Yes, I'd definitely go with that solution: better to be on the safe side and not print potentially wrong information.

Inside LXC + /proc/xen exists = bail out, print a message and tell user to check from outside container.

Please do note that when running inside privileged containers or containers with some special capabilities this stuff could be different. I'll just admit that I don't have the interest nor the time to investigate further what happens in that case or in weirder ones (IMHO there's an unlimited level of "fancy" that you can get with containers if you really want to).