libvirt-lxc: Permission issue of /proc/net

John Hurnett john.hurnett at gmail.com
Thu Dec 24 21:22:18 UTC 2020


Hi Daniel,
My XML has an <interface> section. According to the documentation at
https://libvirt.org/drvlxc.html#securenetworking I have also tried with and
without the <privnet/> parameter, but the files under /proc/net are still owned
by user nobody.
As might be expected, there is no such problem in privileged containers, as the
root user is the same as on the host and the files in /proc/net are then owned
by root, but to follow best practices I would like to use unprivileged
containers.
I've used Fedora 33 as host and container. Could you check if this is
reproducible on your setup?

BR,
John

On Thu, Dec 24, 2020 at 12:21 PM Daniel P. Berrange <dan at berrange.com>
wrote:

> On Tue, Dec 22, 2020 at 07:14:23PM +0200, John Hurnett wrote:
> > Hi,
> > I've encountered a problem that some of the /proc/net/ files can't be
> > accessed in unprivileged containers, because they are owned by
> > nobody:nogroup (-1:-1) and have 440 permissions.
> > This exact issue was solved in the LXC project by unsharing netns:
> > https://github.com/lxc/lxc/commit/5b1e83cbc498cd3edeaf13afa987d530299a35a7
> > Maybe it could be similarly fixed in libvirt-lxc?
>
> We already unshare netns when there is an <interface> in your XML
> config for the container. Is that still leaving the permissions
> issue? If so, maybe it's an ordering issue for the unshare.
>
> Regards,
> Daniel
> --
> |: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
> |: https://libvirt.org         -o-            https://fstop138.berrange.com :|
> |: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
>
>
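The ordering question raised in the thread can be reproduced outside libvirt. The following C program is an added example (not code from this thread, from libvirt or from LXC): it forks a child that enters a fresh user namespace with the caller's uid/gid mapped to 0, then either stays in the host's network namespace or also unshares a network namespace, and reports the owner and mode of /proc/self/net/dev as seen from inside. It assumes a Linux host with unprivileged user namespaces enabled; where unshare(CLONE_NEWUSER) is refused, the probe returns -1 instead of a result. The helper names (can_read, proc_net_probe, read_overflowuid) are my own. The "files owned by nobody" symptom is what you get when the network namespace is still owned by the host's user namespace: its owning uid (host root) has no mapping in the container, so the kernel reports the overflow uid, and no capability inside the container applies to an unmapped owner. Unsharing the netns after the userns makes the new userns its owner, and the same files then appear owned by container root.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Plain DAC reasoning for a file owned by (st_uid, st_gid) with the given mode,
 * read by a process with (me_uid, me_gid). Deliberately ignores capabilities:
 * inside a user namespace CAP_DAC_OVERRIDE only applies to inodes whose owner
 * is mapped, and an owner reported as the overflow uid is by definition unmapped.
 * Returns 1 if readable, 0 otherwise. */
int can_read(uid_t st_uid, gid_t st_gid, mode_t mode, uid_t me_uid, gid_t me_gid)
{
    if (st_uid == me_uid)
        return (mode & S_IRUSR) != 0;
    if (st_gid == me_gid)
        return (mode & S_IRGRP) != 0;
    return (mode & S_IROTH) != 0;
}

/* Value the kernel reports for an unmappable uid; 65534 is the usual default. */
long read_overflowuid(void)
{
    char buf[32];
    int fd = open("/proc/sys/kernel/overflowuid", O_RDONLY);
    if (fd < 0)
        return 65534;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    if (n <= 0)
        return 65534;
    buf[n] = '\0';
    return strtol(buf, NULL, 10);
}

static int write_file(const char *path, const char *content)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, content, strlen(content));
    close(fd);
    return n == (ssize_t)strlen(content) ? 0 : -1;
}

struct probe { long uid, gid, mode; };

/* Runs in the child: new userns mapping our ids to 0, optionally a new netns,
 * then stat /proc/self/net/dev. Results (or uid == -1 on failure) go to the pipe. */
static void probe_child(int with_netns, int pipefd)
{
    struct probe p = { -1, -1, -1 };
    struct stat st;
    char map[64];
    if (unshare(CLONE_NEWUSER) != 0)
        goto out;
    snprintf(map, sizeof map, "0 %u 1", getuid());
    if (write_file("/proc/self/uid_map", map) != 0)
        goto out;
    write_file("/proc/self/setgroups", "deny");     /* required before gid_map */
    snprintf(map, sizeof map, "0 %u 1", getgid());
    if (write_file("/proc/self/gid_map", map) != 0)
        goto out;
    if (with_netns && unshare(CLONE_NEWNET) != 0)   /* the LXC-style fix */
        goto out;
    if (stat("/proc/self/net/dev", &st) != 0)
        goto out;
    p.uid = st.st_uid; p.gid = st.st_gid; p.mode = st.st_mode & 07777;
out:
    write(pipefd, &p, sizeof p);
}

/* Returns 0 and fills *out on success, -1 if the namespaces could not be set up. */
int proc_net_probe(int with_netns, struct probe *out)
{
    int fds[2];
    if (pipe(fds) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        close(fds[0]);
        probe_child(with_netns, fds[1]);
        _exit(0);
    }
    close(fds[1]);
    struct probe p = { -1, -1, -1 };
    read(fds[0], &p, sizeof p);
    close(fds[0]);
    waitpid(pid, NULL, 0);
    if (p.uid < 0)
        return -1;
    *out = p;
    return 0;
}

int main(void)
{
    const char *label[] = { "userns only        ", "userns + new netns " };
    for (int with_netns = 0; with_netns < 2; with_netns++) {
        struct probe p;
        if (proc_net_probe(with_netns, &p) != 0) {
            printf("%s: unshare refused (%s)\n", label[with_netns], strerror(errno));
            continue;
        }
        printf("%s: /proc/self/net/dev uid=%ld gid=%ld mode=%04lo readable-by-root=%d\n",
               label[with_netns], p.uid, p.gid, p.mode,
               can_read(p.uid, p.gid, p.mode, 0, 0));
    }
    return 0;
}
```

Run it as an ordinary user on a host with unprivileged user namespaces enabled: the first line shows the overflow uid (nobody) as owner, the second shows uid 0. Running it as host root makes both lines show uid 0, because host root is then mapped into the child namespace, which is the same reason the problem does not show up in privileged containers.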