
Re: libvirt-lxc: Permission issue of /proc/net



Hi Daniel,
My XML has an <interface> section. According to the documentation https://libvirt.org/drvlxc.html#securenetworking I have also tried with and without the <privnet/> parameter, but the files under /proc/net are still owned by user nobody.
As might be expected there is no such problem in privileged containers, as the root user is the same as on the host and the files in /proc/net are then owned by root, but to follow best practices I would like to use unprivileged containers.
I've used Fedora 33 as host and container. Could you check if this is reproducible on your setup?

BR,
John

On Thu, Dec 24, 2020 at 12:21 PM Daniel P. Berrange <dan berrange com> wrote:
On Tue, Dec 22, 2020 at 07:14:23PM +0200, John Hurnett wrote:
> Hi,
> I've encountered a problem that some of the /proc/net/ files can't be accessed
> in unprivileged containers, because they are owned by nobody:nogroup (-1:-1)
> and have 440 permissions.
> This exact issue was solved in LXC project by unsharing netns:
> https://github.com/lxc/lxc/commit/5b1e83cbc498cd3edeaf13afa987d530299a35a7
> . Maybe it could be similarly fixed on libvirt-lxc?

We already unshare netns when there is an <interface> in your XML
config for the container. Is that still leaving the permissions
issues? If so, maybe it's an ordering issue for the unshare.

Regards,
Daniel
--
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
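The ordering question raised in the thread can be checked from inside a container without touching libvirt or LXC. The script below is an added example, not code from this thread, from libvirt or from the LXC commit it links to. It does two things: it walks /proc/net and reports entries that appear owned by the kernel's overflow ids (the "nobody:nogroup" symptom), and it forks a child that first unshares a user namespace, stats /proc/self/net/dev (still the inherited network namespace, so its owner is root of the parent user namespace and shows up as the overflow uid when run as a non-root user), then unshares a network namespace from inside the new user namespace and stats again (now owned by mapped root, uid 0). The CLONE_NEWNET and CLONE_NEWUSER values are the ones from linux/sched.h; the demo assumes Linux with unprivileged user namespaces enabled and reports None where the kernel refuses.

```python
"""Diagnose /proc/net ownership inside a container and demonstrate why the
order of unshare(CLONE_NEWUSER) and unshare(CLONE_NEWNET) matters.

Added example; not code from libvirt, LXC or the mailing-list thread.
"""
import ctypes
import os
import stat

CLONE_NEWUSER = 0x10000000  # value from linux/sched.h
CLONE_NEWNET = 0x40000000   # value from linux/sched.h


def overflow_ids():
    """Read the kernel's overflow uid/gid: what unmapped ids are shown as."""
    try:
        with open("/proc/sys/kernel/overflowuid") as f:
            uid = int(f.read())
        with open("/proc/sys/kernel/overflowgid") as f:
            gid = int(f.read())
    except (OSError, ValueError):
        uid, gid = 65534, 65534  # kernel defaults
    return uid, gid


def classify(st_uid, st_gid, st_mode, overflow_uid=65534, overflow_gid=65534):
    """Diagnose one /proc/net entry; return None if it looks fine.

    The thread's symptom is owner nobody:nogroup with mode 0440: the network
    namespace is owned by a user namespace the container's ids are not mapped
    into, so root of that namespace is rendered as the overflow id."""
    overflow_owned = st_uid == overflow_uid and st_gid == overflow_gid
    world_readable = bool(st_mode & stat.S_IROTH)
    if overflow_owned and not world_readable:
        return "unreadable: owned by overflow ids, mode %o" % (st_mode & 0o777)
    if overflow_owned:
        return "owned by overflow ids (readable, but ownership looks wrong)"
    return None


def scan_proc_net(root="/proc/net"):
    """stat() every entry under root; return {name: diagnosis} for bad ones."""
    ouid, ogid = overflow_ids()
    findings = {}
    try:
        names = os.listdir(root)
    except OSError:
        return findings
    for name in sorted(names):
        try:
            st = os.stat(os.path.join(root, name))
        except OSError as e:
            findings[name] = "stat failed: %s" % e.strerror
            continue
        verdict = classify(st.st_uid, st.st_gid, st.st_mode, ouid, ogid)
        if verdict:
            findings[name] = verdict
    return findings


def demo_ordering():
    """Fork a child; return {'after_userns': uid, 'after_netns': uid} as seen
    by the child for /proc/self/net/dev, or None values if unshare is refused."""
    libc = ctypes.CDLL(None, use_errno=True)
    uid, gid = os.getuid(), os.getgid()
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:  # child
        os.close(r)
        out = b""
        try:
            if libc.unshare(CLONE_NEWUSER) != 0:
                raise OSError(ctypes.get_errno(), "unshare(CLONE_NEWUSER)")
            # Map our real ids to root inside the new user namespace.
            with open("/proc/self/setgroups", "w") as f:
                f.write("deny")
            with open("/proc/self/uid_map", "w") as f:
                f.write("0 %d 1" % uid)
            with open("/proc/self/gid_map", "w") as f:
                f.write("0 %d 1" % gid)
            # Inherited netns: owned by the parent user namespace's root.
            before = os.stat("/proc/self/net/dev").st_uid
            if libc.unshare(CLONE_NEWNET) != 0:
                raise OSError(ctypes.get_errno(), "unshare(CLONE_NEWNET)")
            # Fresh netns created from inside the user namespace: owned by us.
            after = os.stat("/proc/self/net/dev").st_uid
            out = ("%d %d" % (before, after)).encode()
        except Exception:
            pass
        os.write(w, out)
        os._exit(0)
    os.close(w)
    data = os.read(r, 64).split()
    os.close(r)
    os.waitpid(pid, 0)
    if len(data) != 2:
        return {"after_userns": None, "after_netns": None}
    return {"after_userns": int(data[0]), "after_netns": int(data[1])}


if __name__ == "__main__":
    for name, why in scan_proc_net().items():
        print("%-24s %s" % (name, why))
    print(demo_ordering())
```

When run as a non-root user on a host that permits unprivileged user namespaces, the demo prints the overflow uid (normally 65534) for `after_userns` and 0 for `after_netns`, which is the difference between a network namespace inherited from the host and one created after the container's user namespace. Run as root, `after_userns` is 0 as well, matching the observation in the thread that privileged containers do not show the problem.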

