libvirt users - Dec 2020 - libvirt-lxc: Permission issue of /proc/net

Hi,
I've encountered a problem that some of /proc/net/ files can't be
accessed
in unprivileged containers, because it is owned by nobody:nogroup (-1:-1)
and have 440 permissions.
This exact issue was solved in LXC project by unsharing netns:
https://github.com/lxc/lxc/commit/5b1e83cbc498cd3edeaf13afa987d530299a35a7
. Maybe it could be similarly fixed on libvirt-lxc?
BR,
John H.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://listman.redhat.com/archives/libvirt-users/attachments/20201222/5262b3df/attachment.htm>

On Tue, Dec 22, 2020 at 07:14:23PM +0200, John Hurnett
wrote:
> Hi,
> I've encountered a problem that some of /proc/net/ files can't be
accessed
> in unprivileged containers, because it is owned by nobody:nogroup (-1:-1)
> and have 440 permissions.
> This exact issue was solved in LXC project by unsharing netns:
> https://github.com/lxc/lxc/commit/5b1e83cbc498cd3edeaf13afa987d530299a35a7
> . Maybe it could be similarly fixed on libvirt-lxc?
We already unshare netns when there is an <interface> in your XML
config for the container. Is that still leaving the permissions
issues ? If so maybe its an ordering issue for the unshare.

Regards,
Daniel
--
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|