Hi Daniel,
My XML has an <interface> section. According to the documentation at https://libvirt.org/drvlxc.html#securenetworking I have also tried with and without the <privnet/> parameter, but still the files under /proc/net are owned by user nobody. I've used Fedora 33 as host and container. Could you check if this is reproducible on your setup?
As might be expected there is no such problem in privileged containers, as the root user is the same as on the host and the files in /proc/net are then owned by root, but to follow best practices I would like to use unprivileged containers.
BR,
John
On Thu, Dec 24, 2020 at 12:21 PM Daniel P. Berrange <dan@xxxxxxxxxxxx> wrote:
On Tue, Dec 22, 2020 at 07:14:23PM +0200, John Hurnett wrote:
> Hi,
> I've encountered a problem that some of the /proc/net/ files can't be accessed
> in unprivileged containers, because they are owned by nobody:nogroup (-1:-1)
> and have 440 permissions.
> This exact issue was solved in the LXC project by unsharing netns:
> https://github.com/lxc/lxc/commit/5b1e83cbc498cd3edeaf13afa987d530299a35a7
> Maybe it could be similarly fixed in libvirt-lxc?
We already unshare netns when there is an <interface> in your XML
config for the container. Is that still leaving the permissions
issues? If so, maybe it's an ordering issue for the unshare.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
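The "nobody:nogroup (-1:-1)" ownership described in this thread is what an unprivileged container sees when a /proc/net file is owned by a uid/gid that has no mapping in the container's user namespace: the kernel reports the overflow id (65534 by default, readable from /proc/sys/kernel/overflowuid). The script below is an added example, not part of the thread or of libvirt/LXC, that performs the check John asks for: it stats every regular file directly under /proc/net, decides whether the current uid/gids can read each one by the plain owner/group/other permission bits, and flags unreadable files whose owner is the overflow id. The function names, the ProcNetEntry record and the sample entries used in the usage notes are assumptions constructed for the example.

```python
import os
import stat
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Kernel default for overflowuid/overflowgid: ids with no mapping in the
# current user namespace are presented as this value ("nobody"/"nogroup").
DEFAULT_OVERFLOW_ID = 65534


@dataclass(frozen=True)
class ProcNetEntry:
    """One stat'ed file under /proc/net (hypothetical record type for this example)."""
    path: str
    uid: int
    gid: int
    mode: int  # permission bits only, e.g. 0o440


def read_overflow_id(sysctl_path: str = "/proc/sys/kernel/overflowuid") -> int:
    """Read the kernel's overflow uid; fall back to the documented default if unreadable."""
    try:
        with open(sysctl_path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return DEFAULT_OVERFLOW_ID


def scan_proc_net(directory: str = "/proc/net") -> List[ProcNetEntry]:
    """Stat every regular file directly under the given directory (no recursion).

    Returns an empty list when the directory cannot be listed, so the audit
    degrades gracefully on hosts without procfs.
    """
    entries: List[ProcNetEntry] = []
    try:
        names = sorted(os.listdir(directory))
    except OSError:
        return entries
    for name in names:
        path = os.path.join(directory, name)
        try:
            st = os.stat(path)
        except OSError:
            continue  # entry vanished or is not stat'able from this namespace
        if stat.S_ISREG(st.st_mode):
            entries.append(ProcNetEntry(path, st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode)))
    return entries


def is_readable_by(entry: ProcNetEntry, uid: int, gids: Iterable[int]) -> bool:
    """Classic owner/group/other read check.

    Deliberately ignores capabilities such as CAP_DAC_READ_SEARCH, which is
    the situation of an unprivileged container user hitting a 440 file.
    """
    if uid == entry.uid:
        return bool(entry.mode & stat.S_IRUSR)
    if entry.gid in set(gids):
        return bool(entry.mode & stat.S_IRGRP)
    return bool(entry.mode & stat.S_IROTH)


def classify(entry: ProcNetEntry, uid: int, gids: Iterable[int], overflow_id: int) -> str:
    """'ok' if readable; 'unmapped-owner' if blocked because the owner or group
    is the overflow id (i.e. unmapped in this user namespace); else 'unreadable'."""
    if is_readable_by(entry, uid, gids):
        return "ok"
    if entry.uid == overflow_id or entry.gid == overflow_id:
        return "unmapped-owner"
    return "unreadable"


def audit(entries: Iterable[ProcNetEntry], uid: int, gids: Iterable[int],
          overflow_id: int) -> Dict[str, List[str]]:
    """Group file paths by classification so a report can be printed or asserted on."""
    report: Dict[str, List[str]] = {"ok": [], "unmapped-owner": [], "unreadable": []}
    gid_set: Set[int] = set(gids)
    for entry in entries:
        report[classify(entry, uid, gid_set, overflow_id)].append(entry.path)
    return report


if __name__ == "__main__":
    # Run inside the container under test: any "unmapped-owner" entry is a file
    # whose owning uid/gid does not exist in the container's user namespace.
    overflow = read_overflow_id()
    my_gids = set(os.getgroups()) | {os.getegid()}
    result = audit(scan_proc_net(), os.geteuid(), my_gids, overflow)
    for bucket in ("unmapped-owner", "unreadable"):
        for path in result[bucket]:
            print(f"{bucket}: {path}")
    print(f"{len(result['ok'])} readable, {len(result['unmapped-owner'])} owned by the "
          f"overflow id {overflow}, {len(result['unreadable'])} otherwise unreadable")
```

Run it as the container's unprivileged user inside the container; on a host or privileged container where root is the same as on the host, the unmapped-owner bucket should be empty, which is the contrast the thread describes. Since the check is based only on the permission bits, a process holding CAP_DAC_READ_SEARCH could still read a file the script reports as unreadable.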