CFEngine Community / CFE-3429

Errors about /proc/net symlinks in unprivileged LXC containers


    Details

    • Type: Bug
    • Status: Open
    • Priority: (None)
    • Resolution: Unresolved
    • Affects Version/s: 3.15.2
    • Fix Version/s: None
    • Component/s: cf-agent
    • Labels:
      None

      Description

      When running an agent in an unprivileged LXC container (Ubuntu 20 container on an Ubuntu 20 host in my case), I get:

         error: Cannot follow symlink '/proc/net/netstat'; it is not owned by root or the user running this process, and the target owner and/or group differs from that of the symlink itself.
         error: Cannot follow symlink '/proc/net/route'; it is not owned by root or the user running this process, and the target owner and/or group differs from that of the symlink itself.
         error: Cannot follow symlink '/proc/net/snmp6'; it is not owned by root or the user running this process, and the target owner and/or group differs from that of the symlink itself.
         error: Cannot follow symlink '/proc/net/ipv6_route'; it is not owned by root or the user running this process, and the target owner and/or group differs from that of the symlink itself.
         error: Cannot follow symlink '/proc/net/if_inet6'; it is not owned by root or the user running this process, and the target owner and/or group differs from that of the symlink itself.
         error: Cannot follow symlink '/proc/net/dev'; it is not owned by root or the user running this process, and the target owner and/or group differs from that of the symlink itself.
      

      This happens because /proc/net is made of symlinks not owned by root:

      # ls -ahl /proc
      [...]
      lrwxrwxrwx   1 nobody          nogroup    8 Sep 28 13:54 net -> self/net
      [...]
      lrwxrwxrwx   1 nobody          nogroup    0 Sep 28 13:51 self -> 2607
      [...]
      dr-xr-xr-x   9 root            root       0 Sep 28 13:57 2607
      [...]
      

      We could maybe add a special exception in symlink checks as /proc/net is controlled by the kernel and not writable anyway.
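The ownership rule quoted in the error message, and the /proc exception the report proposes, reproduced as a small Python model. This is an added example, not cf-agent's code: `symlink_follow_allowed`, `is_kernel_controlled`, `check_path` and the `FakeStat` stand-in are hypothetical names, the `/proc/` prefix list is an assumption, and the uid/gid values for nobody:nogroup (65534) are constructed to mirror the `ls` output above.

```python
"""Model of a symlink-ownership check and of a /proc exception for it.

Added example (not CFEngine's own code). The rule follows the wording of the
cf-agent error: a symlink may be followed if it is owned by root or by the
user running the process, or if the link target has the same owner and group
as the link itself. In an unprivileged LXC container the kernel-created
/proc/net -> self/net link shows up as nobody:nogroup while its target is
root:root, so that rule refuses it.
"""
import os
import stat
from dataclasses import dataclass

ROOT_UID = 0


@dataclass(frozen=True)
class Owner:
    uid: int
    gid: int


def symlink_follow_allowed(link: Owner, target: Owner, self_uid: int) -> bool:
    """Ownership rule as stated in the error message (hypothetical name)."""
    if link.uid in (ROOT_UID, self_uid):
        return True
    return link.uid == target.uid and link.gid == target.gid


# Assumption: procfs is the only kernel-controlled tree we exempt.
KERNEL_CONTROLLED_PREFIXES = ("/proc/",)


def is_kernel_controlled(path: str) -> bool:
    """Proposed exception from the report: entries under /proc are synthesized
    by the kernel and not writable, so their apparent ownership says nothing
    about who could have planted the link (hypothetical helper)."""
    norm = os.path.normpath(path)
    return any(norm == p.rstrip("/") or norm.startswith(p)
               for p in KERNEL_CONTROLLED_PREFIXES)


def check_path(path: str, self_uid: int, lstat_fn=os.lstat, stat_fn=os.stat) -> str:
    """Classify a path: 'not_symlink', 'allowed', 'kernel_exception' or 'refused'.

    lstat_fn/stat_fn default to the real filesystem and are injectable so the
    container case can be reproduced offline with constructed stat results."""
    st = lstat_fn(path)
    if not stat.S_ISLNK(st.st_mode):
        return "not_symlink"
    link = Owner(st.st_uid, st.st_gid)
    tst = stat_fn(path)  # os.stat follows the link to its final target
    target = Owner(tst.st_uid, tst.st_gid)
    if symlink_follow_allowed(link, target, self_uid):
        return "allowed"
    if is_kernel_controlled(path):
        return "kernel_exception"
    return "refused"


class FakeStat:
    """Minimal stand-in for os.stat_result (constructed for the offline demo)."""

    def __init__(self, mode: int, uid: int, gid: int):
        self.st_mode, self.st_uid, self.st_gid = mode, uid, gid


# Constructed owners mirroring the ls output in the report.
NOBODY = Owner(65534, 65534)   # nobody:nogroup as seen inside the container
ROOT = Owner(0, 0)


def simulate_container_proc_net(self_uid: int = 0) -> str:
    """/proc/net/route inside an unprivileged LXC container: the link is
    nobody:nogroup, the resolved target under /proc/<pid>/net is root:root."""
    link_stat = FakeStat(stat.S_IFLNK | 0o777, NOBODY.uid, NOBODY.gid)
    target_stat = FakeStat(stat.S_IFREG | 0o444, ROOT.uid, ROOT.gid)
    return check_path("/proc/net/route", self_uid,
                      lstat_fn=lambda p: link_stat, stat_fn=lambda p: target_stat)


def simulate_user_symlink(self_uid: int = 0) -> str:
    """Same ownership pattern outside /proc: a link owned by an unrelated
    unprivileged user (constructed uid 1001) pointing at a root-owned file.
    The exception must not apply here; the refusal is the intended behaviour."""
    link_stat = FakeStat(stat.S_IFLNK | 0o777, 1001, 1001)
    target_stat = FakeStat(stat.S_IFREG | 0o644, ROOT.uid, ROOT.gid)
    return check_path("/tmp/some_link", self_uid,
                      lstat_fn=lambda p: link_stat, stat_fn=lambda p: target_stat)


if __name__ == "__main__":
    print("/proc/net/route in container:", simulate_container_proc_net())
    print("user-owned link in /tmp:", simulate_user_symlink())
```

The two simulations show why the exception has to be keyed on the path being kernel-controlled rather than relaxed in general: the same nobody-owned-link-to-root-file pattern is exactly what the check exists to refuse in a writable directory. Matching on a `/proc/` prefix assumes that what is mounted there really is procfs; a stricter variant would confirm the filesystem type of the mount before exempting the path.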

            People

            • Assignee: Unassigned
            • Reporter: amousset (Alexis Mousset)
            • Votes: 0
            • Watchers: 1
