[lxc] non-root, unpriv, network: "Failed to allocate new network namespace id" is irrelevant?


Иван Присяжный

Dec 15, 2021, 7:32:35 AM
to lxc-users
Hi all,

I am running unprivileged non-root containers (lxc 4.0.11:latest
head). Everything works well. But I see this message in a log:

   WARN start - start.c:lxc_spawn:1835 - Operation not permitted -
Failed to allocate new network namespace id

This message looks scary but if you look at the code, it actually
tries to create a netlink namespace (NEWNSID):

    ret = lxc_netns_set_nsid(handler->nsfd[LXC_NS_NET]);
    if (ret < 0)
        SYSWARN("Failed to allocate new network namespace id");

That must be equivalent AFAIU to:

    $ ip netns add blah

But this operation probably requires having root permissions to make a
shared mount point, besides having the right permissions for the path:

    mkdir("/var/run/netns", 0755) = -1 EACCES (Permission denied)
    mount("", "/var/run/netns", 0x55f1735bd91f, MS_REC|MS_SHARED,
NULL) = -1 EPERM (Operation not permitted)

For example:

    $ mount --make-shared /tmp/1
    mount: /tmp/1: must be superuser to use mount.

So, it seems to me, that it's impossible to create an ip netns if the
euid is non-root. Am I correct?

If I am correct about this, shouldn't we patch LXC not to try to call
lxc_netns_set_nsid() if it is running unpriv containers with euid !=

Related issue: https://github.com/lxc/lxc/issues/4045

-- Regards,
-- Ivan

Christian Brauner

Dec 16, 2021, 11:25:23 AM
to Иван Присяжный, lxc-users
Allocating a network namespace id requires privileges in the owning user
namespace of the network namespace. All containers that don't drop
CAP_NET_ADMIN in their user namespace will be sufficiently privileged to
allocate a new network namespace id provided they also create a new
network namespace. So privileged (without user namespaces) and
unprivileged (with user namespaces) containers are able to make use of
network namespaces identifiers.

Additionally, it is not required to create any sort of mounts. Network
namespace id allocation is solely done through netlink.
The mounts you're looking at are created by the ip tool to persist
network namespaces. They are unrelated to network namespace ids.

So my bet is that you're dropping CAP_NET_ADMIN or something.
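To make the two points in the reply above concrete (network namespace ids are allocated purely over netlink, no mount is involved, and the check is CAP_NET_ADMIN in the user namespace that owns the network namespace the netlink socket lives in), here is an added example; it is not part of the thread and not LXC's code. It forks, unshares a new user and network namespace as an ordinary user, sends an RTM_NEWNSID request over NETLINK_ROUTE to allocate an id for the original network namespace as a peer (the same message `ip netns set NAME auto` and LXC's lxc_netns_set_nsid() send), then drops CAP_NET_ADMIN with a raw capset and repeats the request, which the kernel refuses with EPERM. The function names (build_newnsid_req, alloc_netns_id, drop_cap_net_admin, run_demo) are this example's own, and it assumes a Linux kernel with unprivileged user namespaces enabled.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/capability.h>
#include <linux/net_namespace.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>

/* RTM_NEWNSID request: nlmsghdr + rtgenmsg + NETNSA_FD + NETNSA_NSID attributes. */
struct newnsid_req {
    struct nlmsghdr nlh;
    struct rtgenmsg gen;
    char attrs[48];           /* room for the two 4-byte attributes */
};

static void add_attr(struct nlmsghdr *nlh, unsigned short type, const void *data, int len)
{
    struct rtattr *rta = (struct rtattr *)((char *)nlh + NLMSG_ALIGN(nlh->nlmsg_len));
    rta->rta_type = type;
    rta->rta_len = RTA_LENGTH(len);
    memcpy(RTA_DATA(rta), data, len);
    nlh->nlmsg_len = NLMSG_ALIGN(nlh->nlmsg_len) + RTA_ALIGN(rta->rta_len);
}

/* Build the request for netns_fd; nsid = -1 lets the kernel pick a free id.
 * Returns the total nlmsg_len (36 bytes). */
int build_newnsid_req(struct newnsid_req *req, int netns_fd, int32_t nsid)
{
    memset(req, 0, sizeof(*req));
    req->nlh.nlmsg_len = NLMSG_LENGTH(sizeof(struct rtgenmsg));
    req->nlh.nlmsg_type = RTM_NEWNSID;
    req->nlh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
    req->nlh.nlmsg_seq = 1;
    req->gen.rtgen_family = AF_UNSPEC;
    add_attr(&req->nlh, NETNSA_FD, &netns_fd, sizeof(netns_fd));
    add_attr(&req->nlh, NETNSA_NSID, &nsid, sizeof(nsid));
    return (int)req->nlh.nlmsg_len;
}

/* Allocate an id for the netns behind netns_fd, as seen from the netns of a fresh
 * NETLINK_ROUTE socket. Returns 0 or the kernel's -errno from the NLMSG_ERROR ack.
 * The socket is created here on purpose: the kernel checks the credentials the
 * socket was created with, so it must be opened after unshare()/capset(). */
int alloc_netns_id(int netns_fd)
{
    struct newnsid_req req;
    char ack[512];
    struct nlmsghdr *nlh;
    int sock, len, err;

    sock = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_ROUTE);
    if (sock < 0)
        return -errno;
    len = build_newnsid_req(&req, netns_fd, -1);
    if (send(sock, &req, len, 0) != len) { err = -errno; close(sock); return err; }
    len = (int)recv(sock, ack, sizeof(ack), 0);
    if (len < 0) { err = -errno; close(sock); return err; }
    close(sock);
    nlh = (struct nlmsghdr *)ack;
    if (!NLMSG_OK(nlh, (unsigned)len) || nlh->nlmsg_type != NLMSG_ERROR)
        return -EPROTO;
    return ((struct nlmsgerr *)NLMSG_DATA(nlh))->error;   /* 0 on success */
}

/* Drop CAP_NET_ADMIN from the calling thread's capability sets (raw capset, no libcap). */
int drop_cap_net_admin(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];

    if (syscall(SYS_capget, &hdr, data) < 0)
        return -errno;
    data[0].effective   &= ~(1u << CAP_NET_ADMIN);   /* CAP_NET_ADMIN = 12, first word */
    data[0].permitted   &= ~(1u << CAP_NET_ADMIN);
    data[0].inheritable &= ~(1u << CAP_NET_ADMIN);
    if (syscall(SYS_capset, &hdr, data) < 0)
        return -errno;
    return 0;
}

struct demo_result {
    int unshare_rc;    /* 0 if unshare(CLONE_NEWUSER|CLONE_NEWNET) worked, else -errno */
    int privileged;    /* RTM_NEWNSID result while holding CAP_NET_ADMIN in the new user ns */
    int unprivileged;  /* same request after dropping CAP_NET_ADMIN (expect -EPERM) */
};

/* Run the experiment in a forked child so the caller's namespaces stay untouched. */
int run_demo(struct demo_result *r)
{
    int pipefd[2];
    pid_t pid;
    ssize_t n;

    if (pipe(pipefd) < 0)
        return -errno;
    pid = fork();
    if (pid < 0)
        return -errno;
    if (pid == 0) {
        struct demo_result res = { 0, 0, 0 };
        int orig_net = open("/proc/self/ns/net", O_RDONLY | O_CLOEXEC);  /* the peer */
        if (orig_net < 0 || unshare(CLONE_NEWUSER | CLONE_NEWNET) < 0) {
            res.unshare_rc = -errno;
        } else {
            res.privileged = alloc_netns_id(orig_net);
            res.unprivileged = drop_cap_net_admin();
            if (res.unprivileged == 0)
                res.unprivileged = alloc_netns_id(orig_net);
        }
        if (write(pipefd[1], &res, sizeof(res)) != (ssize_t)sizeof(res))
            _exit(1);
        _exit(0);
    }
    close(pipefd[1]);
    n = read(pipefd[0], r, sizeof(*r));
    close(pipefd[0]);
    waitpid(pid, NULL, 0);
    return n == (ssize_t)sizeof(*r) ? 0 : -EIO;
}

int main(void)
{
    struct demo_result r;

    if (run_demo(&r) < 0) { perror("run_demo"); return 1; }
    if (r.unshare_rc != 0) {
        printf("cannot create user+net namespace here: %s\n", strerror(-r.unshare_rc));
        return 1;
    }
    printf("with CAP_NET_ADMIN in the new user ns: %s\n",
           r.privileged == 0 ? "nsid allocated" : strerror(-r.privileged));
    printf("after dropping CAP_NET_ADMIN:          %s\n",
           r.unprivileged == 0 ? "nsid allocated" : strerror(-r.unprivileged));
    return 0;
}
```

Run it as a normal user; no /var/run/netns mount is touched at any point. If the first step reports "Operation not permitted" from unshare(), the kernel has unprivileged user namespaces disabled; if the first RTM_NEWNSID already fails with EPERM, the socket was created under credentials that lack CAP_NET_ADMIN in the owning user namespace, which is the situation the reply above describes for LXC's parent-side call.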