unprivileged container: allow access to /proc/sys/net/core

cheese2000

Oct 19, 2022
Hi all!

I am trying to use the libreswan 4.7 VPN software in an unprivileged Debian Bullseye container on Proxmox 7.2.

Libreswan does not start because it wants to look at /proc/sys/net/core/xfrm_acq_expires.
Note that the XFRM module is loaded on the host and that file is available on the host and in a privileged container.

Is there something I can change in the container config to make this file visible in the unprivileged container?
Or is this expected behavior for this specific setting in an unprivileged container?

Note that an older version of Libreswan, 3.7, did work in an unprivileged container and didn't try to access that particular file.
This newer version of libreswan is trying to read it, so maybe this is something I need to ask the libreswan team.

Thanks
You checked that "nesting" is enabled under your LXC's Options -> Features?:
nesting=<boolean> (default = 0)
Allow nesting. Best used with unprivileged containers with additional id mapping. Note that this will expose procfs and sysfs contents of the host to the guest.
You might still need to tinker with user remapping to give that LXC's user the rights to access stuff in your /proc.
> You checked that "nesting" is enabled under your LXC's Options -> Features?:
>
> You might still need to tinker with user remapping to give that LXC's user the rights to access stuff in your /proc.

Yes, nesting is enabled for the unprivileged container:

(Sorry, I should have mentioned that in the first message.)

Code:
#2022-10-19 container unprivileged=yes + nesting=yes
arch: amd64
cores: 4
features: nesting=1
hostname: [REDACTED]
memory: 4096
net0: [REDACTED]
net1: [REDACTED]
ostype: debian
rootfs: [REDACTED]
searchdomain: [REDACTED]
swap: 0
unprivileged: 1


> You might still need to tinker with user remapping to give that LXC's user the rights to access stuff in your /proc.

Any pointers to examples/documentation?

Maybe it is also worth mentioning that the contents of other folders under /proc/sys/net are not empty, e.g. /proc/sys/net/bridge/ and /proc/sys/net/ipv4/ list a bunch of files.
Who owns that "xfrm_acq_expires" file when you run ls -la /proc/sys/net/core from host and guest? And what are the file rights?
PVE remaps UIDs/GIDs 0-65535 to UIDs/GIDs 100000-165535. So for example the root user inside the LXC is reported as UID 0, but on the host it is actually an unprivileged user with UID 100000.
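To make the remapping described in the reply above concrete, here is an added shell example (not code from the thread or from Proxmox) that applies id-map lines in the `u|g <ct_start> <host_start> <count>` form LXC uses for lxc.idmap; its assumptions are the default 0-65535 -> 100000-165535 map from the reply and the kernel overflow id 65534 (nobody/nogroup) that unmapped owners are displayed as.

```shell
#!/bin/sh
# Added example (not from the thread): apply LXC id-map lines of the form
# "u|g <container_start> <host_start> <count>" (lxc.idmap syntax) to see
# which id a host file owner turns into inside an unprivileged container,
# and which host id a container id really is. The default map below is the
# one the reply describes; 65534 is the kernel overflow id that unmapped
# owners show up as (nobody/nogroup). Both values are assumptions.
DEFAULT_IDMAP='u 0 100000 65536
g 0 100000 65536'
OVERFLOW_ID=65534

# host_to_ct u|g HOST_ID [IDMAP]: id shown inside the container for HOST_ID
host_to_ct() {
    kind=$1; host_id=$2; idmap=${3:-$DEFAULT_IDMAP}; result=$OVERFLOW_ID
    while read -r k ct_start host_start count; do
        [ "$k" = "$kind" ] || continue
        if [ "$host_id" -ge "$host_start" ] && [ "$host_id" -lt $((host_start + count)) ]; then
            result=$((host_id - host_start + ct_start)); break
        fi
    done <<EOF
$idmap
EOF
    echo "$result"
}

# ct_to_host u|g CT_ID [IDMAP]: real host id behind a container id, or -1
ct_to_host() {
    kind=$1; ct_id=$2; idmap=${3:-$DEFAULT_IDMAP}; result=-1
    while read -r k ct_start host_start count; do
        [ "$k" = "$kind" ] || continue
        if [ "$ct_id" -ge "$ct_start" ] && [ "$ct_id" -lt $((ct_start + count)) ]; then
            result=$((ct_id - ct_start + host_start)); break
        fi
    done <<EOF
$idmap
EOF
    echo "$result"
}

# Name the well-known ids the way ls prints them in the listings above.
id_name() {
    case "$1/$2" in
        u/0|g/0) echo root ;;
        u/65534) echo nobody ;;
        g/65534) echo nogroup ;;
        *) echo "$2" ;;
    esac
}

# Walk-through: /proc/sys/net is root:root on the host, so with the default
# map an unprivileged container sees it as nobody:nogroup, while container
# root is really host uid 100000.
echo "host uid 0 -> container sees: $(id_name u "$(host_to_ct u 0)")"
echo "host gid 0 -> container sees: $(id_name g "$(host_to_ct g 0)")"
echo "container uid 0 -> host uid $(ct_to_host u 0)"
```

Passing a custom map such as `u 1000 1000 1` (one container id mapped onto the same host id, with the ranges around it shifted accordingly) is the kind of lxc.idmap tinkering the reply refers to; the functions accept it as their optional third argument.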
I was under the impression that having nesting=1 would expose the procfs and sysfs contents of the host to the guest.

It seems that in the container not all files are available in some of the subdirectories of /proc/sys/net/.
The files in /proc/sys/net/bridge/ are accessible in the container, but /proc/sys/net/core/ is empty.
I am not seeing any obvious differences:

On the host I see the following:
Code:
$ ls -laF /proc/sys/net/
total 0
dr-xr-xr-x 1 root root 0 Jul  7 23:19 ./
dr-xr-xr-x 1 root root 0 Jul  7 23:18 ../
dr-xr-xr-x 1 root root 0 Oct 10 17:32 bridge/
dr-xr-xr-x 1 root root 0 Oct 10 17:21 core/
dr-xr-xr-x 1 root root 0 Jul  7 23:19 ipv4/
dr-xr-xr-x 1 root root 0 Jul  7 23:19 ipv6/
dr-xr-xr-x 1 root root 0 Oct 10 17:32 iw_cm/
dr-xr-xr-x 1 root root 0 Oct 10 17:32 mptcp/
dr-xr-xr-x 1 root root 0 Oct 10 17:32 netfilter/
dr-xr-xr-x 1 root root 0 Oct 10 17:32 unix/

$ ls -laF /proc/sys/net/core
total 0
dr-xr-xr-x 1 root root 0 Oct 10 17:21 ./
dr-xr-xr-x 1 root root 0 Jul  7 23:19 ../
-rw-r--r-- 1 root root 0 Oct 10 17:32 bpf_jit_enable
-rw------- 1 root root 0 Oct 10 17:32 bpf_jit_harden
-rw------- 1 root root 0 Oct 10 17:32 bpf_jit_kallsyms
-rw------- 1 root root 0 Oct 10 17:32 bpf_jit_limit
-rw-r--r-- 1 root root 0 Oct 10 17:32 busy_poll
-rw-r--r-- 1 root root 0 Oct 10 17:32 busy_read
-rw-r--r-- 1 root root 0 Oct 10 17:32 default_qdisc
-rw-r--r-- 1 root root 0 Oct 10 17:32 devconf_inherit_init_net
-rw-r--r-- 1 root root 0 Oct 10 17:32 dev_weight
-rw-r--r-- 1 root root 0 Oct 10 17:32 dev_weight_rx_bias
-rw-r--r-- 1 root root 0 Oct 10 17:32 dev_weight_tx_bias
-rw-r--r-- 1 root root 0 Oct 10 17:32 fb_tunnels_only_for_init_net
-rw-r--r-- 1 root root 0 Oct 10 17:32 flow_limit_cpu_bitmap
-rw-r--r-- 1 root root 0 Oct 10 17:32 flow_limit_table_len
-rw-r--r-- 1 root root 0 Oct 10 17:32 gro_normal_batch
-rw-r--r-- 1 root root 0 Oct 10 17:32 high_order_alloc_disable
-rw-r--r-- 1 root root 0 Oct 10 17:32 max_skb_frags
-rw-r--r-- 1 root root 0 Oct 10 17:32 message_burst
-rw-r--r-- 1 root root 0 Oct 10 17:32 message_cost
-rw-r--r-- 1 root root 0 Oct 10 17:32 netdev_budget
-rw-r--r-- 1 root root 0 Oct 10 17:32 netdev_budget_usecs
-rw-r--r-- 1 root root 0 Oct 10 17:32 netdev_max_backlog
-r--r--r-- 1 root root 0 Oct 10 17:32 netdev_rss_key
-rw-r--r-- 1 root root 0 Oct 10 17:32 netdev_tstamp_prequeue
-rw-r--r-- 1 root root 0 Oct 10 17:32 netdev_unregister_timeout_secs
-rw-r--r-- 1 root root 0 Oct 10 17:32 optmem_max
-rw-r--r-- 1 root root 0 Oct 10 17:32 rmem_default
-rw-r--r-- 1 root root 0 Oct 10 17:32 rmem_max
-rw-r--r-- 1 root root 0 Oct 10 17:32 rps_sock_flow_entries
-rw-r--r-- 1 root root 0 Oct 10 17:32 somaxconn
-rw-r--r-- 1 root root 0 Oct 10 17:32 tstamp_allow_data
-rw-r--r-- 1 root root 0 Oct 10 17:32 warnings
-rw-r--r-- 1 root root 0 Oct 10 17:32 wmem_default
-rw-r--r-- 1 root root 0 Oct 10 17:32 wmem_max
-rw-r--r-- 1 root root 0 Oct 10 17:21 xfrm_acq_expires
-rw-r--r-- 1 root root 0 Oct 10 17:32 xfrm_aevent_etime
-rw-r--r-- 1 root root 0 Oct 10 17:32 xfrm_aevent_rseqth
-rw-r--r-- 1 root root 0 Oct 10 17:32 xfrm_larval_drop

$ ls -laF /proc/sys/net/bridge/
total 0
dr-xr-xr-x 1 root root 0 Oct 10 17:32 ./
dr-xr-xr-x 1 root root 0 Jul  7 23:19 ../
-rw-r--r-- 1 root root 0 Oct 20 13:01 bridge-nf-call-arptables
-rw-r--r-- 1 root root 0 Oct 20 13:01 bridge-nf-call-ip6tables
-rw-r--r-- 1 root root 0 Oct 20 13:01 bridge-nf-call-iptables
-rw-r--r-- 1 root root 0 Oct 20 13:01 bridge-nf-filter-pppoe-tagged
-rw-r--r-- 1 root root 0 Oct 20 13:01 bridge-nf-filter-vlan-tagged
-rw-r--r-- 1 root root 0 Oct 20 13:01 bridge-nf-pass-vlan-input-dev

Inside the container I see the following:
Code:
# ls -laF /proc/sys/net/
total 0
dr-xr-xr-x 1 nobody nogroup 0 Oct 20 13:25 ./
dr-xr-xr-x 1 nobody nogroup 0 Oct 20 13:25 ../
dr-xr-xr-x 1 root   root    0 Oct 20 13:26 bridge/
dr-xr-xr-x 1 root   root    0 Oct 20 13:26 core/
dr-xr-xr-x 1 root   root    0 Oct 20 13:26 ipv4/
dr-xr-xr-x 1 root   root    0 Oct 20 13:26 ipv6/
dr-xr-xr-x 1 root   root    0 Oct 20 13:26 mptcp/
dr-xr-xr-x 1 root   root    0 Oct 20 13:26 netfilter/
dr-xr-xr-x 1 root   root    0 Oct 20 13:25 unix/

# ls -laF /proc/sys/net/core
total 0
dr-xr-xr-x 1 root   root    0 Oct 20 13:26 ./
dr-xr-xr-x 1 nobody nogroup 0 Oct 20 13:25 ../

# ls -laF /proc/sys/net/bridge/
total 0
dr-xr-xr-x 1 root   root    0 Oct 20 13:26 ./
dr-xr-xr-x 1 nobody nogroup 0 Oct 20 13:25 ../
-rw-r--r-- 1 root   root    0 Oct 20 13:27 bridge-nf-call-arptables
-rw-r--r-- 1 root   root    0 Oct 20 13:27 bridge-nf-call-ip6tables
-rw-r--r-- 1 root   root    0 Oct 20 13:27 bridge-nf-call-iptables
-rw-r--r-- 1 root   root    0 Oct 20 13:27 bridge-nf-filter-pppoe-tagged
-rw-r--r-- 1 root   root    0 Oct 20 13:27 bridge-nf-filter-vlan-tagged
-rw-r--r-- 1 root   root    0 Oct 20 13:27 bridge-nf-pass-vlan-input-dev

Inside the container I see these mounts:
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
proc on /proc/sys/net type proc (rw,nosuid,nodev,noexec,relatime)

Why isn't /proc/sys/net/bridge/ empty?