Project

General

Custom queries

Profile

Actions

Bug #15636

closed

Errors with Rudder agent on unprivileged containers (LXC)

Added by Stefan Schmitt almost 6 years ago. Updated about 2 years ago.

Status:
Released
Priority:
N/A
Category:
Agent
Target version:
Severity:
Major - prevents use of part of Rudder | no simple workaround
UX impact:
I dislike using that feature
User visibility:
Operational - other Techniques | Rudder settings | Plugins
Effort required:
Priority:
97
Name check:
To do
Fix check:
To do
Regression:
No

Description

If you are using rudder agent on an unprivileged container you get the following errors on rudder agent update or rudder agent run :

Version: Rudder agent 5.0.12-stretch0
running on LXC Container within Proxmox VE hypervisor

   error: Cannot follow symlink '/proc/net/netstat'; it is not owned by root or the user running this process, and the                                       target owner and/or group differs from that of the symlink itself.
   error: Cannot follow symlink '/proc/net/route'; it is not owned by root or the user running this process, and the ta                                      rget owner and/or group differs from that of the symlink itself.
   error: Cannot follow symlink '/proc/net/snmp6'; it is not owned by root or the user running this process, and the ta                                      rget owner and/or group differs from that of the symlink itself.
   error: Cannot follow symlink '/proc/net/ipv6_route'; it is not owned by root or the user running this process, and t                                      he target owner and/or group differs from that of the symlink itself.
   error: Cannot follow symlink '/proc/net/if_inet6'; it is not owned by root or the user running this process, and the                                       target owner and/or group differs from that of the symlink itself.
   error: Cannot follow symlink '/proc/net/dev'; it is not owned by root or the user running this process, and the targ                                      et owner and/or group differs from that of the symlink itself.
Actions #2

Updated by Alexis Mousset almost 5 years ago

# ls -ahl /proc
[...]
lrwxrwxrwx   1 nobody          nogroup            8 Sep 28 13:54 net -> self/net
[...]
lrwxrwxrwx   1 nobody          nogroup            0 Sep 28 13:51 self -> 2607
[...]
dr-xr-xr-x   9 root            root               0 Sep 28 13:57 2607
[...]
Actions #8

Updated by Mathias B. over 4 years ago

Still an issue on Rudder agent version 6.2.0~beta1 on Debian 10 (buster), on an unprivilegied LXC container running on Proxmox.

Output when running rudder agent update:

error: Cannot follow symlink '/proc/net/netstat'; it is not owned by root or the user running this process, and the target owner and/or group differs from that of the symlink itself.
error: Cannot follow symlink '/proc/net/route'; it is not owned by root or the user running this process, and the target owner and/or group differs from that of the symlink itself.
error: Cannot follow symlink '/proc/net/snmp6'; it is not owned by root or the user running this process, and the target owner and/or group differs from that of the symlink itself.
error: Cannot follow symlink '/proc/net/ipv6_route'; it is not owned by root or the user running this process, and the target owner and/or group differs from that of the symlink itself.
error: Cannot follow symlink '/proc/net/if_inet6'; it is not owned by root or the user running this process, and the target owner and/or group differs from that of the symlink itself.
error: Cannot follow symlink '/proc/net/dev'; it is not owned by root or the user running this process, and the target owner and/or group differs from that of the symlink itself.

Output of ls -l /proc:

...
lrwxrwxrwx 1 nobody nogroup 8 Nov 11 19:22 net -> self/net
...
lrwxrwxrwx 1 nobody nogroup 0 Nov 11 17:24 self -> 22206
...
dr-xr-xr-x 9 root root 0 Nov 11 19:22 22206
...
rudder agent health returns "OK".
Actions #27

Updated by Stefan Schmitt about 3 years ago

Still an issue on Rudder agent version 7.1.1 on Debian 11 (bullseye), on an unprivilegied LXC container running on Proxmox.

Actions #28

Updated by Nicolas CHARLES about 3 years ago

It still happens, and makes the "rudder agent update" command output the error message

error: Rudder agent policies could not be updated.

Actions #29

Updated by Alexis Mousset about 3 years ago

I'll work on this one next week or the following.

Actions #33

Updated by Benoît PECCATTE over 2 years ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Benoît PECCATTE to Alexis Mousset
  • Pull Request set to https://github.com/Normation/rudder-packages/pull/2719
Actions #34

Updated by Benoît PECCATTE about 2 years ago

  • Pull Request changed from https://github.com/Normation/rudder-packages/pull/2719 to https://github.com/Normation/rudder-packages/pull/2727
Actions #36

Updated by Benoît PECCATTE about 2 years ago

  • Status changed from Pending technical review to Pending release
Actions #37

Updated by Vincent MEMBRÉ about 2 years ago

  • Status changed from Pending release to Released
  • Priority changed from 96 to 97

This bug has been fixed in Rudder 7.2.7 and 7.3.2 which were released today.

Actions

Also available in: Atom PDF