
fdb entry cannot be removed from inside an unprivileged container

Open ne-vlezay80 opened this issue 1 year ago • 3 comments

Required information

  • Distribution: devuan
  • Distribution version: 5.0
  • The output of "snap list --all lxd core20 core22 core24 snapd":
  • The output of "lxc info" or if that fails:
    • Kernel version: 6.1.0-18-rt-amd64
    • LXC version: 5.0.2
    • LXD version: 5.0.2
    • Storage backend in use: default

Issue description

If I attempt to remove an fdb entry from an unprivileged container, I get an "Operation not permitted" error from the unprivileged container.

Steps to reproduce

  1. lxc exec test2 sh
  2. run bridge fdb delete 3e:9a:7d:d6:15:91 dev vxlan10 dst 192.168.80.3

Information to attach

  • [ ] Any relevant kernel output (dmesg)
  • [ ] Container log (lxc info NAME --show-log)
  • [ ] Container configuration (lxc config show NAME --expanded)
  • [ ] Main daemon log (at /var/log/lxd/lxd.log or /var/snap/lxd/common/lxd/logs/lxd.log)
  • [ ] Output of the client with --debug
  • [ ] Output of the daemon with --debug (alternatively output of lxc monitor while reproducing the issue)

root@rvdevel:/home/user# lxc exec test3 sh

Manually remove the fdb entry from the bridge or vxlan device:

~ # bridge fdb delete 3e:9a:7d:d6:15:91 dev vxlan10 dst 192.168.80.3
RTNETLINK answers: Operation not permitted

or from frr:

Mar  2 01:22:24 test3 daemon.debug zebra[368]: [J87BH-XW5PP] netlink_route_multipath_msg_encode: 172.30.255.2/32 nhg_id is 21
Mar  2 01:22:24 test3 daemon.debug zebra[368]: [HYEHE-CQZ9G] nl_batch_send: netlink-dp (NS 0), batch size=104, msg cnt=2
Mar  2 01:22:26 test3 daemon.debug zebra[368]: [KMXEB-K771Y] netlink_parse_info: netlink-listen (NS 0) type RTM_NEWNEIGH(28), len=76, seq=0, pid=0
Mar  2 01:22:26 test3 daemon.debug zebra[368]: [TDS34-MNEJW]     Neighbor Entry received is not on a VLAN or a BRIDGE, ignoring
Mar  2 01:22:26 test3 daemon.debug zebra[368]: [KKAC1-JMWTB] Rx RTM_NEWNEIGH family ipv4 IF eth0(18) vrf default(0) IP 192.168.80.3 MAC 00:16:3e:13:8c:0b state 0x2 flags 0x0 ext_flags 0x0
Mar  2 01:22:35 test3 daemon.debug zebra[368]: [HYEHE-CQZ9G] nl_batch_send: netlink-dp (NS 0), batch size=64, msg cnt=1
Mar  2 01:22:35 test3 daemon.debug zebra[368]: [MQ5AP-2S1F5] netlink-dp (NS 0) error: Operation not permitted, type=RTM_DELNEIGH(29), seq=85, pid=2549740416
Mar  2 01:22:35 test3 daemon.debug zebra[368]: [QTT8V-3ZQ34] nl_batch_read_resp: netlink error message seq=85 

ne-vlezay80 avatar Mar 02 '24 01:03 ne-vlezay80

@mihalicyn is this something we would expect not to be possible from inside an unprivileged container?

tomponline avatar Mar 05 '24 08:03 tomponline

@mihalicyn is this something we would expect not to be possible from inside an unprivileged container?

yes

ne-vlezay80 avatar Mar 05 '24 14:03 ne-vlezay80

OK thanks for confirmation.

tomponline avatar Mar 05 '24 19:03 tomponline
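The following is an added example, not code from LXD, FRR or the issue author. It builds by hand the RTM_DELNEIGH message that both `bridge fdb delete 3e:9a:7d:d6:15:91 dev vxlan10 dst 192.168.80.3` and zebra send for this operation (the zebra log above shows `type=RTM_DELNEIGH(29)`), decodes the kernel's NLMSG_ERROR reply into an errno, and checks `/proc/self/uid_map` to tell an unprivileged container apart from the initial user namespace. The explanation string is my reading of the kernel's `rtnl_fdb_del()` entry check (`netlink_capable(skb, CAP_NET_ADMIN)`, which tests the capability in the initial user namespace); the thread confirms only the observable effect. The device name, MAC and destination come from the reproduction steps; the `fdb_delete()` wrapper is a helper written for this example.

```python
"""Reproduce `bridge fdb delete MAC dev DEV dst IP` at the netlink level and
explain an EPERM reply from inside an unprivileged container.
Added example, not LXD/FRR/iproute2 code."""
import errno
import os
import socket
import struct

# Values from <linux/netlink.h>, <linux/rtnetlink.h> and <linux/neighbour.h>
NETLINK_ROUTE = 0
NLM_F_REQUEST = 0x01
NLM_F_ACK = 0x04
NLMSG_ERROR = 0x02
RTM_DELNEIGH = 29        # "type=RTM_DELNEIGH(29)" in the zebra log
AF_BRIDGE = 7            # fdb entries are neighbour messages with family AF_BRIDGE
NUD_NOARP = 0x40
NTF_SELF = 0x02          # iproute2 default when neither "self" nor "master" is given
NDA_DST = 1              # for a VXLAN fdb entry: the remote VTEP IP
NDA_LLADDR = 2           # the MAC address of the entry

NLMSG_HDR = struct.Struct("=IHHII")   # struct nlmsghdr (16 bytes)
NDMSG = struct.Struct("=BBHiHBB")     # struct ndmsg (12 bytes)
NLATTR = struct.Struct("=HH")         # struct nlattr (4 bytes)


def nla(attr_type: int, payload: bytes) -> bytes:
    """Encode one netlink attribute, padded to a 4-byte boundary."""
    body = NLATTR.pack(NLATTR.size + len(payload), attr_type) + payload
    return body + b"\0" * (-len(body) % 4)


def build_fdb_delete(ifindex: int, mac: str, dst: str, seq: int = 1) -> bytes:
    """RTM_DELNEIGH request equivalent to `bridge fdb delete MAC dev IF dst DST`."""
    lladdr = bytes.fromhex(mac.replace(":", ""))
    if len(lladdr) != 6:
        raise ValueError("MAC must be 6 octets")
    payload = NDMSG.pack(AF_BRIDGE, 0, 0, ifindex, NUD_NOARP, NTF_SELF, 0)
    payload += nla(NDA_LLADDR, lladdr)
    payload += nla(NDA_DST, socket.inet_aton(dst))
    hdr = NLMSG_HDR.pack(NLMSG_HDR.size + len(payload), RTM_DELNEIGH,
                         NLM_F_REQUEST | NLM_F_ACK, seq, 0)
    return hdr + payload


def parse_ack(reply: bytes) -> int:
    """Return the errno carried by an NLMSG_ERROR reply (0 means the ACK)."""
    _len, msg_type, _flags, _seq, _pid = NLMSG_HDR.unpack_from(reply)
    if msg_type != NLMSG_ERROR:
        raise ValueError(f"unexpected netlink message type {msg_type}")
    (error,) = struct.unpack_from("=i", reply, NLMSG_HDR.size)  # nlmsgerr.error
    return -error


def in_initial_user_ns(uid_map: str) -> bool:
    """True when /proc/self/uid_map is the identity map of the initial user namespace.
    An unprivileged LXD container sees something like "0 1000000 1000000000"."""
    return uid_map.split()[:3] == ["0", "0", "4294967295"]


def explain(err: int, uid_map: str) -> str:
    """Turn the errno into a one-line diagnosis for the operator."""
    if err == 0:
        return "fdb entry deleted"
    if err == errno.EPERM and not in_initial_user_ns(uid_map):
        # Assumption: rtnl_fdb_del() gates the request on CAP_NET_ADMIN in the
        # initial user namespace, which a user-namespaced container never holds.
        return ("EPERM: fdb add/delete needs CAP_NET_ADMIN in the initial user "
                "namespace; CAP_NET_ADMIN inside the container's namespace is not enough")
    return f"{errno.errorcode.get(err, err)}: {os.strerror(err)}"


def fdb_delete(ifname: str, mac: str, dst: str) -> int:
    """Send the request over NETLINK_ROUTE and return the kernel's errno (helper, not iproute2)."""
    sock = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, NETLINK_ROUTE)
    try:
        sock.bind((0, 0))
        sock.send(build_fdb_delete(socket.if_nametoindex(ifname), mac, dst))
        return parse_ack(sock.recv(4096))
    finally:
        sock.close()


if __name__ == "__main__":
    with open("/proc/self/uid_map") as f:
        current_map = f.read()
    result = fdb_delete("vxlan10", "3e:9a:7d:d6:15:91", "192.168.80.3")
    print(explain(result, current_map))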