test: add integration and smoke tests (#4)
This commit is contained in:
JY Tan
@@ -1,5 +1,82 @@
|
||||
# Troubleshooting
|
||||
|
||||
## "bwrap: loopback: Failed RTM_NEWADDR: Operation not permitted" (Linux)
|
||||
|
||||
This error occurs when fence tries to create a network namespace but the environment lacks the `CAP_NET_ADMIN` capability. This is common in:
|
||||
|
||||
- **Docker containers** (unless run with `--privileged` or `--cap-add=NET_ADMIN`)
|
||||
- **GitHub Actions** and other CI runners
|
||||
- **Ubuntu 24.04+** with restrictive AppArmor policies
|
||||
- **Kubernetes pods** without elevated security contexts
|
||||
|
||||
**What happens now:**
|
||||
|
||||
Fence automatically detects this limitation and falls back to running **without network namespace isolation**. The sandbox still provides:
|
||||
|
||||
- Filesystem restrictions (read-only root, allowWrite paths)
|
||||
- PID namespace isolation
|
||||
- Seccomp syscall filtering
|
||||
- Landlock (if available)
|
||||
|
||||
**What's reduced:**
|
||||
|
||||
- Network isolation via namespace is skipped
|
||||
- The proxy-based domain filtering still works (via `HTTP_PROXY`/`HTTPS_PROXY`)
|
||||
- But programs that bypass proxy env vars won't be network-isolated
|
||||
|
||||
**To check if your environment supports network namespaces:**
|
||||
|
||||
```bash
|
||||
fence --linux-features
|
||||
```
|
||||
|
||||
Look for "Network namespace (--unshare-net): true/false"
|
||||
|
||||
**Solutions if you need full network isolation:**
|
||||
|
||||
1. **Run with elevated privileges:**
|
||||
|
||||
```bash
|
||||
sudo fence <command>
|
||||
```
|
||||
|
||||
2. **In Docker, add capability:**
|
||||
|
||||
```bash
|
||||
docker run --cap-add=NET_ADMIN ...
|
||||
```
|
||||
|
||||
3. **In GitHub Actions**, this typically isn't possible without self-hosted runners with elevated permissions.
|
||||
|
||||
4. **On Ubuntu 24.04+**, you may need to modify AppArmor profiles (see [Ubuntu bug 2069526](https://bugs.launchpad.net/bugs/2069526)).
|
||||
|
||||
## "bwrap: setting up uid map: Permission denied" (Linux)
|
||||
|
||||
This error occurs when bwrap cannot create user namespaces. This typically happens when:
|
||||
|
||||
- The `uidmap` package is not installed
|
||||
- `/etc/subuid` and `/etc/subgid` are not configured for your user
|
||||
- bwrap is not setuid
|
||||
|
||||
**Quick fix (if you have root access):**
|
||||
|
||||
```bash
|
||||
# Install uidmap
|
||||
sudo apt install uidmap # Debian/Ubuntu
|
||||
|
||||
# Make bwrap setuid
|
||||
sudo chmod u+s $(which bwrap)
|
||||
```
|
||||
|
||||
**Or configure subuid/subgid for your user:**
|
||||
|
||||
```bash
|
||||
echo "$(whoami):100000:65536" | sudo tee -a /etc/subuid
|
||||
echo "$(whoami):100000:65536" | sudo tee -a /etc/subgid
|
||||
```
|
||||
|
||||
On most systems with package-manager-installed bwrap, this error shouldn't occur. If it does, your system may have non-standard security policies.
|
||||
|
||||
## "curl: (56) CONNECT tunnel failed, response 403"
|
||||
|
||||
This usually means:
|
||||
|
||||
Reference in New Issue
Block a user