Summary
In containerized Kubernetes deployments, reading log files from /var/log/containers/ fails with a path escapes from parent error, even when the directory is included in AllowedPaths.
Root Cause
On Kubernetes nodes, /var/log/containers/*.log files are symlinks pointing into /var/log/pods/...:
/var/log/containers/some-pod_namespace_container-<hash>.log -> /var/log/pods/.../0.log
rshell's AllowedPaths sandbox is backed by Go's os.Root / openat syscall, which rejects symlinks whose targets escape the configured root. Since the symlink target (/var/log/pods/...) escapes the root set to e.g. /host/var/log, the read fails.
Error
cat: /host/var/log/containers/<pod-name>.log: openat <pod-name>.log: path escapes from parent
Observed Behavior
- Reading files from
/var/log/pods/ works fine (no symlinks involved).
- Reading files from
/var/log/containers/ fails — these are symlinks into /var/log/pods/.
- Adding a second allowed root (e.g.
/var/log) does not resolve the issue: os.Root cannot follow a symlink from one root into another.
Expected Behavior
Log files in /var/log/containers/ should be readable when the directory is within AllowedPaths, since the symlink targets ultimately resolve to files on the same node filesystem.
Additional Notes
ls does not display symlink targets (-> destination), making this hard to diagnose from inside the shell. Improving ls -l to show symlink info would help operators debug this class of issue.- The underlying general problem of symlinks crossing allowed-path roots is tracked separately.
Summary
In containerized Kubernetes deployments, reading log files from
/var/log/containers/fails with apath escapes from parenterror, even when the directory is included inAllowedPaths.Root Cause
On Kubernetes nodes,
/var/log/containers/*.logfiles are symlinks pointing into/var/log/pods/...:rshell's
AllowedPathssandbox is backed by Go'sos.Root/openatsyscall, which rejects symlinks whose targets escape the configured root. Since the symlink target (/var/log/pods/...) escapes the root set to e.g./host/var/log, the read fails.Error
Observed Behavior
/var/log/pods/works fine (no symlinks involved)./var/log/containers/fails — these are symlinks into/var/log/pods/./var/log) does not resolve the issue:os.Rootcannot follow a symlink from one root into another.Expected Behavior
Log files in
/var/log/containers/should be readable when the directory is withinAllowedPaths, since the symlink targets ultimately resolve to files on the same node filesystem.Additional Notes
lsdoes not display symlink targets (->destination), making this hard to diagnose from inside the shell. Improvingls -lto show symlink info would help operators debug this class of issue.