Why would creating a user namespace with size 1 work but size >1 fail



























I am experimenting with unprivileged Linux containers and I am writing a Go program that creates a minimalist container. The program forks itself and creates namespaces in the process. However, for some reason, if I set the user namespace size to greater than 1, it fails when running as a regular user.



    cmd := exec.Command("/proc/self/exe", "run-container")
    cmd.SysProcAttr = &syscall.SysProcAttr{
        Cloneflags:   syscall.CLONE_NEWUSER | syscall.CLONE_NEWUTS | syscall.CLONE_NEWPID | syscall.CLONE_NEWNS,
        Unshareflags: syscall.CLONE_NEWNS,
        // UidMappings/GidMappings are slices of SysProcIDMap; os/exec writes them
        // into /proc/<pid>/uid_map and gid_map of the child from the parent process.
        UidMappings: []syscall.SysProcIDMap{
            {
                ContainerID: 0,
                HostID:      os.Getuid(),
                Size:        1, // set this to 2 or more and it fails
            },
        },
        GidMappings: []syscall.SysProcIDMap{
            {
                ContainerID: 0,
                HostID:      os.Getgid(),
                Size:        1,
            },
        },
    }
    // other flags: CLONE_NEWNET, CLONE_NEWIPC, CLONE_NEWCGROUP, CLONE_NEWUSER,
    cmd.Stdin = os.Stdin
    cmd.Stdout = os.Stdout
    cmd.Stderr = os.Stderr

    err := cmd.Run()
    if err != nil {
        fmt.Println("ERROR: parent cmd.Run", err)
        os.Exit(1)
    }


The code above (along with all the other stuff like pivot_root etc.) works fine. But the moment I set Size to 2, it bombs:



    ERROR: parent cmd.Run fork/exec /proc/self/exe: operation not permitted


This seems to be a capabilities issue because when I run as root it works.



Or it has something to do with something else. I can't figure it out.



Here is my /etc/subuid, should it help:



    lxd:1000:1
    root:1000:1
    lxd:100000:65536
    root:100000:65536
    developer:165536:65536
    mounter:231072:65536


Thanks!









      linux userns





      asked 3 mins ago









teleclimber
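As an added example (not the asker's code) of how rootless runtimes obtain a mapping wider than one ID: user_namespaces(7) lets a writer without CAP_SETUID in the parent namespace put only a single line into /proc/<pid>/uid_map, mapping its own effective UID with a count of 1, and Go's os/exec writes that file itself from the unprivileged parent, which is why Size: 1 works and Size: 2 fails with EPERM. Wider mappings are delegated to the setuid helpers newuidmap and newgidmap from shadow-utils, which consult /etc/subuid and /etc/subgid; the code below parses the /etc/subuid pasted in the question (embedded as a constructed sample) and builds the helper's argument list for a child cloned with CLONE_NEWUSER but without UidMappings/GidMappings. The user name "developer", the child pid 4242 and the host UID 1001 are assumed values.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

type IDRange struct{ Start, Count int } // one "user:start:count" line

// Constructed sample: the /etc/subuid pasted in the question.
const sampleSubuid = "lxd:1000:1\nroot:1000:1\nlxd:100000:65536\n" +
	"root:100000:65536\ndeveloper:165536:65536\nmounter:231072:65536\n"

// ParseSubuid returns the ranges that content (subuid/subgid format) grants to user.
func ParseSubuid(content, user string) (ranges []IDRange, err error) {
	for _, line := range strings.Split(content, "\n") {
		f := strings.Split(strings.TrimSpace(line), ":")
		if len(f) != 3 || f[0] != user {
			continue
		}
		start, err1 := strconv.Atoi(f[1])
		count, err2 := strconv.Atoi(f[2])
		if err1 != nil || err2 != nil || count <= 0 {
			return nil, fmt.Errorf("malformed subuid line %q", line)
		}
		ranges = append(ranges, IDRange{start, count})
	}
	return ranges, nil
}

// MapArgs builds newuidmap/newgidmap (shadow-utils) arguments: pid, then (containerID,
// hostID, count) triples. "0 hostID 1" is the only line an unprivileged writer may set itself.
func MapArgs(pid, hostID int, ranges []IDRange) []string {
	args := []string{strconv.Itoa(pid), "0", strconv.Itoa(hostID), "1"}
	next := 1 // next unused container-side ID
	for _, r := range ranges {
		args = append(args, strconv.Itoa(next), strconv.Itoa(r.Start), strconv.Itoa(r.Count))
		next += r.Count
	}
	return args
}

func main() {
	ranges, err := ParseSubuid(sampleSubuid, "developer") // assumed user name
	if err != nil {
		panic(err)
	}
	fmt.Println("newuidmap", strings.Join(MapArgs(4242, 1001, ranges), " ")) // assumed pid, uid
}
```

Until the parent has run both helpers the child's UID stays unmapped, so the child has to block (for example on a pipe the parent closes once newuidmap and newgidmap have succeeded) before it continues with the rest of its setup.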
