search

containers / bubblewrap

Low-level unprivileged sandboxing tool used by Flatpak and similar projects
Other
3.97k stars 237 forks source link

`bwrap: unshare user ns: No space left on device` #465

Open TheEvilSkeleton opened 2 years ago

TheEvilSkeleton commented 2 years ago

Hi,

I recently wrote a bwrap script for Firefox in bash. However, whenever I try to launch it like a normal script or binary, I get the following error:

bwrap: unshare user ns: No space left on device

This issue is only reproducible on my laptop apparently. The script ran without a problem on my desktop. Both systems use Fedora Silverblue 35.

I don't know if it's a hardware issue, so I am sharing my laptop's and desktop's specs:

(Just to be clear, these are old hardware probes, but the specs are the same.)

I wasn't able to retrieve any logs because I couldn't find a --verbose flag.

I came across https://github.com/containers/bubblewrap/issues/371. I checked max_user_namespaces and I have the following:

[root@TheMainLaptop ~]# cat /proc/sys/user/max_user_namespaces 
28906

Also, I didn't run the script as root.

smcv commented 2 years ago

I don't know if it's a hardware issue

I doubt it. Everything involving unshare() should be purely software, except that some limits will scale with the amount of RAM you have.

smcv commented 2 years ago

This is ENOSPC, documented in unshare(2) as:

       ENOSPC (since Linux 3.7)
              CLONE_NEWPID  was  specified  in  flags,  but the limit on the
              nesting depth of PID namespaces would have been exceeded;  see
              pid_namespaces(7).

       ENOSPC (since Linux 4.9; beforehand EUSERS)
              CLONE_NEWUSER was specified in flags, and the call would cause
              the limit on the number of nested user namespaces  to  be  ex‐
              ceeded.  See user_namespaces(7).

              From Linux 3.11 to Linux 4.8, the error diagnosed in this case
              was EUSERS.

       ENOSPC (since Linux 4.9)
              One of the values in flags specified the  creation  of  a  new
              user  namespace,  but doing so would have caused the limit de‐
              fined by the corresponding file in /proc/sys/user  to  be  ex‐
              ceeded.  For further details, see namespaces(7).
TheEvilSkeleton commented 2 years ago

I see. Is there a solution to this? I took a look at pid_namespaces(7) and user_namespaces(7) but the description was too technical for me.