distr1 / distri

a Linux distribution to research fast package management
https://distr1.org

unshare fails when building distri packages in a distri docker container on CentOS7 #39

Closed pseyfert closed 4 years ago

pseyfert commented 5 years ago

I failed to run distri build in a distri docker container (privileged docker, running on a CentOS7 machine).

The build fails with the message

unshare: unshare failed: Invalid argument

try sysctl -w kernel.unprivileged_userns_clone=1? (wild guess)

...

build: build: [unshare --user --map-root-user --mount -- /ro/distri1-amd64-native-16/out/bin/distri build -job=/tmp/distri039718657]: exit status 1

The sysctl command does not work in the docker container (sysctl: command not found) and doesn't work on the host either (sysctl: cannot stat /proc/sys/kernel/unprivileged_userns_clone: No such file or directory). NB: the suggestion doesn't indicate if this should happen on the host or in the container.

Unsure how to address the sysctl error message, I did a web search, which led me to run

echo 640 > /proc/sys/user/max_user_namespaces

as root on the host system. After that, distri build runs successfully for the packages I tried. So this might be another hint to give.

stapelberg commented 4 years ago

I set up a CentOS VM recently for another issue, so I finally made some time to look into this.

The minimum steps to reproduce are: unshare --user --map-root-user --mount -- whoami

Indeed, it looks like the control surface for whether user namespaces are permitted is different between distributions:

  1. In 2013, Canonical contributed https://sources.debian.org/src/linux/5.4.19-1/debian/patches/debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch/ to Debian (and hence its derivatives).
  2. Arch uses the same patch.
  3. In 2016, Linux 4.9 gained the max_user_namespaces sysctl: https://github.com/torvalds/linux/commit/b376c3e1b6770ddcb4f0782be16358095fcea0b6
  4. It’s not entirely clear to me where it happens, but CentOS (and RHEL) ship with max_user_namespaces=0, whereas on my Debian and Arch machines the number is > 0 (though not the same, probably a ratio of some other resource).

I think we should:

  1. Make distri build check the presence/value of kernel.unprivileged_userns_clone and user.max_user_namespaces, then adjust its error message accordingly.
  2. When running in a (Docker) container, clarify in the error message that settings need to be changed in the host, not in the container.
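The check proposed in the two points above, together with the `max_user_namespaces` workaround from the first comment, as an added example in Go. This is not distri's own code: it reads the two sysctl files the thread identifies (`kernel.unprivileged_userns_clone`, which only exists on kernels carrying the Debian/Arch patch, and `user.max_user_namespaces`, which exists on Linux 4.9 and later), runs the minimal reproduction `unshare --user --map-root-user --mount -- whoami`, and on failure prints a hint that names the knob at fault and, when the process appears to be inside a Docker container, says that the setting has to be changed on the host. The `/.dockerenv` container heuristic and the value 640 (taken from the first comment) are assumptions, and the `procSysRoot` parameter exists only so the logic can be exercised against a constructed `/proc/sys` tree.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"strconv"
	"strings"
)

// UsernsStatus records the two user-namespace knobs the thread identifies.
// A nil pointer means the sysctl file does not exist on this kernel.
type UsernsStatus struct {
	UnprivilegedClone *int // kernel.unprivileged_userns_clone (Debian/Ubuntu/Arch patch)
	MaxUserNamespaces *int // user.max_user_namespaces (Linux >= 4.9)
	InContainer       bool // caller's guess; see detectDocker
}

// readSysctlInt reads one integer sysctl relative to procSysRoot.
// A missing file is reported as (nil, nil), not as an error.
func readSysctlInt(procSysRoot, rel string) (*int, error) {
	b, err := os.ReadFile(filepath.Join(procSysRoot, rel))
	if errors.Is(err, os.ErrNotExist) {
		return nil, nil
	}
	if err != nil {
		return nil, err
	}
	n, err := strconv.Atoi(strings.TrimSpace(string(b)))
	if err != nil {
		return nil, fmt.Errorf("%s: %w", rel, err)
	}
	return &n, nil
}

// Inspect reads both sysctls beneath procSysRoot (normally "/proc/sys";
// a constructed directory in tests) and records the container guess.
func Inspect(procSysRoot string, inContainer bool) (UsernsStatus, error) {
	uc, err := readSysctlInt(procSysRoot, "kernel/unprivileged_userns_clone")
	if err != nil {
		return UsernsStatus{}, err
	}
	mu, err := readSysctlInt(procSysRoot, "user/max_user_namespaces")
	if err != nil {
		return UsernsStatus{}, err
	}
	return UsernsStatus{UnprivilegedClone: uc, MaxUserNamespaces: mu, InContainer: inContainer}, nil
}

// Hint returns an actionable message, or "" when neither knob explains
// a failing unshare(1).
func (s UsernsStatus) Hint() string {
	var reasons []string
	if s.UnprivilegedClone != nil && *s.UnprivilegedClone == 0 {
		reasons = append(reasons,
			"kernel.unprivileged_userns_clone=0: run `sysctl -w kernel.unprivileged_userns_clone=1`")
	}
	if s.MaxUserNamespaces != nil && *s.MaxUserNamespaces == 0 {
		// 640 is the value used in this issue, not a recommendation.
		reasons = append(reasons,
			"user.max_user_namespaces=0 (CentOS/RHEL default): run `sysctl -w user.max_user_namespaces=640`")
	}
	if len(reasons) == 0 {
		return ""
	}
	msg := "unprivileged user namespaces are disabled: " + strings.Join(reasons, "; ")
	if s.InContainer {
		msg += " (change this on the host, not inside the container)"
	}
	return msg
}

// detectDocker is a heuristic (an assumption here): Docker creates /.dockerenv.
func detectDocker() bool {
	_, err := os.Stat("/.dockerenv")
	return err == nil
}

// main runs the thread's minimal reproduction and explains a failure.
func main() {
	st, err := Inspect("/proc/sys", detectDocker())
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	out, err := exec.Command("unshare", "--user", "--map-root-user", "--mount", "--", "whoami").CombinedOutput()
	if err == nil {
		fmt.Printf("user namespaces work (whoami inside: %s)", out)
		return
	}
	fmt.Printf("unshare failed: %v\n%s", err, out)
	h := st.Hint()
	if h == "" {
		h = "neither kernel.unprivileged_userns_clone nor user.max_user_namespaces explains this failure"
	}
	fmt.Println(h)
	os.Exit(1)
}
```

On the CentOS 7 host from the report, `Inspect` finds no `kernel/unprivileged_userns_clone` file and `user/max_user_namespaces` equal to 0, so the hint names the second knob; on Debian or Arch with the patch active it is the first knob that fires, and the container clause is appended only when the heuristic says the build runs under Docker.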