google / gvisor

Application Kernel for Containers
https://gvisor.dev
Apache License 2.0

Implement /proc/sys/user/max_user_namespaces ? #11210

Open Evolto2019 opened 18 hours ago

Evolto2019 commented 18 hours ago

Description

Bubblewrap with the option "--disable-userns" enabled fails to run in gVisor due to the lack of /proc/sys/user/max_user_namespaces (relevant code). The option "--disable-userns" is set by default by flatpak, so adding /proc/sys/user/max_user_namespaces will make it possible to build and run flatpak in a container with gVisor.

Is this feature related to a specific bug?

No response

Do you have a specific solution in mind?

No response

EtiennePerot commented 10 hours ago

Have you confirmed that this is the only thing that prevents flatpak from working? You can check by doing something like echo 1234 > /tmp/max_user_namespaces.txt && docker run --rm -it -v /tmp/max_user_namespaces.txt:/proc/sys/user/max_user_namespaces:rw --runtime=runsc ubuntu bash.

Evolto2019 commented 7 hours ago

> Have you confirmed that this is the only thing that prevents flatpak from working? You can check by doing something like echo 1234 > /tmp/max_user_namespaces.txt && docker run --rm -it -v /tmp/max_user_namespaces.txt:/proc/sys/user/max_user_namespaces:rw --runtime=runsc ubuntu bash.

Well, confirmed. Bubblewrap will complain "creation of new user namespaces was not disabled as requested" in this case. This is because it checks whether it is possible to create a new user namespace after setting /proc/sys/user/max_user_namespaces to "1". Mounting a fake max_user_namespaces file will work only if bubblewrap performs the check by simply reading the corresponding sysctl value, which is not the case here.
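Added example (not bubblewrap's or gVisor's code) that reproduces the style of check described above: write "1" to the sysctl, then probe whether a new user namespace can still be created, which is what a bind-mounted fake file cannot satisfy. Function names and the exit-code convention are my own; it assumes it runs where the sysctl is writable, e.g. inside a fresh user namespace (`unshare -Ur ./probe`).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* The sysctl path discussed in the issue above. */
#define SYSCTL_PATH "/proc/sys/user/max_user_namespaces"

/* Parse the sysctl file's text ("1234\n") into a number; -1 if it is not a number. */
long parse_sysctl_value(const char *text) {
    char *end;
    errno = 0;
    long v = strtol(text, &end, 10);
    if (errno != 0 || end == text || (*end != '\0' && *end != '\n')) return -1;
    return v;
}

/* Write "1" to the sysctl, as bubblewrap's --disable-userns does. 0 on success. */
int set_max_user_namespaces_to_one(const char *path) {
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    int wrote = fputs("1\n", f) >= 0;
    return (fclose(f) == 0 && wrote) ? 0 : -1;
}

/* Ask a child to unshare(CLONE_NEWUSER). A kernel that enforces the limit refuses.
   Returns 1 if refused, 0 if a new user namespace was created, -1 if the probe failed. */
int userns_creation_refused(void) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(unshare(CLONE_NEWUSER) == 0 ? 0 : 1);
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void) {
    if (set_max_user_namespaces_to_one(SYSCTL_PATH) != 0) {
        perror(SYSCTL_PATH);  /* missing or read-only file: the symptom reported above */
        return 2;
    }
    int r = userns_creation_refused();
    if (r == 1) { puts("user namespace creation is disabled as requested"); return 0; }
    if (r == 0) { puts("creation of new user namespaces was not disabled as requested"); return 1; }
    perror("probe");
    return 2;
}
```

A sandbox that only exposes the file but does not enforce the written limit exits 1 here, which is the failure bubblewrap reports.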