lucabrunox / nix-user-chroot

Run nix in a lightweight chroot container

`unshare(): Invalid argument` on Arch Linux #9

Open atondwal opened 7 years ago

atondwal commented 7 years ago
$ nix-user-chroot ~/.nix bash
unshare(): Invalid argument

This can also be reproduced with docker:

docker run atondwal/nix-user-chroot

(The docker image was created with:

FROM base/archlinux
RUN pacman -Sy git make gcc --noconfirm &&\
  pacman -Scc --noconfirm &&\
  rm -rf /var/cache/pacman/pkg/*
RUN git clone https://github.com/lethalman/nix-user-chroot.git &&\
  cd nix-user-chroot &&\
  make &&\
  mkdir -m 0755 ~/.nix
CMD ./nix-user-chroot/nix-user-chroot ~/.nix bash

)

lucabrunox commented 7 years ago

I guess you need to give docker somehow more privileged permissions... or perhaps it might not work at all inside another container.

atondwal commented 7 years ago

The problem isn't docker; I get the same problem on bare metal. I just dockerized it to make it easy to reproduce.

kalebo commented 6 years ago

@atondwal, is it possible that this issue is caused by not having a kernel with support for userspaces as described in the README.md? You can use uname -a to show the kernel version, it should be >=3.8.0.

Rovanion commented 6 years ago

I'm getting the same issue on a 64-bit CentOS 7 box with kernel 3.10.0-693.

ysndr commented 6 years ago

Had the same issue on arch. It's because the arch kernel has user namespaces disabled for security reasons (?). You might need to use a custom kernel which has said module enabled.

dniku commented 5 years ago

I am seeing the same issue on RHEL 7.4. Output of commands from Nix wiki:

$ unshare --user --pid echo YES
unshare: unshare failed: Invalid argument
$ unshare --user echo YES
unshare: unshare failed: Invalid argument
$ unshare --pid echo YES
unshare: unshare failed: Operation not permitted
$ unshare echo YES
YES
$ grep CONFIG_USER_NS /boot/config-$(uname -r)
CONFIG_USER_NS=y

Mic92 commented 5 years ago

You cannot use user namespaces as unprivileged user on either Arch Linux, CentOS, Red Hat or Fedora. They don't allow it in their kernel. You will need to recompile the kernels on those machines. This issue can be closed.

bhipple commented 5 years ago

This actually does work in Red Hat / CentOS 7.4, but there are two steps:

  1. Enable the grub kernel boot parameter user_namespace.enabled=1
  2. Increase the maximum number of namespaces allowed from the default of 0: # echo 15000 > /proc/sys/user/max_user_namespaces

If you do both of these things, then it'll work:

$ uname -sr
Linux 3.10.0-693.1.1.el7.x86_64

$ unshare --user --pid echo YES
YES
$ unshare --user echo YES
YES
$ unshare echo YES
YES
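The thread shows the same `unshare()` call failing with different errno values depending on the distribution's kernel policy. The following is an added diagnostic, not part of nix-user-chroot, that probes `unshare(CLONE_NEWUSER)` in a forked child and maps the resulting errno to the causes discussed above (kernel config, boot parameter, `max_user_namespaces`); the errno-to-cause mapping is an assumption drawn from the thread and the unshare(2) manual, not from the project.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Map the errno returned by unshare(CLONE_NEWUSER) to the likely cause
 * (assumed mapping, based on the thread above and unshare(2)). */
const char *explain_userns_errno(int err)
{
    switch (err) {
    case 0:      return "unprivileged user namespaces are available";
    case EINVAL: return "CLONE_NEWUSER rejected: kernel built without CONFIG_USER_NS, "
                        "or user namespaces disabled at boot (RHEL/CentOS 7 needs "
                        "user_namespace.enabled=1)";
    case EPERM:  return "not permitted: unprivileged user namespaces disabled by "
                        "distribution policy/sysctl, or the process is chrooted";
    case ENOSPC:
    case EUSERS: return "user namespace limit reached: raise "
                        "/proc/sys/user/max_user_namespaces (default 0 on RHEL 7)";
    default:     return strerror(err);
    }
}

/* Run unshare(CLONE_NEWUSER) in a forked child so the caller's own namespace
 * is untouched. Returns 0 on success, the child's errno on failure, or -1 if
 * the probe itself (pipe/fork) could not run. */
int probe_user_ns(void)
{
    int pipefd[2];
    if (pipe(pipefd) == -1) return -1;
    pid_t pid = fork();
    if (pid == -1) return -1;
    if (pid == 0) {
        int err = unshare(CLONE_NEWUSER) == 0 ? 0 : errno;
        if (write(pipefd[1], &err, sizeof err) != (ssize_t)sizeof err) _exit(2);
        _exit(0);
    }
    close(pipefd[1]);
    int err = -1;
    ssize_t n = read(pipefd[0], &err, sizeof err);
    close(pipefd[0]);
    waitpid(pid, NULL, 0);
    return n == (ssize_t)sizeof err ? err : -1;
}

int main(void)
{
    int err = probe_user_ns();
    if (err < 0) { perror("probe"); return 1; }
    printf("unshare(CLONE_NEWUSER): %s\n", explain_userns_errno(err));
    return err == 0 ? 0 : 1;
}
```

Compile with `gcc -o userns-check userns-check.c` and run it as the unprivileged user that will invoke nix-user-chroot; a non-zero exit means the chroot will fail the same way as in the reports above.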