rootless-containers / slirp4netns

User-mode networking for unprivileged network namespaces
GNU General Public License v2.0

setns(CLONE_NEWNET): Operation not permitted #228

Closed t0rr3sp3dr0 closed 4 years ago

t0rr3sp3dr0 commented 4 years ago

When an unprivileged user executes rootlesskit with slirp4netns, network setup fails:

$ rootlesskit '--net=slirp4netns' '--mtu=65520' --disable-host-loopback '--port-driver=builtin' '--copy-up=/etc' '--copy-up=/run' -p 0.0.0.0:2375:2375/tcp dockerd '--host=unix:///run/user/1000/docker.sock' '--host=tcp://0.0.0.0:2375'
…
[rootlesskit:parent] error: failed to setup network &{logWriter:0xc00008df30 binary:slirp4netns mtu:65520 ipnet:<nil> disableHostLoopback:true apiSocketPath: enableSandbox:false enableSeccomp:false}: waiting for ready fd (/usr/local/bin/slirp4netns --mtu 65520 -r 3 --disable-host-loopback 130 tap0): slirp4netns failed
[rootlesskit:child ] error: parsing message from fd 3: EOF

Executing slirp4netns with the arguments used by rootlesskit, we can see the following error:

$ slirp4netns --mtu 65520 -r 3 --disable-host-loopback 130 tap0
setns(CLONE_NEWNET): Operation not permitted
child failed(1)

The same command works just fine when executed by root.

t0rr3sp3dr0 commented 4 years ago

It's important to notice that I'm running the commands inside a docker:19.03-dind-rootless container on a privileged kubernetes pod.

AkihiroSuda commented 4 years ago

Please try this sysctl https://github.com/rootless-containers/rootlesskit#distribution-specific-hints

AkihiroSuda commented 4 years ago

Also please provide version information of your distro and kernel

t0rr3sp3dr0 commented 4 years ago

@AkihiroSuda I had no success in making this work even by following the hints provided.

Host OS: Ubuntu 18.04.5 LTS
Kernel: 5.4.0-1025-aws
Docker: 17.3.2
slirp4netns: 1.1.4
/proc/sys/kernel/unprivileged_userns_clone: 1
/proc/sys/user/max_user_namespaces: 62439

t0rr3sp3dr0 commented 4 years ago

I'm able to reproduce that with Docker Desktop for Mac by running:

docker run --privileged --rm -it alpine

adduser -D user
su user

cd
wget https://github.com/rootless-containers/slirp4netns/releases/download/v1.1.4/slirp4netns-x86_64
chmod +x ./slirp4netns-x86_64
./slirp4netns-x86_64 --mtu 65520 -r 3 --disable-host-loopback $$ tap0

AkihiroSuda commented 4 years ago

You need to unshare namespaces, please see manpage
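
The sequence this comment points to, written out as an added example (not code from the issue or the slirp4netns project): a pre-flight check for the precondition behind the EPERM, followed by the manpage-style unshare/slirp4netns flow. It assumes util-linux unshare and nsenter, iproute2 and slirp4netns in PATH, and a kernel that permits unprivileged user namespaces.

```sh
#!/bin/sh
# Added example, not code from the issue or the slirp4netns project.
# Why "slirp4netns ... $$ tap0" fails for an unprivileged user: slirp4netns
# calls setns(CLONE_NEWNET) on the target PID's netns, and the kernel allows
# that only with CAP_SYS_ADMIN in the user namespace that owns the netns.
# A plain shell is still in the netns owned by the initial user namespace,
# where a non-root uid holds no capabilities, hence EPERM (root succeeds).
# Fix: the target must first unshare a user namespace (becoming root there)
# plus a network namespace owned by it, as the slirp4netns manpage shows.

# Pre-flight check: is PID $1 in a user namespace other than the caller's?
# Returns 0 if yes, 1 if it shares our userns (setns will fail unless we
# are privileged), 2 if /proc/PID/ns is unreadable.
in_private_userns() {
    self=$(readlink /proc/self/ns/user 2>/dev/null) || return 2
    target=$(readlink "/proc/$1/ns/user" 2>/dev/null) || return 2
    [ "$self" != "$target" ]
}

# Full unprivileged sequence. Assumes util-linux unshare/nsenter, iproute2
# and slirp4netns in PATH, and a kernel that permits user namespaces.
run_slirp_demo() {
    command -v slirp4netns >/dev/null || { echo "slirp4netns missing" >&2; return 1; }
    pidfile=$(mktemp)
    # Child: new userns (mapped to root), new netns and mountns; publish its
    # PID for the parent, then idle so the namespaces stay alive.
    unshare --user --map-root-user --net --mount \
        sh -c 'echo $$ > "$0"; exec sleep 3600' "$pidfile" &
    while [ ! -s "$pidfile" ]; do sleep 1; done
    child=$(cat "$pidfile")
    if ! in_private_userns "$child"; then
        echo "PID $child shares our user namespace; setns would get EPERM" >&2
        return 1
    fi
    # Same flags as in the issue; --configure also assigns 10.0.2.100/24 to tap0.
    slirp4netns --configure --mtu 65520 --disable-host-loopback "$child" tap0 &
    slirp=$!
    sleep 1
    # Verify from inside the namespaces that tap0 exists and is configured.
    nsenter -t "$child" -U --preserve-credentials -n ip addr show tap0
    kill "$slirp" "$child"
    rm -f "$pidfile"
}

# Run the demo only when asked, so sourcing or linting this file is harmless.
if [ "${1:-}" = run ]; then run_slirp_demo; fi
```

Invoke as `sh demo.sh run` from an unprivileged shell; the same command with `$$` in place of `$child` reproduces the EPERM from the issue.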

t0rr3sp3dr0 commented 4 years ago

It worked, thanks! 😁