[CRIU] Can't launch unshare with -U or -r as unprivileged user

Serge Hallyn serge.hallyn at ubuntu.com
Thu Sep 11 09:18:20 PDT 2014


Quoting Andrew Vagin (avagin at parallels.com):
> On Wed, Sep 10, 2014 at 04:05:46PM -0700, Allan Cecil wrote:
> > Bottom posting for historical context, see text below:
> > 
> > On 06/04/2014 11:08 AM, Allan Cecil wrote:
> > > On 06/04/2014 10:26 AM, Christopher Covington wrote:
> > >> On 06/04/2014 01:16 PM, Christopher Covington wrote:
> > > ~snip~
> > >>> So after my digression it comes back to the question of how to get `unshare
> > >>> -r` to work. I noticed that in a kernel where CONFIG_USER_NS is not set, I was
> > >>> getting the "Invalid argument" error there when trying stuff like `unshare -r
> > >>> -- echo hello` or the example given in the patch introducing the -r option [1].
> > >>>
> > >>> 1. http://thread.gmane.org/gmane.linux.utilities.util-linux-ng/8317
> > >>>
> > >>> Is there a /boot/config or /proc/config.gz that you can use to confirm
> > >>> CONFIG_USER_NS=y?
> > >>>
> > >>> Being entirely new to the subject, I found the following thread interesting
> > >>> background information.
> > >>>
> > >>> https://lists.linux-foundation.org/pipermail/containers/2013-June/032727.html
> > >>
> > >> Digging further, it looks like CONFIG_USER_NS was dropped in Ubuntu 12.10
> > >> Quantal and reinstated in 14.04 Trusty. Maybe that upgrade to Mint 17 is a
> > >> prerequisite?
> > >>
> > >> https://bugs.launchpad.net/bugs/1191600
> > >> https://wiki.ubuntu.com/Kernel/Configs/PreciseToQuantal
> > >> https://wiki.ubuntu.com/Kernel/Configs/SaucyToTrusty
> > >>
> > >> Christopher 
> > > 
> > > Hmm...  I did a cat /boot/config-3.11.0-19-generic | grep CONFIG_USER_NS and that flag was not found.  Assuming I have the right file I think I need to upgrade.  I just checked and this system is actually based on the Linux Mint Cinnamon edition (albeit with xfce installed), so I should be able to upgrade right away.  I will work on that tonight or later this week and get back to you with the results of trying with a new kernel.  Thank you very much for your assistance,
> > > 
> > > A.C.
> > > ******
> > 
> > So it's now been several months but I'm no closer to a solution.  I'm now on:
> > 
> > $ uname -a
> > Linux silvermine 3.13.0-24-generic #47-Ubuntu SMP Fri May 2 23:30:00 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
> > $ lsb_release -a
> > No LSB modules are available.
> > Distributor ID: LinuxMint
> > Description:    Linux Mint 17 Qiana
> > Release:        17
> > Codename:       qiana
> > 
> > And cat /boot/config-3.13.0-24-generic | grep CONFIG_USER_NS responds with:
> > CONFIG_USER_NS=y
> > 
> > Unfortunately, with:
> > 
> > $ unshare --version
> > unshare from util-linux 2.24.920-710e
> > 
> > If I try the same test as above, I still see the same failure:
> > 
> > $ sudo unshare -fp -- echo hello                                        
> > hello
> > $ unshare -fp -- echo hello                                             
> 
> [avagin at localhost ~]$ unshare -Ufp echo hello
> hello

Right, to be more verbose, you must first unshare your user namespace.  You
cannot unshare your pid namespace without first having privilege over your
user namespace.

-serge
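
The rule described in the reply above, as an added C example that is not part of the original message: it probes unshare(2) in a child process with CLONE_NEWPID alone and with CLONE_NEWUSER|CLONE_NEWPID, then interprets the resulting errno values. The names try_unshare, diagnose and the verdict labels are this example's own; the EINVAL case corresponds to the "Invalid argument" error reported earlier in the thread for kernels without CONFIG_USER_NS.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

enum verdict { PRIVILEGED, NEED_USERNS, NO_USERNS, BLOCKED };

/* Run unshare(flags) in a forked child so the caller's namespaces stay untouched.
 * Returns 0 on success, the child's errno on failure, -1 if the probe could not run. */
int try_unshare(int flags)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0)
        _exit(unshare(flags) == 0 ? 0 : errno);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Interpret the two probe results (the labels are this example's own). */
enum verdict diagnose(int pid_only, int user_and_pid)
{
    if (pid_only == 0)
        return PRIVILEGED;   /* caller already has CAP_SYS_ADMIN, e.g. under sudo */
    if (user_and_pid == 0)
        return NEED_USERNS;  /* the case in the thread: add -U (or -r) */
    if (user_and_pid == EINVAL)
        return NO_USERNS;    /* consistent with CONFIG_USER_NS not being set */
    return BLOCKED;          /* user namespace creation refused for another reason */
}

int main(void)
{
    static const char *const text[] = {
        "pid namespace allowed without a user namespace (privileged caller)",
        "pid namespace needs a new user namespace first: use unshare -U",
        "CLONE_NEWUSER gave EINVAL: check CONFIG_USER_NS in the kernel config",
        "user namespace creation was refused for another reason",
    };
    int pid_only = try_unshare(CLONE_NEWPID);
    int both = try_unshare(CLONE_NEWUSER | CLONE_NEWPID);
    printf("errno: CLONE_NEWPID=%d CLONE_NEWUSER|CLONE_NEWPID=%d\n", pid_only, both);
    puts(text[diagnose(pid_only, both)]);
    return 0;
}
```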

