BUG: Re: guix environment: error: cannot create container: unprivileged user cannot create user namespaces

  • Done
9 participants
  • Bengt Richter
  • Jesse Dowell
  • Pierre Neidhardt
  • Tobias Geerinckx-Rice
  • Paul Garlick
  • raingloom
  • Vagrant Cascadian
  • yasu
  • zimoun
Owner: unassigned
Submitted by: yasu
Severity: normal
Merged with: 45066

To: Guix Devel <guix-devel@gnu.org>
bde9689feb5e69e4e3dcb027be33fe1ca30a7227.camel@yasuaki.com
Hi,

I really don't know much about Linux but it looks like the problem I
reported has something to do with Debian?


Now, I don't use Debian at all (I use Guix System) and do you think
this is a Bug in Guix (in that this Debian specific word should never
even be mentioned in Guix?)

To summarize this bug again:

The Bug:
The container command no longer works, after the commit
8bc5ca5160db3d82bd5b6b2b7ed80c96f42bd33e.
guix environment -C


Additional Information:
Instead of working as it did until the commit, the command now
dies with the following error message:
guix environment: error: cannot create container:
unprivileged user cannot create user namespaces
guix environment: error: please set
/proc/sys/kernel/unprivileged_userns_clone to "1"

The message "please set
/proc/sys/kernel/unprivileged_userns_clone to "1",
seems irrelevant to Guix System users as it may only relate to
Debian users.
I don't know why this Debian specific message is here in the
first place...

Disclaimer :-):
I am assuming this is indeed Debian specific (I tried to
install LinuxLibre (the Guix default) but failed - my AMD graphics card
won't allow me to even boot, unless I use regular Linux. )

I scanned for the phrase in LinuxLibre source code but there
was no mention of it:
~/Downloads$ tar -xf linux-libre-5.9.12-gnu.tar.xz
~/Downloads$ cd linux-5.9.12/
~/Downloads/linux-5.9.12$ rg -i unprivileged_userns_clone


Just FYI: the problem phrase is indeed found in the Debian
Kernel Patch:
~/co/debian$ rg -i unprivileged_userns_clone

linux/debian/patches/debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch
25:+extern int unprivileged_userns_clone;
27:+#define unprivileged_userns_clone 0
36:+ if ((clone_flags & CLONE_NEWUSER) &&
!unprivileged_userns_clone)
47:+ if ((unshare_flags & CLONE_NEWUSER) &&
!unprivileged_userns_clone) {
65:+extern int unprivileged_userns_clone;
77:+ .procname = "unprivileged_userns_clone",
78:+ .data = &unprivileged_userns_clone,
96:+int unprivileged_userns_clone;





Cheers,
Yasu




commit 8bc5ca5160db3d82bd5b6b2b7ed80c96f42bd33e
Author: Paul Garlick <pgarlick@tourbillion-technology.com>
Date:   Thu Dec 3 16:00:18 2020 +0000

    linux-container: Correct test for unprivileged user namespace support.

    Fixes https://bugs.gnu.org/31977. Reported by Paul Garlick
    <pgarlick@tourbillion-technology.com>.

    * gnu/build/linux-container.scm (unprivileged-user-namespace-supported?):
    Return #f when the 'userns-file' does not exist.
diff --git a/gnu/build/linux-container.scm b/gnu/build/linux-
container.scmindex 4a8bed5a9a..3870b50907 100644--- a/gnu/build/linux-
container.scm+++ b/gnu/build/linux-container.scm@@ -44,7 +44,7
@@ (let ((userns-file
"/proc/sys/kernel/unprivileged_userns_clone")) (if (file-exists?
userns-file) (eqv? #\1 (call-with-input-file userns-file read-
char))- #t)))+ #f)))
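Review bot: the `+ #f)))` branch turns a missing /proc/sys/kernel/unprivileged_userns_clone into "unprivileged user namespaces are unsupported", but as this thread establishes that file is created only by the Debian/Ubuntu kernel patch; linux-libre and mainline kernels never have it while still supporting user namespaces, so after this hunk `guix environment -C` on Guix System aborts with the "please set ... to 1" hint for a file that does not exist. The previous `#t` was the mirror-image guess. Rather than returning a constant in the file-absent case, the function should establish support directly, by attempting to create a user namespace (CLONE_NEWUSER in a child process) and reporting the kernel's error only when that attempt fails, and the sysctl hint should be printed only when the file exists and reads 0. A comment on the fallback branch naming which distributions ship the file would also help the next reader.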

On Sat, 2020-12-05 at 09:20 +0900, yasu wrote:
> Hi Pj,
> Thank you for your reply (and your wonderful Hacking Guide
> https://gitlab.com/pjotrp/guix-notes/blob/master/HACKING.org)!
> I tried the command and it didn't work...
> I use Guix System (not a foreign distribution) as described at the
> bottom
> -Yasu
>
> On Fri, 2020-12-04 at 19:55 +0100, Pjotr Prins wrote:
> > On Fri, Dec 04, 2020 at 05:32:08PM +0100, zimoun wrote:
> > > Have you tried to do the recommendation?
> > >
> > > please set /proc/sys/kernel/unprivileged_userns_clone to "1"
> >
> > As root:
> >
> > echo 1 > /proc/sys/kernel/unprivileged_userns_clone
> >
> > Yes, it is common on Debian and such.
> >
> > Pj.
>
> root@guix ~# echo 1 > /proc/sys/kernel/unprivileged_userns_clone
> -bash: /proc/sys/kernel/unprivileged_userns_clone: No such file or directory
> root@guix ~# guix system describe
> Generation 5631  Dec 05 2020 09:09:16  (current)
>   file name: /var/guix/profiles/system-5631-link
>   canonical file name: /gnu/store/qqzk4kvrhxjcia3hcq3xqrcdi36azzz9-system
>   label: GNU with Linux 5.9.12
>   bootloader: grub-efi
>   root device: label: "my-root"
>   kernel: /gnu/store/9a93vpq4aa1c3adiaaa3blwc18r9r7zz-linux-5.9.12/bzImage
>   channels:
>     guix:
>       repository URL: https://git.savannah.gnu.org/git/guix.git
>       branch: master
>       commit: 86d635b85035086d21c319f31f628761df5c82e5
>     nonguix:
>       repository URL: https://gitlab.com/nonguix/nonguix
>       branch: master
>       commit: b08ea529d4d36468b20ef4aff6dc87b3de0eff70
>     guix-chromium:
>       repository URL: https://gitlab.com/mbakke/guix-chromium.git
>       branch: master
>       commit: 2de450b92e5f2624d4f964407686934e22239f7b
>   configuration file: /gnu/store/hlma107m2004g6qq00ihm190am5mh9z0-configuration.scm
Tobias Geerinckx-Rice wrote on 6 Dec 2020 16:49
(no subject)
To: control@debbugs.gnu.org
87mtyrvsrn.fsf@nckx
merge 45066 45069
Tobias Geerinckx-Rice wrote on 6 Dec 2020 17:16
Re: bug#45069: BUG: Re: guix environment: error: cannot create container: unprivileged user cannot create user namespaces
To: yasu <yasu@yasuaki.com>
87k0tux63a.fsf@nckx
yasu wrote:

> Now, I don't use Debian at all (I use Guix System) and do you think
> this is a Bug in Guix (in that this Debian specific word should never
> even be mentioned in Guix?)

It's not Debian-specific. It is a bug in Guix.

It should try to create a namespace and properly report an error
iff that fails, not prematurely abort after farting about in
/proc.

A separate unprivileged-user-namespace-supported? is broken by
design. Reverting commit 8bc5ca5 works around this but it wasn't
to blame.

Kind regards,

T G-R

zimoun wrote on 6 Dec 2020 17:56
Re: BUG: Re: guix environment: error: cannot create container: unprivileged user cannot create user namespaces
To: Guix Devel <guix-devel@gnu.org>
86eek2an53.fsf@gmail.com
Hi,

Please try the recommendation. Have you tried it?

please set /proc/sys/kernel/unprivileged_userns_clone to "1"

As root, you just do:

echo 1 > /proc/sys/kernel/unprivileged_userns_clone

then “guix environment -C” should work as expected. To do the trick
automatically with Shepherd, I do not know, but I am sure that the
systemd equivalent

echo "kernel.unprivileged_userns_clone = 1" > /etc/sysctl.d/local.conf
sysctl --system

seems doable with Guix System.


On my system, and I need explanations if it does not work similarly on
yours, I simply do:

$ guix environment -C --ad-hoc hello -- hello
guix environment: error: cannot create container: unprivileged user cannot create user namespaces
guix environment: error: please set /proc/sys/kernel/unprivileged_userns_clone to "1"

$ su -
Password:
# echo 1 > /proc/sys/kernel/unprivileged_userns_clone
# logout

$ guix environment -C --ad-hoc hello -- hello
Hello, world!

Hope that helps,
simon
yasu wrote on 7 Dec 2020 05:51 +0900
To: Guix Devel <guix-devel@gnu.org>
382923d762cf018ae9d75b3408db75abf296e543.camel@yasuaki.com
Hi Zimoun,

I tried as you suggested but it didn't work...


root@guix ~# echo "kernel.unprivileged_userns_clone = 1" >
/etc/sysctl.d/local.conf
-bash: /etc/sysctl.d/local.conf: No such file or directory
root@guix ~# sysctl --system
root@guix ~# logout
~$ guix environment -C
guix environment: error: cannot create container: unprivileged user
cannot create user namespaces
guix environment: error: please set
/proc/sys/kernel/unprivileged_userns_clone to "1"


Now, if this posting were to be believed, I think this term
kernel.unprivileged_userns_clone

is specific to Debian Linux, and does not exist outside of that circle.
It disables a bit of "hardening" that Debian patches into their
distribution kernel. If you're not running such a kernel, it will fail
and not do anything, as such a setting doesn't even exist in the
mainline Linux kernel.

I wonder how this term came into Guix in the first place?

-Yasu


On Sun, 2020-12-06 at 17:56 +0100, zimoun wrote:
> Hi,
>
> Please try the recommendation. Have you tried it?
>
> please set /proc/sys/kernel/unprivileged_userns_clone to "1"
>
> As root, you just do:
>
> echo 1 > /proc/sys/kernel/unprivileged_userns_clone
>
> then “guix environment -C” should work as expected. To do the trick
> automatically with Shepherd, I do not know, but I am sure that the
> systemd equivalent
>
> echo "kernel.unprivileged_userns_clone = 1" >
> /etc/sysctl.d/local.conf
> sysctl --system
>
> seems doable with Guix System.
>
>
> On my system, and I need explanations if it does not work similarly
> on
> yours, I simply do:
>
> --8<---------------cut here---------------start------------->8---
> $ guix environment -C --ad-hoc hello -- hello
> guix environment: error: cannot create container: unprivileged user
> cannot create user namespaces
> guix environment: error: please set
> /proc/sys/kernel/unprivileged_userns_clone to "1"
>
> $ su -
> Password:
> # echo 1 > /proc/sys/kernel/unprivileged_userns_clone
> # logout
>
> $ guix environment -C --ad-hoc hello -- hello
> Hello, world!
> --8<---------------cut here---------------end--------------->8---
>
> Hope that helps,
> simon
Jesse Dowell wrote on 6 Dec 2020 21:54
Re: bug#45069: BUG: Re: guix environment: error: cannot create container: unprivileged user cannot create user namespaces
To: zimoun <zimon.toutoune@gmail.com>
CADdvwM-h6q9BvO5ZWxgUbHfdzDRc-Sj899ZPgrwqV5o1XUVnDg@mail.gmail.com
Hi All,

I believe the recommended suggestion is Debian-specific, is it not?

My kernel supports user namespaces and doesn't expose that file at that
location.

The only way I can work around the issue is to downgrade guix to the commit
on the master branch right before 8bc5ca5160db3d82bd5b6b2b7ed80c96f42bd33e

guix pull --commit=0d5d1bdf911659f60601058e8e1678187b7ba664 --allow-downgrades

Best,
Jesse

On Sun, Dec 6, 2020 at 12:03 PM zimoun <zimon.toutoune@gmail.com> wrote:

> Hi,
>
> Please try the recommendation. Have you tried it?
>
> please set /proc/sys/kernel/unprivileged_userns_clone to "1"
>
> As root, you just do:
>
> echo 1 > /proc/sys/kernel/unprivileged_userns_clone
>
> then “guix environment -C” should work as expected. To do the trick
> automatically with Shepherd, I do not know, but I am sure that the
> systemd equivalent
>
> echo "kernel.unprivileged_userns_clone = 1" > /etc/sysctl.d/local.conf
> sysctl --system
>
> seems doable with Guix System.
>
>
> On my system, and I need explanations if it does not work similarly on
> yours, I simply do:
>
> --8<---------------cut here---------------start------------->8---
> $ guix environment -C --ad-hoc hello -- hello
> guix environment: error: cannot create container: unprivileged user cannot
> create user namespaces
> guix environment: error: please set
> /proc/sys/kernel/unprivileged_userns_clone to "1"
>
> $ su -
> Password:
> # echo 1 > /proc/sys/kernel/unprivileged_userns_clone
> # logout
>
> $ guix environment -C --ad-hoc hello -- hello
> Hello, world!
> --8<---------------cut here---------------end--------------->8---
>
> Hope that helps,
> simon
Yasuaki Kudo wrote on 6 Dec 2020 23:51
Re: bug#45069: closed (Re: bug#45066: guix environment --container is borken)
To: 45069@debbugs.gnu.org
F121675B-D2E7-4E98-A29C-64B92D38E520@yasuaki.com
I confirm this is fixed. Thank GNU and Guix!!

> On Dec 7, 2020, at 06:03, help-debbugs@gnu.org wrote:
>
> Your bug report
>
> #45066: BUG: Re: guix environment: error: cannot create container: unprivileged user cannot create user namespaces
>
> which was filed against the guix package, has been closed.
>
> The explanation is attached below, along with your original report.
> If you require more details, please reply to 45069@debbugs.gnu.org.
>
> --
> 45066: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=45066
> GNU Bug Tracking System
> Contact help-debbugs@gnu.org with problems
Pierre Neidhardt wrote on 7 Dec 2020 12:57
Re: bug#45069: BUG: Re: guix environment: error: cannot create container: unprivileged user cannot create user namespaces
87wnxtx1yx.fsf@ambrevar.xyz
Hi!

I can reproduce the issue since I 'reconfigure'd my Guix System.
I'm on cebfb29abb151ede95696181d2446c63504593d7.

Guix' bug?

--
Pierre Neidhardt
Paul Garlick wrote on 7 Dec 2020 13:29
1f56aef4d7b707826f34413672408e33385bbc6a.camel@tourbillion-technology.com
Hi Pierre,

Can you try, as root on Guix System:

$ echo 1 > /proc/sys/kernel/unprivileged_userns_clone

If you could report success or failure that would be helpful; the
unprivileged-user-namespace-supported? test in gnu/build/linux-container.scm
should be the same irrespective of the underlying distribution (Debian,
CentOS, Guix System ...).

Best regards,

Paul.

On Mon, 2020-12-07 at 12:57 +0100, Pierre Neidhardt wrote:
> Hi!
>
> I can reproduce the issue since I 'reconfigure'd my Guix System.
> I'm on cebfb29abb151ede95696181d2446c63504593d7.
>
> Guix' bug?
Yasuaki Kudo wrote on 7 Dec 2020 13:41
To: Paul Garlick <pgarlick@tourbillion-technology.com>
C8D7A386-109B-455A-BAD9-ACBA8055E3AA@yasuaki.com
Just FYI (sorry to interject), my original email was stripped of HTML elements? Anyway, I was referring to this link: https://security.stackexchange.com/questions/209529/what-does-enabling-kernel-unprivileged-userns-clone-do#comment442083_209533 -Yasu

> On Dec 7, 2020, at 21:31, Paul Garlick <pgarlick@tourbillion-technology.com> wrote:
>
> Hi Pierre,
>
> Can you try, as root on Guix System:
>
> $ echo 1 > /proc/sys/kernel/unprivileged_userns_clone
>
> If you could report success or failure that would be helpful; the
> unprivileged-user-namespace-supported? test in gnu/build/linux-container.scm
> should be the same irrespective of the underlying distribution (Debian,
> CentOS, Guix System ...).
>
> Best regards,
>
> Paul.
>
>> On Mon, 2020-12-07 at 12:57 +0100, Pierre Neidhardt wrote:
>> Hi!
>>
>> I can reproduce the issue since I 'reconfigure'd my Guix System.
>> I'm on cebfb29abb151ede95696181d2446c63504593d7.
>>
>> Guix' bug?
zimoun wrote on 7 Dec 2020 14:26
86o8j57nnm.fsf@gmail.com
Hi Pierre,

On Mon, 07 Dec 2020 at 12:57, Pierre Neidhardt <mail@ambrevar.xyz> wrote:

> Guix' bug?

You get something as:

$ guix environment -C guix
guix environment: error: cannot create container: unprivileged user cannot create user namespaces
guix environment: error: please set /proc/sys/kernel/unprivileged_userns_clone to "1"

right? Have you tried to do the recommendation?

please set /proc/sys/kernel/unprivileged_userns_clone to "1"

in other words, as root:

# echo 1 > /proc/sys/kernel/unprivileged_userns_clone
$ guix environment -C --ad-hoc hello -- hello

and report.


Thanks,
simon
Pierre Neidhardt wrote on 7 Dec 2020 18:13
87tusxwncj.fsf@ambrevar.xyz
Hi Paul,

> Can you try, as root on Guix System:
>
> $ echo 1 > /proc/sys/kernel/unprivileged_userns_clone

# echo 1 > /proc/sys/kernel/unprivileged_userns_clone
-bash: /proc/sys/kernel/unprivileged_userns_clone: No such file or directory

--
Pierre Neidhardt
zimoun wrote on 7 Dec 2020 18:35
bug#45069: Guix System: unprivileged user cannot create user namespaces?
86ft4h5xjz.fsf@gmail.com
Hi,

On Mon, 07 Dec 2020 at 18:13, Pierre Neidhardt <mail@ambrevar.xyz> wrote:

>> Can you try, as root on Guix System:
>>
>> $ echo 1 > /proc/sys/kernel/unprivileged_userns_clone
>
> # echo 1 > /proc/sys/kernel/unprivileged_userns_clone
> -bash: /proc/sys/kernel/unprivileged_userns_clone: No such file or directory

In gnu/build/linux-container.scm, it reads:

  (define (unprivileged-user-namespace-supported?)
    "Return #t if user namespaces can be created by unprivileged users."
    (let ((userns-file "/proc/sys/kernel/unprivileged_userns_clone"))
      (if (file-exists? userns-file)
          (eqv? #\1 (call-with-input-file userns-file read-char))
          #t)))

Does it mean that the Linux kernel on Guix System does not support
namespaces by unprivileged users?

Turning #t to #f should work on Guix System and it appears to me a
severe bug if not. What do I miss? Please could someone fill my gap? :-)


All the best,
simon
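Tobias's point earlier in the thread (try to create a namespace and report an error only if that actually fails) and the unprivileged-user-namespace-supported? snippet quoted just above both call for a probe that does not depend on a distribution-specific /proc file. The program below is an added example of such a probe, my own code and not Guix's: it forks a child, attempts unshare(CLONE_NEWUSER) there, and reads the Debian knob and the mainline /proc/sys/user/max_user_namespaces limit only to explain a failure, so a missing knob is never mistaken for missing support. The function and enum names are assumptions; the two paths are the ones quoted in this thread.

```c
/* Added example, not Guix code: decide whether an unprivileged user can
 * create a user namespace by actually trying (unshare(CLONE_NEWUSER) in a
 * child), and read the two /proc knobs from the thread only to explain a
 * failure.  All function and enum names here are assumed, not Guix's. */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000   /* value from <linux/sched.h> */
#endif
int unshare(int flags);            /* glibc prototype, in case <sched.h> hid it */

/* Knob added by the Debian/Ubuntu kernel patch; absent on linux-libre/mainline. */
#define DEBIAN_USERNS_KNOB  "/proc/sys/kernel/unprivileged_userns_clone"
/* Mainline per-user limit; 0 also blocks creation. */
#define MAINLINE_USERNS_MAX "/proc/sys/user/max_user_namespaces"

enum userns_status {
    USERNS_SUPPORTED = 0,         /* the live probe succeeded */
    USERNS_DISABLED_DEBIAN_KNOB,  /* probe failed, Debian knob reads 0 */
    USERNS_DISABLED_MAX_ZERO,     /* probe failed, max_user_namespaces is 0 */
    USERNS_UNSUPPORTED,           /* probe failed for another reason */
    USERNS_UNKNOWN                /* the probe itself could not run */
};

/* Leading non-negative decimal of a sysctl file's text; -1 if none. */
static long parse_sysctl_value(const char *content)
{
    char *end;
    errno = 0;
    long v = strtol(content, &end, 10);
    return (end == content || errno != 0 || v < 0) ? -1 : v;
}

/* -1 when the file is absent: normal on an unpatched kernel, not an error. */
static long read_sysctl_value(const char *path)
{
    char buf[64];
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return -1;
    long v = fgets(buf, sizeof buf, f) ? parse_sysctl_value(buf) : -1;
    fclose(f);
    return v;
}

/* 1 if a child could unshare into a new user namespace, 0 if the kernel
 * refused (errno in *err), -1 if the probe could not run (fork failed). */
static int try_unshare_userns(int *err)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (unshare(CLONE_NEWUSER) == 0)
            _exit(0);
        _exit(errno > 0 && errno < 126 ? errno : 125); /* errno fits in 8 bits */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    if (err)
        *err = WEXITSTATUS(status);
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

/* Only the probe decides; the knobs just explain a failure, so a missing
 * knob (the Guix System case in this thread) never means "unsupported". */
static enum userns_status classify_userns(int probe, long debian_knob, long max_userns)
{
    if (probe == 1)       return USERNS_SUPPORTED;
    if (probe == -1)      return USERNS_UNKNOWN;
    if (debian_knob == 0) return USERNS_DISABLED_DEBIAN_KNOB;
    if (max_userns == 0)  return USERNS_DISABLED_MAX_ZERO;
    return USERNS_UNSUPPORTED;
}

static const char *userns_status_hint(enum userns_status s)
{
    switch (s) {
    case USERNS_SUPPORTED:            return "unprivileged user namespaces work";
    case USERNS_DISABLED_DEBIAN_KNOB: return "please set " DEBIAN_USERNS_KNOB " to \"1\"";
    case USERNS_DISABLED_MAX_ZERO:    return "raise " MAINLINE_USERNS_MAX " above 0";
    case USERNS_UNSUPPORTED:          return "kernel refused CLONE_NEWUSER (CONFIG_USER_NS off or blocked by policy)";
    default:                          return "could not run the probe";
    }
}

int main(void)
{
    int err = 0;
    int probe = try_unshare_userns(&err);
    long knob = read_sysctl_value(DEBIAN_USERNS_KNOB);
    long max_ns = read_sysctl_value(MAINLINE_USERNS_MAX);
    enum userns_status s = classify_userns(probe, knob, max_ns);
    printf("probe: %s\n", probe == 1 ? "ok" : probe == 0 ? strerror(err) : "not run");
    printf("%s: %ld\n%s: %ld   (-1 = file absent)\n", DEBIAN_USERNS_KNOB, knob, MAINLINE_USERNS_MAX, max_ns);
    printf("verdict: %s\n", userns_status_hint(s));
    return s == USERNS_SUPPORTED ? 0 : 1;
}
```

On a kernel without the Debian patch the first knob prints -1 and the verdict comes from the probe alone, which is exactly the case that trips the Scheme check above; on a Debian kernel with the knob at 0 the probe fails and the hint names the knob, so the "please set ... to 1" message is only ever shown when that file exists.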
Vagrant Cascadian wrote on 7 Dec 2020 18:55
87eek1sdpo.fsf@yucca
On 2020-12-07, zimoun wrote:
> On Mon, 07 Dec 2020 at 18:13, Pierre Neidhardt <mail@ambrevar.xyz> wrote:
>
>>> Can you try, as root on Guix System:
>>>
>>> $ echo 1 > /proc/sys/kernel/unprivileged_userns_clone
>>
>> # echo 1 > /proc/sys/kernel/unprivileged_userns_clone
>> -bash: /proc/sys/kernel/unprivileged_userns_clone: No such file or directory
>
> In gnu/build/linux-container.scm, it reads:
>
> --8<---------------cut here---------------start------------->8---
> (define (unprivileged-user-namespace-supported?)
> "Return #t if user namespaces can be created by unprivileged users."
> (let ((userns-file "/proc/sys/kernel/unprivileged_userns_clone"))
> (if (file-exists? userns-file)
> (eqv? #\1 (call-with-input-file userns-file read-char))
> #t)))
> --8<---------------cut here---------------end--------------->8---
>
> Does it mean that the Linux kernel on Guix System does not support
> namespaces by unprivileged users?

> Turning #t to #f should work on Guix System and it appears to me a
> severe bug if not. What do I miss? Please could someone fill my gap? :-)

The /proc/sys/kernel/unprivileged_userns_clone file is specific to
Debian and Ubuntu packaged linux kernel; it is a patchset not applied
upstream, as far as I am aware. I'm not sure if other distros support
disabling and enabling this feature using this mechanism.


live well,
vagrant
Paul Garlick wrote on 7 Dec 2020 20:50
Re: bug#45069: BUG: Re: guix environment: error: cannot create container: unprivileged user cannot create user namespaces
44232f7aafdfd524857ae4abd76440e329fc5c98.camel@tourbillion-technology.com
Hi Pierre,

> # echo 1 > /proc/sys/kernel/unprivileged_userns_clone
> -bash: /proc/sys/kernel/unprivileged_userns_clone: No such file or
> directory

Thanks, that gives us a clue. So all or part of the path
'/proc/sys/kernel' is missing?

Best regards,

Paul.
zimoun wrote on 7 Dec 2020 21:03
Re: bug#45069: Guix System: unprivileged user cannot create user namespaces?
86360h5qoh.fsf@gmail.com
Hi Vagrant,

Sorry if I am naive, I am trying to understand and it appears that
pieces are missing in my bag. :-)


On Mon, 07 Dec 2020 at 09:55, Vagrant Cascadian <vagrant@debian.org> wrote:

> The /proc/sys/kernel/unprivileged_userns_clone file is specific to
> Debian and Ubuntu packaged linux kernel; it is a patchset not applied
> upstream, as far as I am aware. I'm not sure if other distros support
> disabling and enabling this feature using this mechanism.

Thanks. I still do not understand the message from Guix System:

~/co/guix (master)$ guix environment -C guix
guix environment: error: cannot create container: unprivileged user cannot create user namespaces
guix environment: error: please set /proc/sys/kernel/unprivileged_userns_clone to "1"

(see

Why does this appear if «set /proc/sys/kernel/unprivileged_userns_clone to "1"»
does not make sense on Guix System?



yasu wrote:

> Now, I don't use Debian at all (I use Guix System) and do you think
> this is a Bug in Guix (in that this Debian specific word should never
> even be mentioned in Guix?)

It's not Debian-specific. It is a bug in Guix.

It should try to create a namespace and properly report an error
iff that fails, not prematurely abort after farting about in
/proc.

A separate unprivileged-user-namespace-supported? is broken by
design. Reverting commit 8bc5ca5 works around this but it wasn't
to blame.

so I miss why does a similar patch as,

is not applied to Guix System? Is there a technical or other reason
behind it? Or is it simply because no one has taken the time to fix the
problem?



All the best,
simon
Pierre Neidhardt wrote on 7 Dec 2020 21:35
Re: bug#45069: BUG: Re: guix environment: error: cannot create container: unprivileged user cannot create user namespaces
87im9dwe07.fsf@ambrevar.xyz
Hi again,

Paul Garlick <pgarlick@tourbillion-technology.com> writes:

> Thanks, that gives us a clue. So all or part of the path
> '/proc/sys/kernel' is missing?

Nope, my /proc/sys/kernel has 121 direct files and directories :/

--
Pierre Neidhardt
zimoun wrote on 7 Dec 2020 22:09
86zh2p4921.fsf@gmail.com
Hi,

On Mon, 07 Dec 2020 at 21:35, Pierre Neidhardt <mail@ambrevar.xyz> wrote:

>> Thanks, that gives us a clue. So all or part of the path
>> '/proc/sys/kernel' is missing?
>
> Nope, my /proc/sys/kernel has 121 direct files and directories :/

Well, it is expected. And now all is clear. Explanations starting
there:


Quickly said, the initial code was assuming Debian-like kernel patches
as Vagrant reported and this is not in the linux-libre source code with
a wrong Guix error message.

One bug is still there. :-)


All the best,
simon
Bengt Richter wrote on 8 Dec 2020 04:20
Re: bug#45069: Guix System: unprivileged user cannot create user namespaces?
To: Vagrant Cascadian <vagrant@debian.org>
20201208032005.GA14866@LionPure
Hi Vagrant,

On +2020-12-07 09:55:31 -0800, Vagrant Cascadian wrote:
> On 2020-12-07, zimoun wrote:
> > On Mon, 07 Dec 2020 at 18:13, Pierre Neidhardt <mail@ambrevar.xyz> wrote:
> >
> >>> Can you try, as root on Guix System:
> >>>
> >>> $ echo 1 > /proc/sys/kernel/unprivileged_userns_clone
> >>
> >> # echo 1 > /proc/sys/kernel/unprivileged_userns_clone
> >> -bash: /proc/sys/kernel/unprivileged_userns_clone: No such file or directory
> >
> > In gnu/build/linux-container.scm, it reads:
> >
> > --8<---------------cut here---------------start------------->8---
> > (define (unprivileged-user-namespace-supported?)
> > "Return #t if user namespaces can be created by unprivileged users."
> > (let ((userns-file "/proc/sys/kernel/unprivileged_userns_clone"))
> > (if (file-exists? userns-file)
> > (eqv? #\1 (call-with-input-file userns-file read-char))
> > #t)))
> > --8<---------------cut here---------------end--------------->8---
> >
> > Does it mean that the Linux kernel on Guix System does not support
> > namespaces by unprivileged users?
>
> > Turning #t to #f should work on Guix System and it appears to me a
> > severe bug if not. What do I miss? Please could someone fill my gap? :-)
>
> The /proc/sys/kernel/unprivileged_userns_clone file is specific to
> Debian and Ubuntu packaged linux kernel; it is a patchset not applied
> upstream, as far as I am aware. I'm not sure if other distros support
> disabling and enabling this feature using this mechanism.
>
> https://salsa.debian.org/kernel-team/linux/-/blob/master/debian/patches/debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch
>
> live well,
and as virtuously as you are able ... so that spies can't help but admire and reflect :)
> vagrant

Another data point FYI:

On my pureos system, which is based on debian upstream:
uname -a
=-> Linux LionPure 4.19.0-12-amd64 #1 SMP Debian 4.19.152-1 (2020-10-18) x86_64 GNU/Linux
and
ls -l /proc/sys/kernel/unprivileged_userns_clone
-rw-r--r-- 1 root root 0 Dec 8 03:03 /proc/sys/kernel/unprivileged_userns_clone

and (noticing that the items appear to be short and ascii lines, hence thereupon head :)

od -a -t x1 /proc/sys/kernel/unprivileged_userns_clone
0000000   0  nl
         30  0a
0000002
head /proc/sys/kernel/unprivileged_userns_clone
0

Not sure this tells you anything useful, but there is also:
head /proc/sys/user/*
==> /proc/sys/user/max_cgroup_namespaces <==
128163

==> /proc/sys/user/max_inotify_instances <==
128

==> /proc/sys/user/max_inotify_watches <==
65536

==> /proc/sys/user/max_ipc_namespaces <==
128163

==> /proc/sys/user/max_mnt_namespaces <==
128163

==> /proc/sys/user/max_net_namespaces <==
128163

==> /proc/sys/user/max_pid_namespaces <==
128163

==> /proc/sys/user/max_user_namespaces <==
128163

==> /proc/sys/user/max_uts_namespaces <==
128163

HTH some way :)
--
Regards,
Bengt Richter
Pierre Neidhardt wrote on 4 Jan 2021 10:11
Re: bug#45069: BUG: Re: guix environment: error: cannot create container: unprivileged user cannot create user namespaces
87mtxpm5gi.fsf@ambrevar.xyz
This issue seems to be gone for me with kernel 5.10.x.
I guess it was a kernel bug then.

--
Pierre Neidhardt
raingloom wrote on 6 Jan 2021 11:49
Re: BUG: Re: guix environment: error: cannot create container: unprivileged user cannot create user namespaces
To: yasu <yasu@yasuaki.com>
20210106114956.0d4027e8@riseup.net
On Mon, 07 Dec 2020 05:51:05 +0900
yasu <yasu@yasuaki.com> wrote:

> Hi Zimoun,
>
> I tried as you suggested but it didn't work...
>
>
> root@guix ~# echo "kernel.unprivileged_userns_clone = 1" >
> /etc/sysctl.d/local.conf
> -bash: /etc/sysctl.d/local.conf: No such file or directory

This could mean you have to create the sysctl.d directory.
Try running this:
```
# mkdir -p /etc/sysctl.d/
# echo "kernel.unprivileged_userns_clone = 1" > /etc/sysctl.d/local.conf
```