Can't unshare mount namespace centos 7.3

Brian_McQueen · June 2, 2019, 12:02am

I need a workaround. Trying to get unprivileged containers going on RH7. I’ve already tried all suggestions I can find, but it looks like they work a few kernel revs after mine. Here’s the best I could find: (best link which is actually from this board) I’m stuck at specific version for a big-corporation amount of time. I’ve got the kernel flags in, still can’t unshare! I need to get around this without patching the kernel. Any suggestions?

> cat /proc/cmdline 
BOOT_IMAGE=/boot/vmlinuz-3.10.0-514.55.4.el7.x86_64 root=UUID=ugly ro crashkernel=auto rhgb quiet user_namespace.enable=1 namespace.unpriv_enable=1
> unshare -m sh
unshare: unshare failed: Operation not permitted
> #stuck

stgraber · June 2, 2019, 3:17pm

There are kernel sysctls to set quotas on the number of the various namspaces, maybe your system is somehow configured to only allow a single mount namespace?

Also, are you running those commands as root? If run as a user, you won’t be able to unshare a mount namespace without unsharing a user namespace first.

Brian_McQueen · June 2, 2019, 4:50pm

That second tip is a good lesson. This bit, “you won’t be able to unshare a mount namespace without unsharing a user namespace first”.

Still not working, but its good to know that concept.

tomp · June 3, 2019, 11:33am

You have user namespace enabled in kernel boot line, which is good.

user_namespace.enable=1

Try running also:

sysctl user.max_user_namespaces=10000

brauner · June 3, 2019, 2:00pm

We’ve had that question quite a bit and I tracked down all the necessary bits and pieces once:

@stgraber also posted here:

Brian_McQueen · June 4, 2019, 4:02am

That (sysctl user.max_user_namespaces=10000) gives the surprising

sysctl: cannot stat /proc/sys/user/max_user_namespaces: No such file or directory

Its not in /proc! Its like my kernel is some tiny step below compatibility.

I do have both of the recommended kernel flags in place. Its shown at the top of the thread.

tomp · June 4, 2019, 7:41am

It looks like those sysctls didn’t appear until RHEL 7.4

So I would suggest you upgrade beyond 7.3 and try it again.

Brian_McQueen · June 4, 2019, 2:16pm

Yea that’s what I’m guessing, but that stinks for my project. At corporate velocities this is an unknown delay. I’m thinking of getting some POC going in VMs just to get it done.