Unable to create user namespace in RHEL

linux rhel docker namespace
5,399

If one uses strace to inspect the command

$ strace -o logf -f unshare -U sh
unshare: unshare failed: Invalid argument
$ grep 'Invalid argument' logf
31728 unshare(CLONE_NEWUSER)            = -1 EINVAL (Invalid argument)
31728 write(2, "Invalid argument\n", 17) = 17

this reveals that the system call unshare(2) has failed. Notably CLONE_NEWUSER does not appear in the manual page, which could be a documentation bug or could indicate that CLONE_NEWUSER is not supported on a stock install of RedHat 7 (I'm using Centos7 here on a test system, which is similar to but different from RedHat 7).

$ man 2 unshare | col -b | grep CLONE_NEWUSER
$

This is strange; altagoobingleduckgoing the terms unshare and CLONE_NEWUSER yields questions about unshare(CLONE_NEWUSER) though from that CONFIG_USER_NS is apparently enabled on Centos 7:

$ grep CONFIG_USER_NS /boot/config-$(uname -r)
CONFIG_USER_NS=y

Yet more altagoobingleduckgoing turns up an lxc thread that indicates that "Currently user namespaces are in TECH PREVIEW phase" (as of RedHat 7.2) so may or may not work. Adding user_namespace.enable=1 to the kernel arguments did not help on my Centos 7.5 system (and is not necessary in testing, below). The Kernel features page however lists user namespaces as supported; Filipe Brandenburger found is it safe to enable user namespaces which indicates that by default RedHat 7 enables 0 namespaces for users, though this number can be increased:

# cat /proc/sys/user/max_user_namespaces
0
# echo 640 > /proc/sys/user/max_user_namespaces
# unshare -U sh
sh-4.2$

So increasing max_user_namespaces on Centos 7.5 works, and does not require the user_namespace.enable=1 kernel flag.

Even more reading:

https://rhelblog.redhat.com/2015/07/07/whats-next-for-containers-user-namespaces/

Share:
5,399

Related videos on Youtube

Admin
Author by

Admin

Updated on September 18, 2022

Comments

  • Admin
    Admin over 1 year

    I'm trying to create user namespace in RHEL 7 but unable to because of the below error:

    [root@teja7131 ~]# unshare -U /bin/bash
unshare: unshare failed: Invalid argument

    Please explain the correct argument format for creating the user namespace.

  • filbranden
    filbranden over 5 years
    See also superuser.com/a/1294246/879179, perhaps you need to tweak /proc/sys/user/max_user_namespaces as well on recent RHEL 7 kernels.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Cannot install docker in a RHEL server
Docker container exited with exit code 2 "sh can't open 'start_script.sh': No such file or directory"
Can't open lib 'ODBC Driver 17 for SQL Server' : file not found
nslookup reported "can't resolve '(null)': Name does not resolve" though it successfully resolved the DNS names
Why is crond failing to run a non-root crontab on alpine linux?
docker - change default login user
How to remount the /proc filesystem in a docker as a r/w system?
how to install yum package on linux RHEL 4?
Set docker image username at container creation time?
Error while loading shared libraries: libssl.so.10: cannot open shared object file in Docker