Date: Wed, 14 Feb 2018 15:54:42 +1100
From: Aleksa Sarai
To: Enrico Weigelt
Cc: linux-kernel@vger.kernel.org, Linux Containers
Subject: Re: plan9 semantics on Linux - mount namespaces
Message-ID: <20180214045442.jyv6zpbwz5glzi4z@gordon>
In-Reply-To: <39b08c53-3449-3164-c1b1-44ac587dd4ea@metux.net>
References: <0f058286-a432-379b-f559-f2fe713807ab@metux.net> <5633d335-3926-d98f-d6d7-948b1e2a0b2c@metux.net> <20180213222751.p3fyg7whg6jqlzz5@gordon> <39b08c53-3449-3164-c1b1-44ac587dd4ea@metux.net>
On 2018-02-14, Enrico Weigelt wrote:
> On 13.02.2018 22:27, Aleksa Sarai wrote:
>
> > You can do this by creating a new user namespace (CLONE_NEWUSER), which
> > then gives you the required permissions to create other namespaces
> > (CLONE_NEWNS). This is how "rootless containers" or unprivileged
> > containers operate.
>
> hmm, unshare -U doesn't work for me (even as root). But docker works,
> so user namespaces should be working. Any idea what could be wrong?

It depends how old your kernel is and what distro you use. Arch Linux
disables user namespaces entirely, Debian requires that you set a sysctl
to enable unprivileged user namespaces, and RHEL requires you to set both
a sysctl and a kernel boot-flag. Also check how old your kernel is
(unprivileged user namespace support was added in 3.8).

Also Docker doesn't use user namespaces by default (you need to manually
enable it with --userns-remap, check the docs for more details).

You probably also want to be using "unshare -r" in your testing (as
"unshare -U" will leave you without mapped users).
--
Aleksa Sarai
Senior Software Engineer (Containers)
SUSE Linux GmbH
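As an added illustration of the mechanics discussed in this message (this is not code from the thread, from Aleksa Sarai or from SUSE), the C program below does by hand in a forked child what `unshare -r` does: `unshare(CLONE_NEWUSER)`, a single-line `/proc/self/uid_map` / `gid_map` mapping (with `setgroups` set to `deny` first, as an unprivileged writer must), then `unshare(CLONE_NEWNS)` and a private tmpfs mount. Run with `map_ids = 0` it reproduces the `unshare -U` situation: the user namespace exists but the process is the unmapped overflow user. The errno-to-cause table and the distro hints in `explain()` are my own reading of the failure modes the message lists; the sysctl and boot-flag names are the ones Debian and RHEL 7 used, which the message itself does not spell out, and the `/tmp` scratch directory is an assumption.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcome of the probe; returned through the child's exit status. */
enum userns_result {
    USERNS_OK = 0,           /* user ns + mount ns created, ids mapped, private tmpfs mounted */
    USERNS_UNMAPPED = 1,     /* user ns created but no id mapping: we are "nobody" (65534) */
    USERNS_DENIED = 2,       /* EPERM/ENOSPC: blocked by sysctl, namespace limit or seccomp */
    USERNS_UNSUPPORTED = 3,  /* EINVAL/ENOSYS: kernel built without CONFIG_USER_NS or too old */
    USERNS_MOUNT_FAILED = 4, /* namespaces created but mounting inside them failed */
    USERNS_OTHER = 5,
};

/* Write one string to a /proc file; uid_map and gid_map accept exactly one write. */
static int write_file(const char *path, const char *buf) {
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t n = write(fd, buf, strlen(buf));
    close(fd);
    return n == (ssize_t)strlen(buf) ? 0 : -1;
}

/* Child body: create the user ns, optionally map ourselves to uid/gid 0 (what
 * "unshare -r" does), then create a mount ns and try a private mount in it. */
static enum userns_result probe_in_child(int map_ids) {
    char buf[64];
    uid_t uid = getuid();
    gid_t gid = getgid();

    if (unshare(CLONE_NEWUSER) != 0) {
        if (errno == EPERM || errno == ENOSPC) return USERNS_DENIED;
        if (errno == EINVAL || errno == ENOSYS) return USERNS_UNSUPPORTED;
        return USERNS_OTHER;
    }
    if (map_ids) {
        snprintf(buf, sizeof buf, "0 %u 1\n", (unsigned)uid);
        if (write_file("/proc/self/uid_map", buf) != 0) return USERNS_OTHER;
        /* An unprivileged process must disable setgroups() before it may write gid_map. */
        if (write_file("/proc/self/setgroups", "deny") != 0) return USERNS_OTHER;
        snprintf(buf, sizeof buf, "0 %u 1\n", (unsigned)gid);
        if (write_file("/proc/self/gid_map", buf) != 0) return USERNS_OTHER;
    }
    /* We hold CAP_SYS_ADMIN in the new user ns, so a mount ns is allowed even unmapped. */
    if (unshare(CLONE_NEWNS) != 0) return USERNS_OTHER;
    if (!map_ids || geteuid() != 0) return USERNS_UNMAPPED;

    /* Make the copied mount tree private so nothing propagates back to the host, then
     * mount a tmpfs on a scratch directory (assumed under /tmp): a per-process view. */
    char dir[] = "/tmp/userns-probe-XXXXXX";
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) != 0) return USERNS_MOUNT_FAILED;
    if (mkdtemp(dir) == NULL) return USERNS_OTHER;
    if (mount("none", dir, "tmpfs", 0, "size=1m") != 0) { rmdir(dir); return USERNS_MOUNT_FAILED; }
    umount(dir);
    rmdir(dir);
    return USERNS_OK;
}

/* Fork so the irreversible unshare() never touches the caller, and so the child is
 * single-threaded (unshare(CLONE_NEWUSER) fails with EINVAL in a threaded process). */
enum userns_result probe_unprivileged_namespaces(int map_ids) {
    pid_t pid = fork();
    if (pid < 0) return USERNS_OTHER;
    if (pid == 0) _exit((int)probe_in_child(map_ids));
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return USERNS_OTHER;
    return (enum userns_result)WEXITSTATUS(status);
}

/* Distro hints, keyed on what the probe saw (names are from my notes, not the message). */
const char *explain(enum userns_result r) {
    switch (r) {
    case USERNS_OK: return "unprivileged user+mount namespaces work";
    case USERNS_UNMAPPED: return "user ns created but ids unmapped (unshare -U); use unshare -r or write uid_map/gid_map";
    case USERNS_DENIED: return "refused by policy: Debian needs sysctl kernel.unprivileged_userns_clone=1, "
                               "RHEL 7 needs sysctl user.max_user_namespaces>0 plus the user_namespace.enable=1 boot flag";
    case USERNS_UNSUPPORTED: return "kernel built without CONFIG_USER_NS (Arch Linux at the time) or older than 3.8";
    case USERNS_MOUNT_FAILED: return "namespaces created but mounting inside them failed (check LSM/seccomp policy)";
    default: return "unexpected failure";
    }
}

int main(void) {
    enum userns_result r = probe_unprivileged_namespaces(1);
    printf("mapped probe (unshare -r style):   %d: %s\n", r, explain(r));
    r = probe_unprivileged_namespaces(0);
    printf("unmapped probe (unshare -U style): %d: %s\n", r, explain(r));
    return 0;
}
```

On a host where unprivileged user namespaces are disabled the first probe reports `USERNS_DENIED` or `USERNS_UNSUPPORTED`, which is the distinction Aleksa is drawing between a sysctl/boot-flag problem and a kernel that simply lacks the feature; the second probe can never report `USERNS_OK`, because without a mapping `geteuid()` is the overflow id, which is exactly why `unshare -U` alone looks broken.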