
`bwrap: unshare user ns: No space left on device`

Open TheEvilSkeleton opened this issue 3 years ago • 3 comments

Hi,

I recently wrote a bwrap script for Firefox in bash. However, whenever I try to launch it like a normal script or binary, I get the following error:

`bwrap: unshare user ns: No space left on device`

This issue is only reproducible on my laptop apparently. The script ran without a problem on my desktop. Both systems use Fedora Silverblue 35.

I don't know if it's a hardware issue, so I am sharing my laptop's and desktop's specs:

  • laptop: https://linux-hardware.org/?probe=d136f5d8f7
  • desktop: https://linux-hardware.org/?probe=ad0a5b8c83

(Just to be clear, these are old hardware probes, but the specs are the same.)

I wasn't able to retrieve any logs because I couldn't find a --verbose flag.

I came across https://github.com/containers/bubblewrap/issues/371. I checked max_user_namespaces and I have the following:

[root@TheMainLaptop ~]# cat /proc/sys/user/max_user_namespaces 
28906

Also, I didn't run the script as root.

TheEvilSkeleton, Dec 05 '21 06:12

> I don't know if it's a hardware issue

I doubt it. Everything involving unshare() should be purely software, except that some limits will scale with the amount of RAM you have.

smcv, Dec 05 '21 11:12

This is ENOSPC, documented in unshare(2) as:

       ENOSPC (since Linux 3.7)
              CLONE_NEWPID was specified in flags, but the limit on the
              nesting depth of PID namespaces would have been exceeded; see
              pid_namespaces(7).

       ENOSPC (since Linux 4.9; beforehand EUSERS)
              CLONE_NEWUSER was specified in flags, and the call would cause
              the limit on the number of nested user namespaces to be
              exceeded. See user_namespaces(7).

              From Linux 3.11 to Linux 4.8, the error diagnosed in this case
              was EUSERS.

       ENOSPC (since Linux 4.9)
              One of the values in flags specified the creation of a new
              user namespace, but doing so would have caused the limit
              defined by the corresponding file in /proc/sys/user to be
              exceeded. For further details, see namespaces(7).

smcv, Dec 05 '21 11:12
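
The ENOSPC cases quoted above depend on the per-UID limit in /proc/sys/user, on how many user namespaces already exist, and on whether the caller is already inside a user namespace. The following script is an added example, not part of the original thread and not bubblewrap code, that collects those inputs; `PROC_ROOT`, the function names and the verdict strings are this example's own assumptions, and the namespace count only approximates the kernel's per-UID accounting.

```shell
#!/bin/sh
# Added example, not bubblewrap code: collect what the ENOSPC cases depend on.
# PROC_ROOT is this example's own knob (an assumption) so the functions can be
# pointed at a constructed tree; leave it unset to read the real /proc.
PROC_ROOT=${PROC_ROOT:-/proc}

# Per-UID limit from /proc/sys/user. $1 is the namespace type: user, pid, ...
ns_limit() {
    cat "$PROC_ROOT/sys/user/max_$1_namespaces" 2>/dev/null || echo missing
}

# Distinct user namespaces among processes the caller may inspect. Approximate:
# the kernel charges namespaces to the creating UID, including ones that no
# visible process is currently in.
visible_userns() {
    for link in "$PROC_ROOT"/[0-9]*/ns/user; do
        readlink "$link" 2>/dev/null || :
    done | sort -u | wc -l | tr -d ' '
}

# The initial user namespace has the identity map "0 0 4294967295" in uid_map;
# any other content means the caller is already inside a user namespace.
in_initial_userns() {
    map=$(awk '{print $1, $2, $3}' "$PROC_ROOT/self/uid_map" 2>/dev/null)
    [ "$map" = "0 0 4294967295" ]
}

# Map the findings to one verdict string (names are this example's own).
diagnose() {
    limit=$(ns_limit user)
    count=$(visible_userns)
    if [ "$limit" = missing ]; then echo no-sysctl
    elif [ "$limit" -eq 0 ]; then echo limit-zero
    elif [ "$count" -ge "$limit" ]; then echo limit-reached
    # Nested: ancestor namespaces' limits and the nesting-depth limit apply
    # too, and neither can be read from inside.
    elif ! in_initial_userns; then echo nested
    else echo no-cause-found
    fi
}

echo "max_user_namespaces=$(ns_limit user) visible=$(visible_userns) verdict=$(diagnose)"
```

Run it as the same user, and from the same terminal or container, that launches the bwrap script, since the limits and the uid_map are read from the caller's own namespace.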

I see. Is there a solution to this? I took a look at pid_namespaces(7) and user_namespaces(7) but the description was too technical for me.

TheEvilSkeleton, Dec 06 '21 15:12