
`unshare(): Invalid argument` on Arch Linux

Open atondwal opened this issue 7 years ago • 8 comments

$ nix-user-chroot ~/.nix bash
unshare(): Invalid argument

This can also be reproduced with docker:

docker run atondwal/nix-user-chroot

(The docker image was created with:

FROM base/archlinux
RUN pacman -Sy git make gcc --noconfirm &&\
  pacman -Scc --noconfirm &&\
  rm -rf /var/cache/pacman/pkg/*
RUN git clone https://github.com/lethalman/nix-user-chroot.git &&\
  cd nix-user-chroot &&\
  make &&\
  mkdir -m 0755 ~/.nix
CMD ./nix-user-chroot/nix-user-chroot ~/.nix bash

)

atondwal avatar Oct 01 '17 18:10 atondwal

I guess you need to give docker somehow more privileged permissions... or perhaps it might not work at all inside another container.

lucabrunox avatar Oct 03 '17 12:10 lucabrunox

The problem isn't docker; I get the same problem on bare metal. I just dockerized it to make it easy to reproduce.

On Oct 3, 2017 05:59, "Luca Bruno" wrote:

I guess you need to give docker somehow more privileged permissions... or perhaps it might not work at all inside another container.


atondwal avatar Oct 03 '17 17:10 atondwal

@atondwal, is it possible that this issue is caused by not having a kernel with support for userspaces as described in the README.md? You can use uname -a to show the kernel version, it should be >=3.8.0.

kalebo avatar Feb 01 '18 18:02 kalebo

I'm getting the same issue on a 64-bit CentOS 7 box with kernel 3.10.0-693.

Rovanion avatar Feb 02 '18 09:02 Rovanion

Had the same issue on Arch. It's because the Arch kernel has user namespaces disabled for security reasons (?). You might need to use a custom kernel which has said module enabled.

ysndr avatar Mar 20 '18 22:03 ysndr

I am seeing the same issue on RHEL 7.4. Output of commands from Nix wiki:

$ unshare --user --pid echo YES
unshare: unshare failed: Invalid argument
$ unshare --user echo YES
unshare: unshare failed: Invalid argument
$ unshare --pid echo YES
unshare: unshare failed: Operation not permitted
$ unshare echo YES
YES
$ grep CONFIG_USER_NS /boot/config-$(uname -r)
CONFIG_USER_NS=y

dniku avatar Jan 21 '19 14:01 dniku

You cannot use user namespaces as an unprivileged user on either Arch Linux, CentOS, Red Hat or Fedora. They don't allow it in their kernel. You will need to recompile the kernels on those machines. This issue can be closed.

Mic92 avatar Feb 11 '19 01:02 Mic92

This actually does work in Red Hat / CentOS 7.4, but there are two steps:

  1. Enable the grub kernel boot parameter user_namespace.enabled=1
  2. Increase the maximum number of namespaces allowed from the default of 0: # echo 15000 > /proc/sys/user/max_user_namespaces

If you do both of these things, then it'll work:

$ uname -sr
Linux 3.10.0-693.1.1.el7.x86_64

$ unshare --user --pid echo YES
YES
$ unshare --user echo YES
YES
$ unshare echo YES
YES

bhipple avatar Feb 16 '19 18:02 bhipple
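The thread above narrows `unshare(): Invalid argument` down to three independent signals: whether the kernel was built with CONFIG_USER_NS, whether user namespaces were switched off at boot, and whether `/proc/sys/user/max_user_namespaces` is still 0. The script below is an added diagnostic, not part of nix-user-chroot or any comment here; it gathers those signals and maps the errno text `unshare` reports to the cause discussed in the thread (the diagnosis token names and the ENOSPC case for an exhausted namespace limit are my additions).

```shell
#!/bin/sh
# Added diagnostic, not part of nix-user-chroot: classify why `unshare --user`
# fails, using the signals the issue thread walks through.

# Pure classifier, so the logic can be exercised with constructed inputs.
#   $1  CONFIG_USER_NS line from the kernel config, or "" if absent
#   $2  contents of /proc/sys/user/max_user_namespaces, or "" if absent
#   $3  exit status of `unshare --user true`
#   $4  stderr text from that call
# Prints one diagnosis token and always returns 0 so it can be used in $(...).
classify_userns() {
  cfg=$1; max=$2; rc=$3; err=$4
  if [ "$rc" -eq 0 ]; then
    echo "ok"
  elif [ "$cfg" != "CONFIG_USER_NS=y" ]; then
    # Kernel built without user namespaces: CLONE_NEWUSER is rejected with EINVAL.
    echo "kernel-built-without-CONFIG_USER_NS"
  else
    case $err in
      *"Invalid argument"*)
        # CONFIG_USER_NS=y yet still EINVAL: the feature is turned off at boot
        # (the RHEL/CentOS 7 case above, fixed by the boot parameter).
        echo "userns-disabled-at-boot" ;;
      *"No space left on device"*)
        # ENOSPC: the per-user namespace limit is exhausted; RHEL 7 ships
        # max_user_namespaces=0, hence the second step in the last comment.
        echo "max_user_namespaces-is-0" ;;
      *"Operation not permitted"*)
        # EPERM: unprivileged user namespaces blocked by a sysctl or LSM policy.
        echo "unprivileged-userns-blocked-by-policy" ;;
      *) echo "unknown" ;;
    esac
  fi
  return 0
}

# Gather the live signals from this machine and classify them.
diagnose_userns() {
  cfg=$(grep -h '^CONFIG_USER_NS=' "/boot/config-$(uname -r)" 2>/dev/null || true)
  if [ -z "$cfg" ]; then
    cfg=$(zcat /proc/config.gz 2>/dev/null | grep '^CONFIG_USER_NS=' || true)
  fi
  max=$(cat /proc/sys/user/max_user_namespaces 2>/dev/null || true)
  if err=$(unshare --user true 2>&1); then rc=0; else rc=$?; fi
  echo "CONFIG_USER_NS: ${cfg:-absent}  max_user_namespaces: ${max:-absent}  unshare rc=$rc"
  classify_userns "$cfg" "$max" "$rc" "$err"
}

diagnose_userns
```

Run it as the unprivileged user that will invoke nix-user-chroot; the last line printed is the diagnosis, and the line before it shows the raw values so the result can be checked by hand.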