Matthew Parkinson
Hi @ctalledo, > I am thinking we could leverage your technique in that script too. Sounds good. --- I recently noticed that one of our 'docker cp' scenarios operates on...
Also noticed the following vulnerability can be mitigated by disabling unprivileged user namespaces. - https://coder.com/blog/statement-on-the-recent-cve-2022-0185-vulnerability - https://ubuntu.com/security/CVE-2022-0185 `sysctl -w kernel.unprivileged_userns_clone=0` Am assuming the Sysbox error encountered above relates to attempting...
Found the following reference in the Sysbox user guide. - https://github.com/nestybox/sysbox/blob/release_v0.6.3/docs/user-guide/troubleshoot.md#unprivileged-user-namespace-creation-error Along with the following fix. `sudo sh -c "echo 1 > /proc/sys/kernel/unprivileged_userns_clone"` This appears to allow the vulnerability identified...
Hi @ctalledo, Thanks, here are the contents of `/proc/sys/kernel` for the 6.5.21 passing case. **6.5.21** [image: listing of `/proc/sys/kernel` on 6.5.21] The 6.6.17 failing case removes the following from `/proc/sys/kernel`. - apparmor_restrict_unprivileged_io_uring - apparmor_restrict_unprivileged_unconfined -...
thanks @ctalledo. > Also, in the newer kernels, do you see `/proc/sys/user/max_user_namespaces`? yes ... this is present in all of the newer kernels ... 6.6.21, 6.7.9 and 6.8-rc7
Hi Rodny, Thanks, I've attached an strace of the bash process attempting to do the nix installation. [nix_install_strace.txt.gz](https://github.com/nestybox/sysbox/files/10127336/nix_install_strace.txt.gz)
Hi Rodny, Thanks, I also now have this working with kernel 5.15. os=ubuntu 20.04.5, kernel=5.15.0-46-generic, docker=20.10.21, sysbox=0.5.2 EE > root@sandboxparkinsonm:/# docker run nixos/nix nix --version nix (Nix) 2.11.1 Next step,...
Under kernel 5.15, and within a system container sandbox, attempting the docker installation technique. > docker 20.10.8 reproduces the issue; docker 20.10.21 works fine Attempting the first installation technique. >...