GNU bug report logs - #45069
BUG: Re: guix environment: error: cannot create container: unprivileged user cannot create user namespaces


Package: guix;

Reported by: yasu <yasu <at> yasuaki.com>

Date: Sun, 6 Dec 2020 12:42:02 UTC

Severity: normal

Merged with 45066

Done: Marius Bakke <marius <at> gnu.org>



Message #19 received at submit <at> debbugs.gnu.org (full text, mbox):

From: yasu <yasu <at> yasuaki.com>
To: zimoun <zimon.toutoune <at> gmail.com>, bug-guix <at> gnu.org, 
 pgarlick <at> tourbillion-technology.com, Pjotr Prins <pjotr.public12 <at> thebird.nl>
Cc: Guix Devel <guix-devel <at> gnu.org>
Subject: Re: BUG: Re: guix environment: error: cannot create container:
 unprivileged user cannot create user namespaces
Date: Mon, 07 Dec 2020 05:51:05 +0900
Hi Zimoun,

I tried as you suggested but it didn't work...


   root <at> guix ~# echo "kernel.unprivileged_userns_clone = 1" > /etc/sysctl.d/local.conf
   -bash: /etc/sysctl.d/local.conf: No such file or directory
   root <at> guix ~# sysctl --system
   root <at> guix ~# logout
   ~$ guix environment -C
   guix environment: error: cannot create container: unprivileged user cannot create user namespaces
   guix environment: error: please set /proc/sys/kernel/unprivileged_userns_clone to "1"


Now, if this posting were to be believed, I think this term

   kernel.unprivileged_userns_clone

   is specific to Debian Linux, and does not exist outside of that circle.

   It disables a bit of "hardening" that Debian patches into their
   distribution kernel. If you're not running such a kernel, it will
   fail and not do anything, as such a setting doesn't even exist in the
   mainline Linux kernel.

I wonder how this term came into Guix in the first place?

-Yasu


On Sun, 2020-12-06 at 17:56 +0100, zimoun wrote:
> Hi,
> 
> Please try the recommendation. Have you tried it?
> 
>   please set /proc/sys/kernel/unprivileged_userns_clone to "1"
> 
> As root, you just do:
> 
>   echo 1 > /proc/sys/kernel/unprivileged_userns_clone
> 
> then “guix environment -C” should work as expected.  To do the trick
> automatically with Shepherd, I do not know, but I am sure that the
> systemd equivalent
> 
>   echo "kernel.unprivileged_userns_clone = 1" >
> /etc/sysctl.d/local.conf
>   sysctl --system
> 
> seems doable with Guix System.
> 
> 
> On my system, and I need explanations if it does not work similarly on
> yours, I simply do:
> 
> --8<---------------cut here---------------start------------->8---
> $ guix environment -C --ad-hoc hello -- hello 
> guix environment: error: cannot create container: unprivileged user
> cannot create user namespaces
> guix environment: error: please set
> /proc/sys/kernel/unprivileged_userns_clone to "1"
> 
> $ su -
> Password:
> # echo 1 > /proc/sys/kernel/unprivileged_userns_clone 
> # logout
> 
> $ guix environment -C --ad-hoc hello -- hello 
> Hello, world!
> --8<---------------cut here---------------end--------------->8---
> 
> Hope that helps,
> simon
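The thread turns on which kernel knob actually exists: `kernel.unprivileged_userns_clone` is only present on Debian-patched kernels, while mainline kernels expose `user.max_user_namespaces` instead (0 disables creation). The following diagnostic script is an added example, not code from this bug report or from Guix; it reports which knob a host exposes and probes whether an unprivileged user namespace can really be created. It takes a root directory argument so it can be pointed at `/` on a live host or at a constructed fake `/proc/sys` tree, and the probe assumes the `unshare` utility from util-linux is installed.

```shell
#!/bin/sh
# Added example (not from the thread or from Guix). Reports the user-namespace
# policy knobs present under $root/proc/sys:
#   debian-knob=<0|1>   Debian-patched kernel: kernel.unprivileged_userns_clone
#   mainline-max=<N>    mainline kernel: user.max_user_namespaces (0 = disabled)
#   none                neither file present (no userns support, or not Linux)
userns_policy() {
    root="${1:-/}"; root="${root%/}"   # "/" becomes "" so paths stay clean
    out=""
    f="$root/proc/sys/kernel/unprivileged_userns_clone"
    [ -r "$f" ] && out="debian-knob=$(tr -d '[:space:]' < "$f")"
    f="$root/proc/sys/user/max_user_namespaces"
    [ -r "$f" ] && out="${out:+$out }mainline-max=$(tr -d '[:space:]' < "$f")"
    echo "${out:-none}"
}

# Reading sysctls only tells you the configured policy; the reliable check is
# to try creating a user namespace as the calling (unprivileged) user, which
# is exactly what "guix environment -C" needs. Prints "ok" or "denied".
userns_probe() {
    if command -v unshare >/dev/null 2>&1 && unshare -U true 2>/dev/null; then
        echo ok
    else
        echo denied
    fi
}

# Constructed fake tree resembling a Debian kernel with the knob switched off
# (this is sample data, not a real kernel).
demo=$(mktemp -d)
mkdir -p "$demo/proc/sys/kernel" "$demo/proc/sys/user"
echo 0 > "$demo/proc/sys/kernel/unprivileged_userns_clone"
echo 28633 > "$demo/proc/sys/user/max_user_namespaces"
userns_policy "$demo"      # prints: debian-knob=0 mainline-max=28633
rm -rf "$demo"

# Now the live host: policy as configured, and whether creation actually works.
echo "this host: $(userns_policy /) / probe: $(userns_probe)"
```

On a mainline kernel the first line shows only `mainline-max=...`, which is why writing `kernel.unprivileged_userns_clone` there fails as seen in the session above.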




