Missing examples / tests for --userns2 option #542
Reason:
You need to pass a different userns to --userns2 that is a child of --userns because:
Can you please give an example? I also found most of that information, but it is not clear how I find or pass the child to the first namespace, since they are either effectively the same pid or the nested namespace belongs to pid 1. Would it be like /proc/80157/root/proc/80157/ns/user?
I don't have a (full, working) example. But I'm questioning whether you understood user namespaces and nesting of them.
edit: This was the reason for two user namespaces: Lines 3008 to 3011 in bb7ac13
I think I mostly understand it, but correct me if I don't make sense.
bwrap --unshare-user --dev-bind / / --tmpfs /tmp /bin/bash
For example lsns on the host says this
And inside the example shell
I'm sorry, it is correct that the namespace doesn't belong to a process; is it correct to say that the process has attached namespaces?
Finally I have an ugly, working PoC.

Run in the first terminal:

    unshare --map-root-user --fork sh -c "echo \$\$ >/tmp/pid1 && unshare -U --fork sh -c \"echo \\\$\\\$ >/tmp/pid2 && sleep 10m && true\" && true"

Run in the second terminal:

    bwrap --userns 3 3</proc/$(cat /tmp/pid1)/ns/user --userns2 4 4</proc/$(cat /tmp/pid2)/ns/user --dev-bind / / ls
The manpage describes it as
At this point an fd to the --userns userns is only reachable via ioctl, I guess?
Great PoC, I guess that answers how to use the option. But is it possible to use it with the example I made? As far as I can tell bubblewrap also creates a nested namespace from that; is it fundamentally different? Can I not get the intermediate pid from the host?
I don't know, can it not be reachable from procfs?
If you share the pidns there is no intermediate pid, because there is no need to fork twice.
I don't know a way, since we do not know a process in this userns (direct member).
Would it be possible with this example when I also unshare the pidns? bwrap --unshare-user --unshare-pid --dev-bind / / --proc /proc --tmpfs /run --tmpfs /tmp /bin/bash
About this part:
I think that this is what the example/test should show how to do: how to enter it when using bubblewrap and not the unshare program. You also said that there is no intermediate pid when you share the pidns, as it doesn't fork twice. I'm not fully following this; does it mean that my first example does not create a nested user namespace at all? Or just one that I can't see in any way? Does it mean my latest example from the post above is creating it but that I still can't access it? When and how is it possible to use userns2 with bubblewrap as initiator, as the commit message suggests?
Trying to get a grasp on the nested namespaces and how to enter those with --userns2
There are no examples or tests I can find
For example when I run
I believe this creates a nested user namespace, I can see a complete namespace set (time,cgroup,uts,ipc,net,user,mnt,pid) using lsns
while if I do lsns on the host there are only 2 namespaces for the process (user,mnt)
How can I make this work?
I tried with
but results in this error
What should I feed into the file descriptor here?
I'm also wondering about this text in the bwrap manual about the option
Can anyone fully explain how this works, when bubblewrap creates nested namespaces and when it doesn't?
What are the kernel issues that are worked around? any upstream mailing list conversations about it?
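The PoC comment above passes two namespace fds by number and then asks whether the --userns namespace is "only reachable via ioctl", and the issue body asks what to feed into the --userns2 file descriptor. The following is an added illustration (not code from the thread or from bubblewrap) of the check a caller can do before invoking bwrap: open both nsfs paths, walk the user-namespace tree with the NS_GET_PARENT ioctl from ioctl_ns(2), confirm the --userns2 namespace really is a descendant of the --userns one, and only then inherit both fds into bwrap. The function and variable names, the /proc paths in the usage call and the hypothetical `run_in_nested_userns` wrapper are this example's own assumptions; the ioctl numbers are the kernel's. Linux only.

```python
#!/usr/bin/env python3
"""Verify that one user namespace is a descendant of another, then hand both
to `bwrap --userns N --userns2 M`.  Added example for this thread; not part
of bubblewrap.  Requires Linux >= 4.9 for the nsfs ioctls.
"""
import errno
import fcntl
import os
import subprocess

# From <linux/nsfs.h>: _IO(0xb7, 1) and _IO(0xb7, 2); _IO(type, nr) == (type << 8) | nr.
NS_GET_USERNS = 0xB701   # fd of the user namespace that owns the given namespace
NS_GET_PARENT = 0xB702   # fd of the parent of a user (or pid) namespace


def nsfs_available():
    """True when this process can see its own user namespace in procfs."""
    return os.path.exists("/proc/self/ns/user")


def self_userns_fd():
    """Open an fd to the caller's own user namespace."""
    return os.open("/proc/self/ns/user", os.O_RDONLY)


def ns_id(fd):
    """Identity of a namespace is the (st_dev, st_ino) of its nsfs inode;
    two fds name the same namespace iff these match (see namespaces(7))."""
    st = os.fstat(fd)
    return (st.st_dev, st.st_ino)


def same_namespace(fd_a, fd_b):
    return ns_id(fd_a) == ns_id(fd_b)


def ns_parent(fd):
    """Return a new fd to the parent user namespace, or None when the kernel
    refuses: the initial userns has no parent, and a parent outside the
    caller's own namespace scope is reported as EPERM as well."""
    try:
        return fcntl.ioctl(fd, NS_GET_PARENT)   # ioctl return value is the new fd
    except OSError as e:
        if e.errno == errno.EPERM:
            return None
        raise


def is_descendant(child_fd, ancestor_fd, max_depth=32):
    """True if ancestor_fd is a strict ancestor of child_fd in the user
    namespace tree.  Walks NS_GET_PARENT upwards; 32 is the kernel's own
    nesting limit, so the loop always terminates."""
    cur = os.dup(child_fd)
    try:
        for _ in range(max_depth):
            parent = ns_parent(cur)
            if parent is None:
                return False
            os.close(cur)
            cur = parent
            if same_namespace(cur, ancestor_fd):
                return True
        return False
    finally:
        os.close(cur)


def bwrap_userns_argv(parent_fd, child_fd, *bwrap_args):
    """bwrap reads --userns/--userns2 as inherited fd numbers, so the argv
    carries the numbers and the caller must keep those fds open across exec."""
    return ["bwrap", "--userns", str(parent_fd), "--userns2", str(child_fd), *bwrap_args]


def run_in_nested_userns(parent_ns_path, child_ns_path, bwrap_args):
    """Hypothetical wrapper: refuse to launch unless child is nested in parent,
    then pass both fds through to bwrap (pass_fds clears O_CLOEXEC for them)."""
    pf = os.open(parent_ns_path, os.O_RDONLY)
    cf = os.open(child_ns_path, os.O_RDONLY)
    try:
        if not is_descendant(cf, pf):
            raise ValueError(f"{child_ns_path} is not nested inside {parent_ns_path}")
        return subprocess.call(bwrap_userns_argv(pf, cf, *bwrap_args), pass_fds=(pf, cf))
    finally:
        os.close(pf)
        os.close(cf)


if __name__ == "__main__":
    # Assumed layout from the PoC: /tmp/pid1 and /tmp/pid2 hold the pids of the
    # outer and inner `unshare` shells.  Only run this once those exist.
    with open("/tmp/pid1") as f1, open("/tmp/pid2") as f2:
        outer, inner = f1.read().strip(), f2.read().strip()
    raise SystemExit(run_in_nested_userns(
        f"/proc/{outer}/ns/user", f"/proc/{inner}/ns/user",
        ["--dev-bind", "/", "/", "ls"]))
```

The descendant check is what makes the two fds usable together: bwrap itself has no way to know whether the fd given to --userns2 was created inside the --userns namespace, and a mismatch only shows up as a failure at setns time. Comparing (st_dev, st_ino) rather than fd numbers is the documented way to decide namespace identity, and walking NS_GET_PARENT is the only interface that exposes the nesting relationship, which is why no /proc path alone can tell the two apart.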