
userns + netns = operation not permitted #771

Closed
papey opened this issue Apr 22, 2016 · 2 comments
papey commented Apr 22, 2016

Adding netns support to containers fails due to userns.

Basic userns container

Host side

Using a userns user

id
uid=1003(userns) gid=1003(userns) groups=1003(userns)

According to this issue #252, all files listed below are owned by userns:userns

tree -L 2 test/
test/
├── data
│   └── hello
└── userns
    ├── config.json
    └── rootfs

Config file

{
        "ociVersion": "0.5.0",
        "platform": {
                "os": "linux",
                "arch": "amd64"
        },
        "process": {
                "terminal": true,
                "user": {},
                "args": [
                        "sh"
                ],
                "env": [
                        "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
                        "TERM=xterm"
                ],
                "cwd": "/",
                "capabilities": [
                        "CAP_AUDIT_WRITE",
                        "CAP_KILL",
                        "CAP_NET_BIND_SERVICE"
                ],
                "rlimits": [
                        {
                                "type": "RLIMIT_NOFILE",
                                "hard": 1024,
                                "soft": 1024
                        }
                ],
                "noNewPrivileges": true
        },
        "root": {
                "path": "rootfs",
                "readonly": true
        },
        "hostname": "runc",
        "mounts": [
                {
                        "destination": "/data",
                        "type": "bind",
                        "source": "/tmp/test/data",
                        "options": ["rbind","rw"]
                },
                {
                        "destination": "/proc",
                        "type": "proc",
                        "source": "proc"
                },
                {
                        "destination": "/dev",
                        "type": "tmpfs",
                        "source": "tmpfs",
                        "options": [
                                "nosuid",
                                "strictatime",
                                "mode=755",
                                "size=65536k"
                        ]
                },
                {
                        "destination": "/dev/pts",
                        "type": "devpts",
                        "source": "devpts",
                        "options": [
                                "nosuid",
                                "noexec",
                                "newinstance",
                                "ptmxmode=0666",
                                "mode=0620",
                                "gid=5"
                        ]
                },
                {
                        "destination": "/dev/shm",
                        "type": "tmpfs",
                        "source": "shm",
                        "options": [
                                "nosuid",
                                "noexec",
                                "nodev",
                                "mode=1777",
                                "size=65536k"
                        ]
                },
                {
                        "destination": "/dev/mqueue",
                        "type": "mqueue",
                        "source": "mqueue",
                        "options": [
                                "nosuid",
                                "noexec",
                                "nodev"
                        ]
                },
                {
                        "destination": "/sys",
                        "type": "sysfs",
                        "source": "sysfs",
                        "options": [
                                "nosuid",
                                "noexec",
                                "nodev",
                                "ro"
                        ]
                },
                {
                        "destination": "/sys/fs/cgroup",
                        "type": "cgroup",
                        "source": "cgroup",
                        "options": [
                                "nosuid",
                                "noexec",
                                "nodev",
                                "relatime",
                                "ro"
                        ]
                }
        ],
        "hooks": {},
        "linux": {
                "uidMappings": [
                        {
                                "hostID": 1003,
                                "containerID": 0,
                                "size": 10
                        }
                ],
                "gidMappings": [
                        {
                                "hostID": 1003,
                                "containerID": 0,
                                "size": 10
                        }
                ],
                "resources": {
                        "devices": [
                                {
                                        "allow": false,
                                        "access": "rwm"
                                }
                        ]
                },
                "namespaces": [
                        {
                                "type": "pid"
                        },
                        {
                                "type": "network"
                        },
                        {
                                "type": "user"
                        },
                        {
                                "type": "ipc"
                        },
                        {
                                "type": "uts"
                        },
                        {
                                "type": "mount"
                        }
                ],
                "maskedPaths": [
                        "/proc/kcore",
                        "/proc/latency_stats",
                        "/proc/timer_stats",
                        "/proc/sched_debug"
                ],
                "readonlyPaths": [
                        "/proc/asound",
                        "/proc/bus",
                        "/proc/fs",
                        "/proc/irq",
                        "/proc/sys",
                        "/proc/sysrq-trigger"
                ]
        }
}

Container side

LGTM, no running errors, I can read/write in the bind mounted data folder.

Adding netns support to this container

Host side

Create a simple network namespace using ip: ip netns add userns. This command spawns a network namespace handler in /var/run/netns/userns (#37 for netns information)

Tell runc to use this handler

                        {
                                "type": "network",
                                "path": "/var/run/netns/userns"
                        },

runc start command now fails with this error

runc start test
operation not permitted

wking commented Apr 22, 2016

On Fri, Apr 22, 2016 at 02:34:01AM -0700, Wilfried OLLIVIER wrote:

Create a simple network namespace using ip: ip netns add userns. This command spawns a network namespace handler in
/var/run/netns/userns

Tell runc to use this handler

                        {
                                "type": "network",
                                "path": "/var/run/netns/userns"
                        },

runc start command now fails with this error

runc start test
operation not permitted

The network namespace you created belongs to the host user namespace,
so your unprivileged user can't join it. What you want to do is have
the unprivileged user create both the user namespace and the network
namespace (either in the same clone(2) call, or from within the user
namespace). For a not-quite-OCI example of unprivileged network
namespaces, see 1. And for one way to connect that to the host
network namespace using a privileged host user, see 2.
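The failure wking describes, reproduced with raw syscalls as an added example (this is not code from the issue or from runc), assuming Linux with unprivileged user namespaces enabled: the child keeps a handle on its host-owned netns, creates a user namespace and a network namespace in one unshare(2) call, maps its uid the way the config's uidMappings does, and then tries to join the host-owned netns, which the kernel refuses with EPERM because setns(2) requires CAP_SYS_ADMIN in the user namespace that owns the target. The DEMO_* codes and run_demo() are names chosen here.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

enum { DEMO_JOIN_DENIED = 0,          /* setns into host netns refused with EPERM: expected */
       DEMO_JOIN_SUCCEEDED = 1,       /* kernel let us in: not expected */
       DEMO_UNSHARE_UNAVAILABLE = 2,  /* user namespaces blocked in this environment */
       DEMO_SETUP_FAILED = 3 };

static int child_body(void) {
    uid_t host_uid = geteuid();
    /* Handle on the netns we start in. It is owned by the initial (host) user
     * namespace, exactly like /var/run/netns/userns made by `ip netns add`. */
    int host_net = open("/proc/self/ns/net", O_RDONLY | O_CLOEXEC);
    if (host_net < 0) return DEMO_SETUP_FAILED;
    /* wking's advice: create the user and network namespaces together, so the
     * new netns is owned by the new userns, where we do hold CAP_SYS_ADMIN. */
    if (unshare(CLONE_NEWUSER | CLONE_NEWNET) != 0) return DEMO_UNSHARE_UNAVAILABLE;
    /* Map our host uid to 0 inside: the single-entry form of the config's
     * uidMappings (hostID 1003 -> containerID 0). */
    char map[64];
    int n = snprintf(map, sizeof map, "0 %u 1\n", (unsigned)host_uid);
    int fd = open("/proc/self/uid_map", O_WRONLY | O_CLOEXEC);
    if (fd < 0 || write(fd, map, (size_t)n) != n) return DEMO_SETUP_FAILED;
    close(fd);
    /* What the issue's config asked runc to do: join the host-owned netns. setns(2)
     * needs CAP_SYS_ADMIN in the userns that owns the target, which we no longer have. */
    if (setns(host_net, CLONE_NEWNET) == 0) return DEMO_JOIN_SUCCEEDED;
    return errno == EPERM ? DEMO_JOIN_DENIED : DEMO_SETUP_FAILED;
}

/* Run the demo in a forked child so the caller's own namespaces stay untouched. */
int run_demo(void) {
    int status; pid_t pid = fork();
    if (pid < 0) return DEMO_SETUP_FAILED;
    if (pid == 0) _exit(child_body());
    if (waitpid(pid, &status, 0) != pid) return DEMO_SETUP_FAILED;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGSYS) return DEMO_UNSHARE_UNAVAILABLE; /* seccomp kill */
    return WIFEXITED(status) ? WEXITSTATUS(status) : DEMO_SETUP_FAILED;
}

int main(void) {
    printf("run_demo() = %d  (0: EPERM as in the issue, 2: user namespaces unavailable here)\n", run_demo());
    return 0;
}
```

On a host that blocks unprivileged user namespaces (sysctl, AppArmor or a seccomp policy) the result is 2 instead of 0; the uid_map write is the same single-line mapping runc performs for the container's own uid.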

papey commented Apr 27, 2016

Thx, it works if I use the netns created by the container.
