
syscall: Unshareflags CLONE_NEWUSER (unprivileged user namespaces) does not work with uid/gid mappings (Linux) #29789

Open
stapelberg opened this Issue Jan 17, 2019 · 4 comments

3 participants
@stapelberg
Contributor

stapelberg commented Jan 17, 2019

What version of Go are you using (go version)?

$ go version
go version devel +006a5e7d00 Thu Jan 17 01:28:22 2019 +0000 linux/amd64

Does this issue reproduce with the latest release?

Yes.

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GOARCH="amd64"
GOBIN=""
GOCACHE="/usr/local/google/home/stapelberg/.cache/go-build"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/usr/local/google/home/stapelberg/go"
GOPROXY=""
GORACE=""
GOROOT="/usr/local/google/home/stapelberg/upstream-go"
GOTMPDIR=""
GOTOOLDIR="/usr/local/google/home/stapelberg/upstream-go/pkg/tool/linux_amd64"
GCCGO="/usr/bin/gccgo"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build406535096=/tmp/go-build -gno-record-gcc-switches"

What did you do?

https://play.golang.org/p/CiH9UtCuYzQ demonstrates what I’m trying to do in two ways: once with unshare(1), which is working, and once purely in Go, where the process hangs (!):

	cmd.SysProcAttr = &syscall.SysProcAttr{
		Unshareflags:               unix.CLONE_NEWNS | unix.CLONE_NEWUSER,
		GidMappingsEnableSetgroups: false,
		UidMappings: []syscall.SysProcIDMap{
			{
				ContainerID: 0,
				HostID:      syscall.Getuid(),
				Size:        1,
			},
		},
		GidMappings: []syscall.SysProcIDMap{
			{
				ContainerID: 0,
				HostID:      syscall.Getgid(),
				Size:        1,
			},
		},
	}

(Relevant code snippet pasted for discoverability of this issue.)

Even after fixing the hang, the uid/gid mapping fails with EPERM, because Go tries to apply them from the parent process, but they need to be applied in the child, after unshare(2).

I’ve sent https://go-review.googlesource.com/c/go/+/158297/1 and https://go-review.googlesource.com/c/go/+/158298 to fix this.
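The issue text describes the two halves of the problem: the kernel takes uid/gid mappings as lines of "inside-id outside-id length" written to /proc/[pid]/uid_map and gid_map, and with Unshareflags those writes have to happen in the child after unshare(2). The program below is an added example, not the playground program from the report and not code from the Go project. It renders and parses the kernel's map format, flags a restricted mapping (the only thing a process can see from inside its own namespace), and, as an assumption for the runnable part, creates the child directly in a new user namespace with Cloneflags rather than Unshareflags, which is the path that worked at the time of the report. The uid 1000 in the comments is a constructed sample value; the child command (cat) and the hypothetical helper names are mine.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"strconv"
	"strings"
	"syscall"
)

// FormatIDMap renders mappings in the "inside outside length" line format
// that the kernel accepts when written to /proc/[pid]/uid_map or gid_map.
// Example (constructed): {0, 1000, 1} -> "0 1000 1\n".
func FormatIDMap(maps []syscall.SysProcIDMap) string {
	var b strings.Builder
	for _, m := range maps {
		fmt.Fprintf(&b, "%d %d %d\n", m.ContainerID, m.HostID, m.Size)
	}
	return b.String()
}

// ParseIDMap parses /proc/[pid]/uid_map or gid_map as the kernel prints it:
// three whitespace-separated unsigned integers per line, blank lines ignored.
func ParseIDMap(s string) ([]syscall.SysProcIDMap, error) {
	var maps []syscall.SysProcIDMap
	for _, line := range strings.Split(s, "\n") {
		fields := strings.Fields(line)
		if len(fields) == 0 {
			continue
		}
		if len(fields) != 3 {
			return nil, fmt.Errorf("malformed id map line %q", line)
		}
		var n [3]int
		for i, f := range fields {
			v, err := strconv.ParseUint(f, 10, 32)
			if err != nil {
				return nil, fmt.Errorf("bad field %q in id map line %q: %v", f, line, err)
			}
			n[i] = int(v)
		}
		maps = append(maps, syscall.SysProcIDMap{ContainerID: n[0], HostID: n[1], Size: n[2]})
	}
	return maps, nil
}

// IsFullIdentityMap reports whether the map is the single full-range line
// "0 0 4294967295" seen from the initial user namespace. Anything else means
// the process reading its own map sits in a user namespace with a restricted
// mapping, which is what the mappings in this issue set up.
func IsFullIdentityMap(maps []syscall.SysProcIDMap) bool {
	return len(maps) == 1 && maps[0].ContainerID == 0 && maps[0].HostID == 0 &&
		uint32(maps[0].Size) == ^uint32(0)
}

// RunInUserNS runs name with args as a child created inside a new user
// namespace (Cloneflags, not Unshareflags) with the caller's uid/gid mapped
// to 0 inside it. On this path Go's parent process writes the maps after
// clone, so no write from inside the child is needed.
func RunInUserNS(uid, gid int, name string, args ...string) ([]byte, error) {
	cmd := exec.Command(name, args...)
	cmd.SysProcAttr = &syscall.SysProcAttr{
		Cloneflags: syscall.CLONE_NEWUSER,
		// "deny" must be written to /proc/[pid]/setgroups before an
		// unprivileged gid_map write is accepted; false makes Go do that.
		GidMappingsEnableSetgroups: false,
		UidMappings: []syscall.SysProcIDMap{{ContainerID: 0, HostID: uid, Size: 1}},
		GidMappings: []syscall.SysProcIDMap{{ContainerID: 0, HostID: gid, Size: 1}},
	}
	return cmd.CombinedOutput()
}

func main() {
	out, err := RunInUserNS(os.Getuid(), os.Getgid(), "cat", "/proc/self/uid_map")
	if err != nil {
		fmt.Fprintf(os.Stderr, "child failed (unprivileged user namespaces disabled?): %v\n%s", err, out)
		os.Exit(1)
	}
	maps, err := ParseIDMap(string(out))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("child uid_map:\n%s", out)
	fmt.Printf("restricted mapping in child: %v\n", !IsFullIdentityMap(maps))
}
```

Run on Linux as an unprivileged user with user namespaces enabled; the child should print a single line mapping 0 to your uid with length 1, and the parent reports a restricted mapping. The parse and identity check are also what a defender can apply to /proc/[pid]/uid_map of any process to tell whether it lives in a user namespace.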

@bradfitz

Member

bradfitz commented Jan 17, 2019

Does this issue reproduce with the latest release?
Yes.

Do you mean Go 1.11 or Go 1.12beta2?

If this isn't a regression from Go 1.11, then this is Go 1.13 material.

@gopherbot


gopherbot commented Jan 17, 2019

Change https://golang.org/cl/158297 mentions this issue: Fix hang when using Unshareflags: CLONE_NEWUSER with uid/gid mapping

@bradfitz bradfitz added this to the Go1.13 milestone Jan 17, 2019

@gopherbot


gopherbot commented Jan 17, 2019

Change https://golang.org/cl/158298 mentions this issue: Correctly set up uid/gid mappings in user namespaces

@bradfitz bradfitz changed the title os/exec: Unshareflags CLONE_NEWUSER (unprivileged user namespaces) does not work with uid/gid mappings syscall: Unshareflags CLONE_NEWUSER (unprivileged user namespaces) does not work with uid/gid mappings (Linux) Jan 17, 2019

@stapelberg

Contributor Author

stapelberg commented Jan 17, 2019

Do you mean Go 1.11 or Go 1.12beta2?

If this isn't a regression from Go 1.11, then this is Go 1.13 material.

This issue is reproducible with Go 1.11.4, Go 1.12beta2 and tip.
