Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cannot run container in existing user namespace #101

Closed
vishvananda opened this issue Jul 8, 2015 · 5 comments
Closed

Cannot run container in existing user namespace #101

vishvananda opened this issue Jul 8, 2015 · 5 comments
Milestone
post-1.0

Comments

@vishvananda
Copy link

Attempting to run a container in an existing user namespace simply ignores the path value and creates a new user namespace:

{
    "version": "pre-draft",
    "platform": {
        "os": "linux",
        "arch": "amd64"
    },
    "process": {
        "terminal": true,
        "args": [
            "/bin/bash"
        ]
    },
    "linux": {
        "uidMappings": [
            {
                "from": 0,
                "to": 1000,
                "count": 1
            }
        ],
        "gidMappings": [
            {
                "from": 0,
                "to": 1000,
                "count": 1
            }
        ],
        "namespaces": [
            {
                "type": "user",
                "path": "/proc/8660/ns/user"
            }
        ]
    }
}
$ sudo ls -lah /proc/$$/ns/user
lrwxrwxrwx 1 vishvananda vishvananda 0 Jul  7 06:06 /proc/38377/ns/user -> user:[4026531837]
$ sudo ls -lah /proc/8660/ns/user
lrwxrwxrwx 1 root root 0 Jul  8 00:05 /proc/8660/ns/user -> user:[4026532754]
$ sudo ls -lah /proc/14833/ns/user
lrwxrwxrwx 1 vishvananda vishvananda 0 Jul  8 01:14 /proc/14833/ns/user -> user:[4026532751]

It looks like the code will need some modification because you can't join an existing user namespace once you are in multithreaded code.
@vishvananda
Copy link
Author

It looks like docker-archive/libcontainer#609 will handle this, but in needs to be ported over

@mrunalp
Copy link
Contributor

mrunalp commented Jul 8, 2015

@dqminh did mention that he is going to port it soon.

@vishvananda
Copy link
Author

My goal here is really for shared network namespaces between containers that use user namespaces. @LK4D4 mentioned that it is possible to join the network namespace before unsharing the user namespace which would also be an acceptable solution for my use case.

@dqminh dqminh mentioned this issue Jul 9, 2015
Closed
@ashahab-altiscale ashahab-altiscale mentioned this issue Jan 12, 2016
Open
@crosbymichael crosbymichael modified the milestone: 0.1.0 Feb 18, 2016
@cyphar cyphar modified the milestones: 0.1.0, 0.2.0 May 9, 2016
@crosbymichael crosbymichael modified the milestones: 1.1.0, 1.0.0 Jun 1, 2016
@estesp
Copy link
Contributor

estesp commented Aug 16, 2016

This works properly now (as of awhile ago after the rewrite of nsexec.c and the join code); should this issue be closed?

@hqhq
Copy link
Contributor

hqhq commented Aug 27, 2016

@estesp Thanks for confirming, closing.

@hqhq hqhq closed this as completed Aug 27, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
post-1.0
Development

No branches or pull requests
6 participants
@mrunalp @vishvananda @crosbymichael @estesp @cyphar @hqhq