
User namespaces cause permission error with go1.5 #125

Closed
vishvananda opened this issue Jul 14, 2015 · 4 comments

Comments

@vishvananda

When using a config with user namespaces with go1.5, run gets a permission issue trying to call setgroups(0, []). The reason is in go1.5 setting the uid_map causes the setgroups to be set to deny.

An obvious fix is to not setgroups if there are no additional groups specified:

diff --git a/libcontainer/init_linux.go b/libcontainer/init_linux.go
index 3e78d4b..30cd42a 100644
--- a/libcontainer/init_linux.go
+++ b/libcontainer/init_linux.go
@@ -168,8 +168,10 @@ func setupUser(config *initConfig) error {
        }

        suppGroups := append(execUser.Sgids, addGroups...)
-       if err := syscall.Setgroups(suppGroups); err != nil {
-               return err
+       if len(suppGroups) != 0 {
+               if err := syscall.Setgroups(suppGroups); err != nil {
+                       return err
+               }
        }
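Review bot: the new `if len(suppGroups) != 0` guard silently leaves the child's inherited supplementary groups in place whenever the list is empty, where the old code always cleared them with `syscall.Setgroups(suppGroups)`; since the whole point is to avoid the setgroups(2) call that the kernel denies after go1.5 writes the gid_map, add a comment on the guard stating that the empty case is intentionally skipped because the call is denied in a user namespace and the groups are expected to be cleared by the mapping, so a later reader does not "fix" it back into an unconditional call.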

But this doesn't help the case where we actually want to set groups. We could also set the SysProcAttr.GidMappingsEnableSetgroups = true when we create the process, but this flag only exists in 1.5 so we need some build flags to only set it in go1.5. Also we may only want it to be true if AdditionalGids are set in the json.

@vishvananda
Author

There is also a setgroups(0, []) in the golang source when execing if SysProcAttr.Credentials is set, even if Credentials is empty. This may be a bug in golang. It shouldn't be calling setgroups if the flag is not set.

@crosbymichael
Member

@LK4D4 did you submit a go patch for this issue?

@LK4D4
Contributor

LK4D4 commented Sep 14, 2015

@crosbymichael Yup, and it was accepted. Will be in go1.6.

@crosbymichael
Member

Awesome. Thanks!

I think we can close this issue and it will be resolved properly in Go 1.6.

stefanberger pushed a commit to stefanberger/runc that referenced this issue Sep 8, 2017