No such file or directory - unprivileged_userns_clone #780
Comments
Also noticed the following vulnerability can be mitigated by disabling unprivileged user namespaces.
Am assuming the Sysbox error encountered above relates to attempting to disable unprivileged user namespaces with
Found the following reference in the Sysbox user guide. Along with the following fix.
This appears to allow the vulnerability identified above (as opposed to preventing it). Attempting to execute the fix produces the following error.
Performing the following command shows that the
Thanks for reporting the issue.

Context

Normally, Sysbox does not require the

Having said that, inside a Sysbox container, all processes are unprivileged at host level since they run inside a user-namespace. If a process inside the Sysbox container wished to create a user-namespace (e.g., running Docker with userns-remap enabled), then that would fail unless

This is why the Sysbox K8s installer tries to set

Though we could relax this so that Sysbox does not require it, in general having

The issue you reported
This is interesting; normally Ubuntu/Debian distros have the

For the failing cases, what do you see under
Hi @ctalledo,

Thanks, here are the contents of

The 6.6.17 failing case removes the following from

The

And it removes.

The
Thanks @matthewparkinsondes for the detailed response. Let me double check on my side and if confirmed, looks like we will need to change the Sysbox check for

Also, in the newer kernels, do you see

Thanks!
Thanks @ctalledo.

Yes ... this is present in all of the newer kernels ... 6.6.21, 6.7.9 and 6.8-rc7
Ah, that likely means that starting with those newer kernels, Ubuntu distros are behaving as Fedora-based distros do, which use
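The check the thread converges on, written out as an added example (not Sysbox's installer code): decide whether unprivileged user namespaces are enabled without assuming the Debian-specific `kernel.unprivileged_userns_clone` sysctl exists, falling back to the upstream `user.max_user_namespaces` sysctl that all kernels expose, and reporting "unknown" rather than failing when neither file is present. The `PROC_ROOT` argument and the `make_fake_proc` helper are assumptions added so the logic can be exercised against a constructed /proc tree.

```shell
#!/bin/sh
# Added example, not part of Sysbox. Exit codes: 0 = enabled, 1 = disabled,
# 2 = undetermined (neither sysctl file exists under the given root).
#
# Debian/Ubuntu kernels with the distro patch expose
#   /proc/sys/kernel/unprivileged_userns_clone   (0 = disabled, 1 = enabled)
# Every kernel (upstream, Fedora, and the newer Ubuntu ones in this thread) exposes
#   /proc/sys/user/max_user_namespaces           (0 = effectively disabled)

userns_status() {
    root="${1:-/proc}"                      # assumption: overridable for testing
    debian="$root/sys/kernel/unprivileged_userns_clone"
    upstream="$root/sys/user/max_user_namespaces"

    # Distro-specific knob wins when present and set to 0.
    if [ -r "$debian" ] && [ "$(cat "$debian")" = "0" ]; then
        echo "disabled (kernel.unprivileged_userns_clone=0)"
        return 1
    fi
    # Upstream knob: a limit of 0 means no user namespaces can be created.
    if [ -r "$upstream" ]; then
        max="$(cat "$upstream")"
        if [ "$max" -eq 0 ] 2>/dev/null; then
            echo "disabled (user.max_user_namespaces=0)"
            return 1
        fi
        echo "enabled (user.max_user_namespaces=$max)"
        return 0
    fi
    # This is the case the installer hit: do not 'sysctl -w' a file that is absent.
    echo "unknown: neither sysctl present under $root"
    return 2
}

# Constructed fake /proc tree for offline testing: pass "" to omit a file.
make_fake_proc() {
    dir="$1"; clone="$2"; max="$3"
    mkdir -p "$dir/sys/kernel" "$dir/sys/user"
    if [ -n "$clone" ]; then printf '%s\n' "$clone" > "$dir/sys/kernel/unprivileged_userns_clone"; fi
    if [ -n "$max" ]; then printf '%s\n' "$max" > "$dir/sys/user/max_user_namespaces"; fi
    return 0
}
```

Source the file and call `userns_status` to inspect the live host, or `userns_status "$dir"` after `make_fake_proc "$dir" ...` to exercise a specific kernel layout.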
Hello! I am running into the same issue with kernel version 6.8. Is there a workaround?
Fixes nestybox#780 No such file or directory - unprivileged_userns_clone Signed-off-by: Zuhair AlSader <zuhair@devzero.io>
Am seeing the following error when attempting to install Sysbox on an RKE2 worker node.
sysctl: cannot stat /proc/sys/kernel/unprivileged_userns_clone: No such file or directory
Using the latest version of all system components, including the latest "longterm" version of the Linux kernel as per https://kernel.org.
os=Ubuntu 22.04.4 LTS, kernel=6.6.17-060617-generic, sysbox=0.6.3 CE, rke2=v1.28.6+rke2r1, rancher=v2.8.2
Here is a summary of results when using various kernel versions.
Here are the Sysbox logs.