Skip to content

Fix detach-netns permission error on Ubuntu 25.04 #495

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 2 commits into from
Closed

Fix detach-netns permission error on Ubuntu 25.04 #495

wants to merge 2 commits into from

Conversation

AkihiroSuda
Copy link
Member

@AkihiroSuda AkihiroSuda commented Mar 9, 2025
edited
Loading

On Ubuntu 25.04, unshare is subject to /etc/apparmor.d/unshare-userns-restrict that disables mounting.

$ rootlesskit --detach-netns bash
[rootlesskit:child ] error: failed to create a detached netns on "/tmp/rootlesskit2294453251/netns":
failed to execute [unshare -n mount --bind /proc/self/ns/net /tmp/rootlesskit2294453251/netns]:
exit status 32 (out="mount: /tmp/rootlesskit2294453251/netns: permission denied.\n       dmesg(1) may have more information after failed mount system call.\n")

Fix #494

@AkihiroSuda AkihiroSuda added this to the v2.3.3 (tentative) milestone Mar 9, 2025
@AkihiroSuda AkihiroSuda marked this pull request as draft March 9, 2025 20:25
@AkihiroSuda
Add --userns=false
b3feacc 
This flag will be internally used to replace `exec("unshare -n")` in the follow-up commit.

This flag should never be used manually.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
@AkihiroSuda
Fix detach-netns permission error on Ubuntu 25.04
765444c 
On Ubuntu 25.04, `unshare` is subject to `/etc/apparmor.d/unshare-userns-restrict`
that disables mounting.

```
$ rootlesskit --detach-netns bash
[rootlesskit:child ] error: failed to create a detached netns on "/tmp/rootlesskit2294453251/netns":
failed to execute [unshare -n mount --bind /proc/self/ns/net /tmp/rootlesskit2294453251/netns]:
exit status 32 (out="mount: /tmp/rootlesskit2294453251/netns: permission denied.\n       dmesg(1) may have more information after failed mount system call.\n")
```

Fix issue 494

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
AkihiroSuda
AkihiroSuda commented Mar 9, 2025
View reviewed changes
pkg/child/child.go
if err != nil {
return err
}
cmd := exec.Command(selfExe, "--userns=false", "--net=none", "--", "mount", "--bind", "/proc/self/ns/net", p)
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This seems to hang, possibly the nested rootlesskit is confused for file descriptors, env vars, etc.

@AkihiroSuda AkihiroSuda removed this from the v2.4.0 (tentative) milestone Mar 9, 2025
@AkihiroSuda AkihiroSuda mentioned this pull request Mar 9, 2025
Merged
@AkihiroSuda
Copy link
Member Author

Alternative:

@AkihiroSuda AkihiroSuda closed this Mar 9, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
1 participant
@AkihiroSuda