Comments (3)
That particular example is a configuration error -- if you join an existing namespace (such as IPC) and then make a new user namespace you won't have any capabilities over the IPC namespace and so stuff like that will fail and will require changing the configuration.
from runc.
But if I join container test's user ns path instead of creating a new user ns, it will work.
    "namespaces": [
        {
            "type": "ipc",
            "path": "/proc/14821/ns/ipc"
        },
        {
            "type": "user",
            "path": "/proc/14821/ns/user"
        }
    ],
The container test's user mapping has the same value as this one:
    "uidMappings": [{
        "containerID": 0,
        "hostID": 1000,
        "size": 2000
    }],
    "gidMappings": [{
        "containerID": 0,
        "hostID": 1000,
        "size": 2000
    }],
from runc.
@lifubang That's just how user namespaces work. Every other namespace instance is owned by a user namespace, and capability permissions are based on the owning user namespace (not the kuid -- there are checks related to the kuid but basic capability checks are not). You can re-create this behaviour using unshare and nsenter:
% unshare -Uri sleep infinity
% nsenter -t $pid -i -- unshare -Urm -- mount -t mqueue mqueue /tmp # fails
% unshare -Urm -- nsenter -t $pid -i # fails due to permission issues
from runc.
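As an added example written for this thread (not runc's own code), a small Go check for the configuration mistake discussed above: it parses the `linux.namespaces` section of a config.json and reports every namespace joined by `path` while the user namespace is being created fresh, since such a namespace stays owned by its original user namespace and the new one has no capabilities over it. The struct and function names are my own; the sample config is constructed from the snippet in the thread.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal subset of the OCI runtime spec's linux.namespaces entries.
type nsEntry struct {
	Type string `json:"type"`
	Path string `json:"path,omitempty"`
}

type ociSpec struct {
	Linux struct {
		Namespaces []nsEntry `json:"namespaces"`
	} `json:"linux"`
}

// CheckUsernsOwnership returns the types of all namespaces that are joined
// by path while a new user namespace is created (user entry without a path).
// Those namespaces remain owned by the user namespace they were created in,
// so capability checks inside them (e.g. mounting mqueue in a joined ipc ns)
// will be denied. An empty result means the configuration is consistent.
func CheckUsernsOwnership(cfgJSON []byte) ([]string, error) {
	var s ociSpec
	if err := json.Unmarshal(cfgJSON, &s); err != nil {
		return nil, err
	}
	newUserns := false
	var joined []string
	for _, ns := range s.Linux.Namespaces {
		switch {
		case ns.Type == "user" && ns.Path == "":
			newUserns = true
		case ns.Type != "user" && ns.Path != "":
			joined = append(joined, ns.Type)
		}
	}
	if !newUserns {
		return nil, nil // joining an existing user ns (or none): no mismatch
	}
	return joined, nil
}

func main() {
	// Constructed sample: joins container test's ipc ns but creates a new user ns.
	cfg := `{"linux":{"namespaces":[{"type":"ipc","path":"/proc/14821/ns/ipc"},{"type":"user"}]}}`
	joined, err := CheckUsernsOwnership([]byte(cfg))
	fmt.Println(joined, err) // [ipc] <nil>
}
```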