
My call to unshare(CLONE_NEWUSER) when called as a non-root user returns EPERM because of this (http://man7.org/linux/man-pages/man2/unshare.2.html):

EPERM (since Linux 3.9) CLONE_NEWUSER was specified in flags and the caller is in a chroot environment (i.e., the caller's root directory does not match the root directory of the mount namespace in which it resides).

I've used pivot_root(2) (at that time, running as root) rather than chroot(2) to get into this directory. I've verified that skipping the pivot_root(2) call makes unshare(CLONE_NEWUSER) succeed as a non-root user. But I want both: pivot_root(2) and unshare(CLONE_NEWUSER). I've tried adding unshare(CLONE_NEWNS) just after the pivot_root(2), but that didn't work; I'm still getting EPERM from unshare(CLONE_NEWNS). How can I make it succeed?

FYI I need this because I want to create a rootless container manually inside a chroot-like environment.

  • NEWUSER before pivot_root(), maybe? – sourcejedi Jan 05 '19 at 18:02
  • @sourcejedi: These are two different processes. The first process calls *pivot_root(2)* as root, then some other work is done, then another process running as non-root wants to call *unshare(CLONE_NEWUSER)*, and that one fails. How do I make that one succeed? Could you please clarify? – pts Jan 05 '19 at 20:29
  • Please note you should call `chroot("/");` (or `chroot(".");` if you're chdir'd to that directory) right after `pivot_root`. Are you doing that? Can you share a small reproducer that illustrates the issue you're running into? – filbranden Jan 05 '19 at 21:39
  • @pts I guess I didn't read the last sentence of your question, sorry. I believe we can work this out if we have a small reproducer to look at, as suggested. – sourcejedi Jan 05 '19 at 21:53
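A small reproducer for the sequence described in the question, added here as an example; it is not code from the question or from any of the commenters. It runs the question's steps as root (new mount namespace, bind-mount, pivot_root(2), optionally the `chroot(".")` that filbranden suggests, then drop to an unprivileged uid) and tries `unshare(CLONE_NEWUSER)` in a forked child, printing the resulting errno. Assumptions: the directory `/tmp/newroot` exists (any directory passed as the first argument overrides it), uid 65534 is an unprivileged account, and the kernel is 3.9 or later so that the chroot check from the quoted man page applies. Run it once with no second argument and once with `chroot` as the second argument to compare the two variants; without root it only probes `unshare(CLONE_NEWUSER)` from the current root.

```c
/* Reproducer (added example): new mount namespace, bind-mount new_root onto
 * itself, pivot_root(2) into it, optionally chroot("."), drop privileges,
 * then try unshare(CLONE_NEWUSER) in a child and report its errno.
 * The pivot part needs root; the probe alone runs as any user. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Flag values from <linux/sched.h>, spelled out so the file builds even
 * when the glibc headers do not expose them. */
#ifndef CLONE_NEWNS
#define CLONE_NEWNS   0x00020000
#endif
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif

/* Raw syscalls: pivot_root(2) has no glibc wrapper, and using syscall(2) for
 * unshare(2) as well keeps the file independent of feature-test macros. */
static int sys_pivot_root(const char *new_root, const char *put_old)
{
    return (int)syscall(SYS_pivot_root, new_root, put_old);
}
static int sys_unshare(int flags)
{
    return (int)syscall(SYS_unshare, flags);
}

/* Try unshare(CLONE_NEWUSER) in a forked child so the caller's own
 * namespaces stay untouched. Returns 0 on success, otherwise the child's
 * errno (EPERM is what the kernel returns for a chrooted caller). */
int probe_unshare_newuser(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return errno;
    if (pid == 0)
        _exit(sys_unshare(CLONE_NEWUSER) == 0 ? 0 : errno);
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return errno;
    return WIFEXITED(status) ? WEXITSTATUS(status) : EINTR;
}

/* The question's sequence, run as root. Returns the probe result, or -1
 * (with a message on stderr) if a setup step failed. */
int pivot_and_probe(const char *new_root, int do_chroot, uid_t unpriv_uid)
{
    /* Private mount namespace: pivot_root() rejects shared propagation. */
    if (sys_unshare(CLONE_NEWNS) < 0) { perror("unshare(CLONE_NEWNS)"); return -1; }
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) < 0) { perror("mount(MS_PRIVATE)"); return -1; }
    /* new_root must be a mount point: bind it onto itself. */
    if (mount(new_root, new_root, NULL, MS_BIND | MS_REC, NULL) < 0) { perror("mount(MS_BIND)"); return -1; }
    if (chdir(new_root) < 0) { perror("chdir(new_root)"); return -1; }
    if (mkdir("oldroot", 0700) < 0 && errno != EEXIST) { perror("mkdir(oldroot)"); return -1; }
    if (sys_pivot_root(".", "oldroot") < 0) { perror("pivot_root"); return -1; }
    /* The commenter's suggestion: re-anchor the root directory explicitly. */
    if (do_chroot && chroot(".") < 0) { perror("chroot"); return -1; }
    if (chdir("/") < 0) { perror("chdir(/)"); return -1; }
    if (umount2("/oldroot", MNT_DETACH) < 0) { perror("umount2(oldroot)"); return -1; }
    /* The question's second process is unprivileged; mimic that here. */
    if (setgroups(0, NULL) < 0 || setgid(unpriv_uid) < 0 || setuid(unpriv_uid) < 0) {
        perror("drop privileges");
        return -1;
    }
    return probe_unshare_newuser();
}

int main(int argc, char **argv)
{
    /* Assumed defaults: /tmp/newroot exists and uid 65534 is unprivileged. */
    const char *new_root = argc > 1 ? argv[1] : "/tmp/newroot";
    int do_chroot = argc > 2 && strcmp(argv[2], "chroot") == 0;
    int r;

    if (geteuid() != 0) {
        r = probe_unshare_newuser();
        printf("not root, probing from the current root only: %s\n",
               r ? strerror(r) : "ok");
        return 0;
    }
    r = pivot_and_probe(new_root, do_chroot, 65534);
    if (r < 0)
        return 1;
    printf("after pivot_root%s: unshare(CLONE_NEWUSER) -> %s\n",
           do_chroot ? " + chroot(\".\")" : "", r ? strerror(r) : "ok");
    return 0;
}
```

Build with `gcc -o pivot_probe pivot_probe.c` and run as root with an empty directory as the new root (nothing inside it is needed, since the child only calls unshare). Dropping privileges is kept to match the question's setup, but the kernel applies the chroot check to root as well, so the result does not depend on the uid; the probe is forked so that a successful unshare does not leave the reporting process inside a fresh user namespace.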

0 Answers