5

I am trying to set up unprivileged LXC containers as explained in the Debian Wiki on a Jessie Debian physical server (4.9.135 kernel). Hence, I want to enable the userns namespace:

sysctl kernel.unprivileged_userns_clone=1
sysctl: cannot stat /proc/sys/kernel/unprivileged_userns_clone: No such file or directory

However, this kernel has been compiled with the user namespace support, as shown in:

zgrep CONFIG_USER /proc/config.gz 
CONFIG_USER_NS=y

I have run lxc-checkconfig, which shows enabled for every item except checkpoint restore: missing, which does not seem to be user namespace related:

--- Namespaces ---
User namespace: enabled
--- Checkpoint/Restore ---
checkpoint restore: missing

Googling around does not help much in understanding this error... Can anyone help me solve this issue? Do not hesitate to ask for any information which may be missing...

philippe

1 Answer

8

The sysctl mentioned in the Debian wiki does not exist in the Linux kernel.

It is provided in a Debian-maintained patch in Debian kernels for the express purpose of disabling user namespaces until they are explicitly enabled by setting the sysctl.

This Debian-specific patch has been refused by the Linux kernel developers.

Because you are not using a Debian-provided kernel, user namespaces are always enabled and you do not need to set a sysctl to turn them on. You can simply skip this step.


For checkpoint/restore, install criu and run criu check. It will tell you what, if anything, is still missing.

pevik
Michael Hampton
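The distinction drawn in the answer above, as an added example that is not part of the original post: a shell function that reports whether unprivileged user namespaces are usable and whether the Debian-only sysctl is present at all. The `userns_status` name, its result strings and the optional proc-root argument are assumptions made for illustration; the `user.max_user_namespaces` check covers the upstream limit available since Linux 4.9.

```shell
#!/bin/sh
# Added example: classify unprivileged user-namespace availability.
# userns_status and its result strings are hypothetical names.
# The optional argument is the proc root (defaults to /proc) so the
# logic can also be pointed at a constructed directory tree.
userns_status() {
    proc=${1:-/proc}
    debian_knob="$proc/sys/kernel/unprivileged_userns_clone"
    limit="$proc/sys/user/max_user_namespaces"

    # /proc/self/ns/user exists only on kernels built with CONFIG_USER_NS.
    if [ ! -e "$proc/self/ns/user" ] && [ ! -L "$proc/self/ns/user" ]; then
        echo "unsupported"
        return 0
    fi

    # Upstream limit (Linux 4.9+): 0 means no user namespace can be created.
    if [ -r "$limit" ] && [ "$(cat "$limit")" = "0" ]; then
        echo "disabled-by-limit"
        return 0
    fi

    # Debian-patched kernels only: the sysctl named in the Debian wiki.
    # A value of 0 blocks unprivileged users from creating user namespaces.
    if [ -e "$debian_knob" ]; then
        if [ "$(cat "$debian_knob")" = "1" ]; then
            echo "enabled-by-sysctl"
        else
            echo "disabled-by-sysctl"
        fi
        return 0
    fi

    # No Debian sysctl: the kernel does not carry the patch, so there is
    # nothing to switch on and the "cannot stat" error can be ignored.
    echo "enabled-no-sysctl"
}

# Report the state of the running system (or of the tree given as $1).
userns_status "${1:-/proc}"
```

On a kernel like the one in the question (CONFIG_USER_NS=y, no Debian patch) this reports `enabled-no-sysctl`.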