0

My ambition was to run a Linux namespace (in Go) inside of a remote container which I can run isolated process without affecting to the host.

    cmd := exec.Command("/bin/bash")

    cmd.Stdin = os.Stdin
    cmd.Stdout = os.Stdout
    cmd.Stderr = os.Stderr

    cmd.SysProcAttr = &syscall.SysProcAttr{
        Cloneflags: syscall.CLONE_NEWUTS,
    }

    err := cmd.Run()
    if err != nil {
        fmt.Printf(err.Error())
        os.Exit(1)
    }

Let's imagine I wanted to run bash inside this isolated space. So I run a new UTS namespace for it. So when I ran the code I got this error.

fork/exec /bin/bash: operation not permitted

I did some investigation on this error and realized error cause due to unprivilaged namepsace issue. So when I comment out these lines 

cmd.SysProcAttr = &syscall.SysProcAttr{
    Cloneflags: syscall.CLONE_NEWUTS,
}

code works. But it does not serve the purpose. Also I tried --privilaged but didn't work. Is there any other way to overcome this?

Jonathan Hall
  • 75,165
  • 16
  • 143
  • 189
Govinda Malavipathirana
  • 1,095
  • 2
  • 11
  • 29
  • Can you be more specific? Which type of container are you using? Do you have documentation about these "go namespaces"? This isn't something common to Go, so it's important to be as specific as possible. – Jonathan Hall Apr 10 '20 at 07:17
  • Go Namespaces - https://medium.com/@teddyking/namespaces-in-go-basics-e3f0fc1ff69a Remote container - https://code.visualstudio.com/docs/remote/containers – Govinda Malavipathirana Apr 10 '20 at 07:19
  • 1
    This has nothing to do with Go. These are Linux namespaces. You are mixing things up. Make sure the user running your Go code has the right privileges to do that kind of Linux stuff. – Volker Apr 10 '20 at 07:33
  • Okay, so that's not talking about "go namespaces". It's talking about Linux namespaces, in the context of Go. – Jonathan Hall Apr 10 '20 at 07:39
  • If you're trying to make this call from inside a Docker container, it already runs in a separate process namespace. – David Maze Apr 10 '20 at 10:32
  • Without further deployment information it's difficult to diagnose and fix your problem. First, how do you deploy the container? Full docker CLI please. What OS distro do you, or rather: do you have AppArmor or SELinux and does your container engine use it? How do you build your image? Do you deploy the go process in your container as UID0/root? – TheDiveO Jul 25 '21 at 16:28

0 Answers0