Questions tagged [linux-namespaces]
For questions regarding the Linux kernel's namespaces mechanism.
143 questions
0 votes, 1 answer
Why can't I run some programs after using unshare(CLONE_NEWUSER)
I'm working on adding some restrictions to my build process - to detect cycles, specifically. To achieve this I've been experimenting with user namespaces.
Here's my 'hello world' program:
#include
#include
int main()
{
if(…

Dan O
0 votes, 0 answers
Using networkd with linux namespaces
I am currently trying to simulate a network using network namespaces under Linux. I have already set up the nodes and connected them, and they can ping each other, one hop at a time. But I am really struggling trying to enable IP forwarding.
I am…

ObiBabobi
0 votes, 0 answers
Creating linux user on host from container
Is there a way to share the user namespace with a Docker container, so that Linux users I create in the container will exist on the host?

Ofek Agmon
0 votes, 0 answers
Security for setns system call
Are there any relevant LSM hooks in the Linux kernel, not proposed patches, that can be used to secure the use of the setns system call? If there isn't, then what can be used to restrict the namespaces that a process can switch into?

Melab
0 votes, 1 answer
Files owned by Docker userns-remap user end up owned by nobody inside the container
I am messing around with Docker user namespace remapping: https://docs.docker.com/engine/security/userns-remap/
I have enabled Docker user namespace remapping by modifying /etc/docker/daemon.json. Content currently looks like this:
{
…

xtrom0rt
0 votes, 1 answer
Mount system call not working with MS_PRIVATE flag
We are trying to learn how to build a container-like application on Linux (I'm using Ubuntu 20.04).
We've fetched an Ubuntu file system with the following command:
sudo debootstrap --variant=minbase bionic /home/some/path/ubuntu_fs…

Akash Vaish
0 votes, 1 answer
How to properly run a container with containerd's ctr using --uidmap/gidmap and --net-host option
I'm running a container with ctr and next to using user namespaces to map the user within the container (root) to another user on the host, I want to make the host networking available for the container. For this, I'm using the --net-host option.…

Wolfson
0 votes, 2 answers
How does AppArmor handle Linux-kernel mount namespaces?
I've searched through AppArmor's wiki as well as tried Internet searches for "apparmor mount namespace" (or similar). However, I always draw a blank as to how AppArmor deals with them, which is especially odd considering that OCI containers…

TheDiveO
0 votes, 1 answer
joined process cannot write ns_last_pid of the container
A process from a host joined a container's namespace and is trying to write the ns_last_pid file present in /proc/sys/kernel/ns_last_pid. But it is giving an error of Read only file system,
whereas I'm able to do this on the host's ns_last_pid file via…

user13145713
0 votes, 1 answer
AppArmor: How to block pid=host container with CAP_SYS_ADMIN/CAP_SYS_CHROOT from reading (some) host files?
Given is a container that has pid=host (so it is in the initial PID namespace and has a full view on all processes). This container (rather, its process) additionally has the capabilities CAP_SYS_ADMIN and CAP_SYS_CHROOT, so it can change mount…

TheDiveO
0 votes, 0 answers
How to traverse through the pid namespace of a container?
I have to traverse through the process tree of a container launched in a runc container environment.
My goal is to walk the process tree when the container is paused and call clone method to specific pid of that process tree so that it creates a new…

user13145713
0 votes, 0 answers
How to use docker build when userns are enabled?
My Dockerfile is very simple:
FROM scratch
ADD archlinux-bootstrap-2020.06.01-x86_64.tar.gz /
however, it still fails:
Sending build context to Docker daemon 166.3MB
Step 1/2 : FROM scratch
--->
Step 2/2 : ADD…

graywolf
0 votes, 0 answers
Unable to run an isolated process inside of a namespace in remote container
My ambition was to run a Linux namespace (in Go) inside of a remote container in which I can run an isolated process without affecting the host.
cmd := exec.Command("/bin/bash")
cmd.Stdin = os.Stdin
cmd.Stdout = os.Stdout
cmd.Stderr =…

Govinda Malavipathirana
0 votes, 1 answer
Linux kernel - How is the CPU subsystem (of cgroups) different from the CPU scheduler?
Linux kernel code here provides a CPU scheduler that has multiple scheduling algorithms for scheduling processes (including Docker container processes).
A control group is a kernel construct, which allows for limiting access to, and accounting…

overexchange
0 votes, 1 answer
How to Run Programs Built for a Different Base Library Version?
A busybox system comes with an rpm command on glibc-2.24. How can programs from Fedora Core (FC) and/or later versions be run on this system?
I've figured out FC25 comes with the same glibc version. If I download FC25 rpm packages and install them,…

minghua