namespace

Can't use user/group IDs in unshared namespace

Can't use user/group IDs in unshared namespace When mounting a tmpfs in a mount and user namespace that is separate from my ‘regular’ system, my expectation is that it’s possible to use any user/group ID. There would be no need for mapping IDs since the tmpfs is only present in this mount namespace (I have …

Total answers: 1

Kubernetes Namespace Stuck in 'Terminating'

Kubernetes Namespace Stuck in 'Terminating' I’m encountering an issue where a Kubernetes namespace is stuck in the ‘Terminating’ state. Running kubectl get ns cattle-monitoring-system -o json|jq produces error messages related to custom.metrics.k8s.io/v1beta1 and shows a DiscoveryFailed condition in the namespace status: E1213 08:02:39.979034 953148 memcache.go:287] couldn’t get resource list for custom.metrics.k8s.io/v1beta1: the server is currently …

Total answers: 1

How to Make a Systemd Private Network Namespace Accessible

How to Make a Systemd Private Network Namespace Accessible So I have an application that only binds to 0.0.0.0 and listens on a port (TCP). The communication is unencrypted and unauthorized so I’d like to work around that without getting too deep into the weeds. I’d like it to bind on 127.0.0.1 so I can …

Total answers: 1

Root network namespace as transit between 2 other net namespaces

Root network namespace as transit between 2 other net namespaces I am trying to communicate between two network namespaces that are connected through the root namespace using veth pairs as seen in the diagram. I am unable to perform a ping from netns A to netns B. Additionally I can ping from root namespace to …

Total answers: 1

Fix Polyinstantiation of /tmp causing 'connect /tmp/.X11-unix/X0: No such file or directory'

Fix Polyinstantiation of /tmp causing 'connect /tmp/.X11-unix/X0: No such file or directory' In a multiseat desktop system with the /tmp directory polyinstantiated, the /tmp/.X11-unix/ directory and Xn instances are still created under root’s /tmp not a user’s. ssh -Ying into or out of the box and trying to run X11 applications (via X-forwarding) generates connect …

Total answers: 1

Why is my namespace not detected?

Why is my namespace not detected? I tried from home, then sudo su - ip netns exec 5bd337503b01 ip addr show Cannot open network namespace "5bd337503b01": No such file or directory pwd shows /var/run/docker/netns Why? Asked By: Richard Rublev Note: /var/run is a symlink to /run so it doesn’t really matter which is written …

Total answers: 1

How do you get the child pid of `unshare` when using --fork for `nsenter -t <pid>`?

How do you get the child pid of `unshare` when using --fork for `nsenter -t <pid>`? When using unshare --pid --fork, the nsenter command must attach to the child pid, not the unshare pid, to get to the right pid namespace. I can get unshare’s pid as follows: unshare --pid --mount --fork --mount-proc bash & …

Total answers: 1
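The mechanism behind this question, as an added example that is not part of the original post or its answer: a POSIX sh function that finds the PID of a process's forked child by reading the PPid field of every /proc/<pid>/status, which is the PID nsenter -t needs when unshare --fork is the parent. It assumes a Linux /proc. Because creating a PID namespace needs root or an unprivileged user namespace, the runnable part uses a stand-in parent (a plain sh running sleep) and the unshare/nsenter invocation is shown in comments only.

```shell
#!/bin/sh
# Added example (not from the original post). Locate the child of a given
# process by scanning /proc, so that nsenter can target the child's PID
# namespace rather than the namespace unshare itself still lives in.

# child_pid_of PARENT_PID -> prints every PID whose PPid is PARENT_PID.
child_pid_of() {
    parent="$1"
    for status in /proc/[0-9]*/status; do
        # The process may exit between the glob and the read; skip it.
        [ -r "$status" ] || continue
        ppid=
        {
            while IFS= read -r line; do
                case $line in
                    PPid:*)
                        # Strip the label and surrounding whitespace via word splitting.
                        set -- ${line#PPid:}
                        ppid=$1
                        break
                        ;;
                esac
            done < "$status"
        } 2>/dev/null || continue
        if [ "$ppid" = "$parent" ]; then
            pid=${status#/proc/}
            printf '%s\n' "${pid%/status}"
        fi
    done
}

# comm_of PID -> the command name the kernel records for PID.
comm_of() {
    cat "/proc/$1/comm" 2>/dev/null
}

# Intended use with unshare (needs root or user namespaces; not executed here):
#   unshare --pid --mount --fork --mount-proc sleep 1000 &
#   UNSHARE_PID=$!                     # PID of unshare, still in the parent pid ns
#   CHILD=$(child_pid_of "$UNSHARE_PID") # PID 1 of the new pid ns, seen from outside
#   nsenter -t "$CHILD" --pid --mount -- ps -e
# Entering via "$UNSHARE_PID" instead would land in the original pid namespace.
```

The scan deliberately avoids pgrep -P and /proc/<pid>/task/<pid>/children, which need procps or CONFIG_PROC_CHILDREN respectively; reading PPid from status works on any Linux with /proc mounted.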

How does /proc interact with PID namespaces?

How does /proc interact with PID namespaces? I do not understand how namespaces interact with /proc. I assumed that /proc returns values based on the process that queries them. For example, let’s determine the PID of the current process inside the global PID namespace: $ bwrap --bind / / readlink /proc/self 6182 This makes sense …

Total answers: 1

How to login to a user namespace created by unshare?

How to login to a user namespace created by unshare? How to login to a user namespace created by unshare -U from another terminal? Asked By: Franc M There’s no such thing as "logging in to a user namespace"; a user namespace is not a virtual machine running a login interface, or something …

Total answers: 1

Dockers create user namespaces?

Dockers create user namespaces? My question is about how Docker instruments the storage for the container instance. Do container applications or Docker create user namespaces when creating a new container instance? Asked By: Franc M Docker creates namespaces. An lsns command before and after docker run would show that there are extra user namespaces …

Total answers: 1

How to create a user namespace in Ubuntu?

How to create a user namespace in Ubuntu? I want to create namespaces with and without the privilege and need to study the implications if the namespace creation is restricted only to privileged users. How to create a user namespace in Ubuntu 18.04 LTS. Which command should I use? Asked By: Franc M …

Total answers: 1

Podman errors on tar with potentially insufficient UIDs or GIDs available in user namespace

Podman errors on tar with potentially insufficient UIDs or GIDs available in user namespace When I run podman run I’m getting a particularly weird error, ❯ podman run -ti --restart=unless-stopped -p 80:80 -p 443:443 rancher/rancher:latest ✔ docker.io/rancher/rancher:latest Trying to pull docker.io/rancher/rancher:latest… Getting image source signatures [… blob copying…] Writing manifest to image destination Storing signatures …

Total answers: 2

Is it possible to access a Unix socket over the network?

Is it possible to access a Unix socket over the network? The documentation of the Linux sandboxing application firejail says whenever we are dealing with X11 we also need to install a new network namespace. This is the only way to block access to the abstract Unix socket opened by the main X11 server already …

Total answers: 2

When does Linux "garbage-collect" namespaces?

When does Linux "garbage-collect" namespaces? My current understanding of Linux (kernel) namespaces is that their lifetime after creation is as long as at least one of the following conditions holds true: at least one process/thread is joined (attached, …) to namespace X. at least one bind-mount exists to namespace X. at least one open fd …

Total answers: 1

About mounting and umounting inherited mounts inside a newly-created mount namespace

About mounting and umounting inherited mounts inside a newly-created mount namespace Experiment 1 From outside the namespace, cat /proc/self/mountinfo gives 291 34 0:37 / /tmp/IMJUSTTMP rw,relatime shared:152 - tmpfs tmpfs rw,size=102400k 34 23 0:32 / /tmp rw,nosuid,nodev shared:16 - tmpfs tmpfs rw Then I run unshare -mU --map-root-user --propagation private /usr/bin/zsh to get a new …

Total answers: 1

Understanding how mount namespaces work in Linux

Understanding how mount namespaces work in Linux I am reading about mount namespaces and see: in a mount namespace you can mount and unmount filesystems without it affecting the host filesystem. So you can have a totally different set of devices mounted (usually less). I am trying to understand linux namespaces, and LXC and such, …

Total answers: 1

Losing permissions by adding capability?

Losing permissions by adding capability? I observed the following phenomenon that I can not explain. After adding the CAP_SYS_ADMIN capability, unshare is no longer able to write to /proc/self/setgroups. In fact, writing to this file requires the capability, but that is achieved by changing the user namespace. So why does adding the capability to the …

Total answers: 1

Why can't I bind-mount "/" inside a user namespace?

Why can't I bind-mount "/" inside a user namespace? Why doesn’t this work? $ unshare -rm mount --bind / /mnt mount: /mnt: wrong fs type, bad option, bad superblock on /, missing codepage or helper program, or other error. These work ok: $ unshare -rm mount --bind /tmp /mnt $ unshare -rm mount --bind /root …

Total answers: 1