[lxc-devel] Error "unshare: Operation not permitted" when trying to create user container
Serge Hallyn
serge.hallyn at ubuntu.com
Mon Feb 17 16:11:08 UTC 2014
Quoting Brian Campbell (lambda at continuation.org):
> I tried the demo_userns.c example code from this LWN article https://lwn.net/Articles/532593/ and got the same result:
>
> lambda at gherkin:userns$ ./demo_userns
> clone: Operation not permitted
>
> So it looks like something is preventing me from calling clone(CLONE_NEWUSER) or unshare(CLONE_NEWUSER).
>
> I can't find any documentation on CLONE_NEWUSER outside of that LWN article, and it indicates that as of 3.8, no privilege should be needed to call clone(CLONE_NEWUSER), so I'm somewhat puzzled as to why this is failing.
Without looking at the rest of this thread, it basically has to be
either your kernel doesn't have CONFIG_USER_NS=y (which I wouldn't
expect before a 3.13 or at least 3.12 kernel), or your distro kernel
has a sysctl patch to turn off unprivileged CLONE_NEWUSER by default.
You can find out whether it's the latter by just trying CLONE_NEWUSER
as root. If that works, then look under /proc/sys/kernel for something
called *userns* or *unpriv* and set it to 1 :)
-serge
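A small diagnostic in the spirit of the two checks Serge describes, added here as an example that is not part of this thread and not LXC or kernel code: it tries unshare(CLONE_NEWUSER) in a forked child, maps the resulting errno to the likely cause (EINVAL when the kernel lacks CONFIG_USER_NS, EPERM when user namespaces exist but the caller is not allowed to create one), and reads the sysctls that gate unprivileged user namespaces. The sysctl paths are assumptions drawn from the Debian/Ubuntu patch (kernel.unprivileged_userns_clone) and later mainline kernels (user.max_user_namespaces, 4.9+); the thread itself only says to look for something matching *userns* or *unpriv* under /proc/sys/kernel. Run it once as an ordinary user and once as root: root succeeding where the user gets EPERM is the distro-sysctl case.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <limits.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

enum userns_state { USERNS_OK, USERNS_NO_CONFIG, USERNS_BLOCKED, USERNS_OTHER };

/* Attempt unshare(CLONE_NEWUSER) in a child so the caller's own namespace
 * is left untouched.  Returns 0 on success or the child's errno on failure
 * (errno values are < 256 on Linux, so they survive the exit status). */
int probe_unshare_userns(void) {
    pid_t pid = fork();
    if (pid < 0)
        return errno;
    if (pid == 0) {
        if (unshare(CLONE_NEWUSER) == 0)
            _exit(0);
        _exit(errno);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return errno;
    if (!WIFEXITED(status))
        return ECHILD; /* child was killed, e.g. by seccomp */
    return WEXITSTATUS(status);
}

/* Map the probe result onto the two causes Serge lists. */
enum userns_state classify_userns_errno(int err) {
    switch (err) {
    case 0:      return USERNS_OK;
    case EINVAL: return USERNS_NO_CONFIG; /* unshare(2): CONFIG_USER_NS not set */
    case EPERM:  return USERNS_BLOCKED;   /* sysctl, chroot, LSM or missing capability */
    default:     return USERNS_OTHER;
    }
}

const char *explain_userns_state(enum userns_state s) {
    switch (s) {
    case USERNS_OK:        return "unprivileged CLONE_NEWUSER works";
    case USERNS_NO_CONFIG: return "kernel built without CONFIG_USER_NS";
    case USERNS_BLOCKED:   return "user namespaces exist but this caller may not create one; try as root and check sysctls";
    default:               return "unexpected error from unshare(CLONE_NEWUSER)";
    }
}

/* Parse a /proc/sys value such as "1\n"; -1 if it is not a non-negative integer. */
int parse_sysctl_value(const char *text) {
    char *end;
    errno = 0;
    long v = strtol(text, &end, 10);
    if (end == text || errno != 0 || v < 0 || v > INT_MAX)
        return -1;
    while (*end == '\n' || *end == ' ' || *end == '\t')
        end++;
    return *end == '\0' ? (int)v : -1;
}

/* Read an integer sysctl from /proc/sys; -1 if the file is absent or unreadable. */
int read_proc_sysctl(const char *path) {
    char buf[64];
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    const char *line = fgets(buf, sizeof buf, f);
    fclose(f);
    return line ? parse_sysctl_value(line) : -1;
}

int main(void) {
    /* Assumed sysctl paths: Debian/Ubuntu patch and mainline 4.9+ respectively. */
    static const char *const paths[] = {
        "/proc/sys/kernel/unprivileged_userns_clone", /* 0 disables unprivileged CLONE_NEWUSER */
        "/proc/sys/user/max_user_namespaces",         /* 0 disables creating any user namespace */
    };
    int err = probe_unshare_userns();
    printf("unshare(CLONE_NEWUSER) as uid %u: %s (errno %d: %s)\n",
           (unsigned)getuid(), explain_userns_state(classify_userns_errno(err)),
           err, err ? strerror(err) : "ok");
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++) {
        int v = read_proc_sysctl(paths[i]);
        if (v < 0)
            printf("%s: not present\n", paths[i]);
        else
            printf("%s = %d\n", paths[i], v);
    }
    return 0;
}
```

The probe runs in a child on purpose: a successful unshare(CLONE_NEWUSER) would otherwise leave the diagnosing process in a fresh user namespace with an unmapped uid, which changes what the sysctl reads and any later tests observe.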