
Comments (10)

robertswiecki avatar robertswiecki commented on June 18, 2024

Hi, what's your kernel version? uname -a

Also, can you run everything under strace, and upload the results?

strace -f -o /tmp/output.txt bazel-bin/sandboxed_api/sandbox2/examples/tool/sandbox2tool --sandbox2tool_resolve_and_add_libraries --sandbox2tool_additional_bind_mounts /etc /bin/cat /etc/hostname

from sandboxed-api.

Amandaynzhou avatar Amandaynzhou commented on June 18, 2024

Hi,
Thanks for the reply!
I am using the Linux system developed within the enterprise (similar to CentOS), and the kernel may be 5.4. I find the problem may be caused by the permissions or something in the Cloud Virtual Machine (I tried both inside Docker with --privileged and outside Docker in the CVM; neither works). Currently, I bypass it by running it on the local machine (Ubuntu).

Here is the output:
https://drive.google.com/file/d/1nTvRS7-DJw8qV0H_jDrx3joBOVu0PEYB/view?usp=share_link


cblichmann avatar cblichmann commented on June 18, 2024

1964804 clone(child_stack=0x7ffeabeba7b0, flags=CLONE_NEWNS|CLONE_NEWUSER|SIGCHLD) = -1 EINVAL (Invalid argument)

That line looks like unprivileged user namespaces are not permitted. If you're on a CentOS derivative, that might be the default config. Note that Docker by default uses a daemon that runs as root, so it will not have this issue.

Can you check if

echo 10000 > /proc/sys/user/max_user_namespaces

does anything for you?

On a Debian kernel, this would be

sudo sh -c "echo 1 > /proc/sys/kernel/unprivileged_userns_clone"


Amandaynzhou avatar Amandaynzhou commented on June 18, 2024

After I enter
echo 10000 > /proc/sys/user/max_user_namespaces

it still fails with the same error:

INFO: Running command line: bazel-bin/sandboxed_api/sandbox2/examples/tool/sandbox2tool --sandbox2tool_resolve_and_add_libraries --sandbox2tool_additional_bind_mounts /etc /bin/cat /etc/hostname
[global_forkclient.cc : 153] RAW: Starting global forkserver
[util.cc : 199] RAW: clone(): Invalid argument [22]
[forkserver.cc : 580] RAW: Check pid != -1 failed: failed to fork initial namespaces process: Invalid argument [22]
E0324 15:10:23.602776 2614517 fork_client.cc:55] Receiving init PID from the ForkServer failed
E0324 15:10:23.602837 2614517 global_forkclient.cc:303] Global forkserver connection terminated
[global_forkclient.cc : 227] RAW: forkserver (pid=2621296) terminated by signal 6
E0324 15:10:23.602924 2614517 sandbox2tool.cc:233] Sandbox failed
E0324 15:10:23.602943 2614517 sandbox2tool.cc:239] Sandbox error: SETUP_ERROR - Code: FAILED_SUBPROCESS


cblichmann avatar cblichmann commented on June 18, 2024

Ok, this might still mean that the unprivileged namespace feature is not active.
What's the output of uname -a? Are you running a custom kernel or the one that ships with your distribution?

Also, to rule out other issues, can you try to run sandbox2tool as root?


Amandaynzhou avatar Amandaynzhou commented on June 18, 2024

Yes, I use a custom kernel like:
Linux VM-252-28-centos 5.4.32-1-sometag
I tried sudo + the command and got the same error.


cblichmann avatar cblichmann commented on June 18, 2024

Do you have a kernel config for me? Is CONFIG_USER_NS actually enabled?


Amandaynzhou avatar Amandaynzhou commented on June 18, 2024

Sorry, I could not provide the config file. But yes, it seems that CONFIG_USER_NS is not enabled.

./kernel/Makefile:75:obj-$(CONFIG_USER_NS) += user_namespace.o
./include/config/auto.conf:173:# CONFIG_USER_NS is not set
./include/linux/cred.h:391:#ifdef CONFIG_USER_NS
./include/linux/user_namespace.h:106:#ifdef CONFIG_USER_NS
./include/linux/uidgid.h:121:#ifdef CONFIG_USER_NS
./include/linux/uidgid.h:189:#endif /* CONFIG_USER_NS */
./include/linux/seq_file.h:165:#ifdef CONFIG_USER_NS
./include/linux/projid.h:51:#ifdef CONFIG_USER_NS
./include/linux/projid.h:88:#endif /* CONFIG_USER_NS */

➜  config grep CONFIG_USER_NS /boot/config-$(uname -r)
# CONFIG_USER_NS is not set


cblichmann avatar cblichmann commented on June 18, 2024

That is very likely the root of this issue. Can you try with/rebuild a kernel that has this setting enabled?

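The three checks the thread walks through (the CONFIG_USER_NS line in /boot/config-$(uname -r), user.max_user_namespaces, and Debian's kernel.unprivileged_userns_clone) can be folded into one diagnostic. The script below is an added example, not part of sandboxed-api; it reads the live values when the files exist, and the pure functions map them to the errno clone(CLONE_NEWUSER) returns in each case (EINVAL when CONFIG_USER_NS is not compiled in, which is why root did not help here; ENOSPC when the namespace limit is 0; EPERM when the Debian sysctl disables unprivileged use).

```shell
#!/bin/sh
# Added example (not sandboxed-api code): explain why the sandbox2
# forkserver's clone(CLONE_NEWNS|CLONE_NEWUSER) might be rejected.

# userns_config_state CONFIG_LINE -> enabled | disabled | unknown
# CONFIG_LINE is the CONFIG_USER_NS line from the kernel config, or empty.
userns_config_state() {
    case "$1" in
        "CONFIG_USER_NS=y")            echo enabled ;;
        "# CONFIG_USER_NS is not set") echo disabled ;;
        *)                             echo unknown ;;
    esac
}

# userns_verdict CONFIG_STATE MAX_USER_NS UNPRIV_CLONE -> one-line diagnosis
#   MAX_USER_NS:  /proc/sys/user/max_user_namespaces ("" if absent)
#   UNPRIV_CLONE: /proc/sys/kernel/unprivileged_userns_clone ("" if absent)
userns_verdict() {
    config="$1"; max_ns="$2"; unpriv="$3"
    if [ "$config" = disabled ]; then
        echo "CONFIG_USER_NS is not set: clone(CLONE_NEWUSER) fails with EINVAL even as root; rebuild the kernel"
    elif [ -n "$max_ns" ] && [ "$max_ns" -eq 0 ] 2>/dev/null; then
        echo "user.max_user_namespaces=0: clone(CLONE_NEWUSER) fails with ENOSPC; raise the sysctl"
    elif [ "$unpriv" = 0 ]; then
        echo "kernel.unprivileged_userns_clone=0: clone(CLONE_NEWUSER) fails with EPERM for non-root; set it to 1"
    else
        echo "no blocker found in kernel config or sysctls"
    fi
}

# Collect the live values (a missing file yields an empty string) and report.
diagnose_userns() {
    cfg_file="/boot/config-$(uname -r)"
    cfg_line=""; max_ns=""; unpriv=""
    [ -r "$cfg_file" ] && cfg_line=$(grep -E '^(# )?CONFIG_USER_NS[ =]' "$cfg_file" | head -n 1)
    [ -r /proc/sys/user/max_user_namespaces ] && max_ns=$(cat /proc/sys/user/max_user_namespaces)
    [ -r /proc/sys/kernel/unprivileged_userns_clone ] && unpriv=$(cat /proc/sys/kernel/unprivileged_userns_clone)
    state=$(userns_config_state "$cfg_line")
    echo "kernel=$(uname -r) CONFIG_USER_NS=$state max_user_namespaces=${max_ns:-n/a} unprivileged_userns_clone=${unpriv:-n/a}"
    userns_verdict "$state" "$max_ns" "$unpriv"
}

diagnose_userns
```

If the verdict is "no blocker found" but clone still fails, the strace output (as in the first reply) is the next place to look, since seccomp or LSM policy can also reject the call.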

cblichmann avatar cblichmann commented on June 18, 2024

I think we got to the bottom of this. Closing. Feel free to reopen if you have more questions.

