Comments (10)
Hi, what's your kernel version? uname -a
Also, can you run everything under strace, and upload the results?
strace -f -o /tmp/output.txt bazel-bin/sandboxed_api/sandbox2/examples/tool/sandbox2tool --sandbox2tool_resolve_and_add_libraries --sandbox2tool_additional_bind_mounts /etc /bin/cat /etc/hostname
from sandboxed-api.
Hi,
Thanks for the reply!
I am using a Linux system developed within the enterprise (similar to CentOS), and the kernel may be 5.4. I find the problem may be caused by the permissions or something in the Cloud Virtual Machine (I tried both inside Docker with --privileged and outside Docker in the CVM; neither worked). Currently, I bypass it by running it on the local machine (Ubuntu).
Here is the output:
https://drive.google.com/file/d/1nTvRS7-DJw8qV0H_jDrx3joBOVu0PEYB/view?usp=share_link
from sandboxed-api.
1964804 clone(child_stack=0x7ffeabeba7b0, flags=CLONE_NEWNS|CLONE_NEWUSER|SIGCHLD) = -1 EINVAL (Invalid argument)
That line looks like unprivileged user namespaces are not permitted. If you're on a CentOS derivative, that might be the default config. Note that Docker by default uses a daemon that runs as root, so it will not have this issue.
Can you check if
echo 10000 > /proc/sys/user/max_user_namespaces
does anything for you?
On a Debian kernel, this would be
sudo sh -c "echo 1 > /proc/sys/kernel/unprivileged_userns_clone"
from sandboxed-api.
After I enter
echo 10000 > /proc/sys/user/max_user_namespaces
It still gets the same error
INFO: Running command line: bazel-bin/sandboxed_api/sandbox2/examples/tool/sandbox2tool --sandbox2tool_resolve_and_add_libraries --sandbox2tool_additional_bind_mounts /etc /bin/cat /etc/hostname
[global_forkclient.cc : 153] RAW: Starting global forkserver
[util.cc : 199] RAW: clone(): Invalid argument [22]
[forkserver.cc : 580] RAW: Check pid != -1 failed: failed to fork initial namespaces process: Invalid argument [22]
E0324 15:10:23.602776 2614517 fork_client.cc:55] Receiving init PID from the ForkServer failed
E0324 15:10:23.602837 2614517 global_forkclient.cc:303] Global forkserver connection terminated
[global_forkclient.cc : 227] RAW: forkserver (pid=2621296) terminated by signal 6
E0324 15:10:23.602924 2614517 sandbox2tool.cc:233] Sandbox failed
E0324 15:10:23.602943 2614517 sandbox2tool.cc:239] Sandbox error: SETUP_ERROR - Code: FAILED_SUBPROCESS
from sandboxed-api.
Ok, this might still mean that the unprivileged namespace feature is not active.
What's the output of uname -a? Are you running a custom kernel or the one that ships with your distribution?
Also, to rule out other issues, can you try to run sandbox2tool as root?
from sandboxed-api.
Yes, I use the custom kernel like:
Linux VM-252-28-centos 5.4.32-1-sometag
I tried sudo + command and met the same error.
from sandboxed-api.
Do you have a kernel config for me? Is CONFIG_USER_NS actually enabled?
from sandboxed-api.
Sorry I could not provide the config file. But yes it seems that the CONFIG_USER_NS is not enabled.
./kernel/Makefile:75:obj-$(CONFIG_USER_NS) += user_namespace.o
./include/config/auto.conf:173:# CONFIG_USER_NS is not set
./include/linux/cred.h:391:#ifdef CONFIG_USER_NS
./include/linux/user_namespace.h:106:#ifdef CONFIG_USER_NS
./include/linux/uidgid.h:121:#ifdef CONFIG_USER_NS
./include/linux/uidgid.h:189:#endif /* CONFIG_USER_NS */
./include/linux/seq_file.h:165:#ifdef CONFIG_USER_NS
./include/linux/projid.h:51:#ifdef CONFIG_USER_NS
./include/linux/projid.h:88:#endif /* CONFIG_USER_NS */
➜  config grep CONFIG_USER_NS /boot/config-$(uname -r)
# CONFIG_USER_NS is not set
from sandboxed-api.
That is very likely the root of this issue. Can you try with/rebuild a kernel that has this setting enabled?
from sandboxed-api.
I think we got to the bottom of this. Closing. Feel free to reopen if you have more questions.
from sandboxed-api.
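The checks this thread went through, ordered so the compile-time switch is tested first, as an added example (not code from the Sandboxed API project). The function name `userns_diagnose` and its verdict strings are made up for illustration; the default paths are the ones quoted in the comments above, and they are parameters so the check can also be run against saved copies of a machine's files.

```shell
#!/bin/sh
# Added example: explain why clone(CLONE_NEWNS|CLONE_NEWUSER) is refused,
# using the three settings discussed in this thread.
# Usage: userns_diagnose [KERNEL_CONFIG] [MAX_USERNS_FILE] [DEBIAN_KNOB_FILE]
# Prints one verdict; returns 0 (ok), 1 (blocked) or 2 (cannot tell).

userns_diagnose() {
    config=${1:-/boot/config-$(uname -r)}
    max_file=${2:-/proc/sys/user/max_user_namespaces}
    debian_file=${3:-/proc/sys/kernel/unprivileged_userns_clone}

    # Without the build config the first (decisive) question is unanswered.
    if [ ! -r "$config" ]; then
        echo "config-unreadable"
        return 2
    fi

    # 1. Compile-time switch. If CONFIG_USER_NS is not set, no sysctl
    #    and no sudo helps: clone() fails with EINVAL, as seen above.
    if ! grep -q '^CONFIG_USER_NS=y' "$config"; then
        echo "kernel-built-without-user-ns"
        return 1
    fi

    # 2. Runtime limit: 0 means no user namespace may be created.
    if [ -r "$max_file" ] && [ "$(cat "$max_file")" = "0" ]; then
        echo "max-user-namespaces-is-zero"
        return 1
    fi

    # 3. Debian-specific knob; the file is absent on other kernels.
    if [ -r "$debian_file" ] && [ "$(cat "$debian_file")" = "0" ]; then
        echo "unprivileged-userns-clone-disabled"
        return 1
    fi

    echo "ok"
    return 0
}

# Live check on the current machine:
#   userns_diagnose; echo "exit=$?"
```

On the reporter's machine the first check alone would have returned `kernel-built-without-user-ns`, which is why writing 10000 to max_user_namespaces and running under sudo changed nothing.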