#1 2015-01-26 10:42:47

karlyan
Member
Registered: 2015-01-26
Posts: 3

enabling user namespace in kernel

Hi everyone,

I hope this is the right place for this post.
I want to experiment with unprivileged lxc-containers. Therefore I need User Namespace enabled in the kernel, which is not:

[root@alexarch karlyan]# lxc-checkconfig
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: missing                           <-----------------------
Network namespace: enabled
Multiple /dev/pts instances: enabled

--- Control groups ---
Cgroup: enabled
Cgroup clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled

--- Misc ---
Veth pair device: enabled
Macvlan: enabled
Vlan: enabled
File capabilities: enabled

I tried recompiling the kernel with user namespace enabled in the config file but I still got the same result.
I also found this, which confused me even more... was this change revoked?

I'm running the standard linux kernel

[root@alexarch karlyan]# pacman -Q linux
linux 3.18.2-2

Any help is appreciated :)

Cheers,
Karlyan


#2 2015-01-26 13:17:20

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 30,454

Re: enabling user namespace in kernel

Your link goes nowhere. When you compiled the new kernel, did you check that you were booted into your new kernel, and did you confirm that it used the config you wanted? The simple way to test this is to run the following:

zgrep CONFIG_USER_NS /proc/config.gz

(edited as suggested below; thanks graysky)

Last edited by Trilby (2015-01-26 20:48:40)


"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman
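The check above reads one line out of the running kernel's config. The POSIX sh script below is an added example (not from this thread or from lxc-checkconfig) that wraps the same idea: it classifies CONFIG_USER_NS from a config text as enabled, disabled (the "# CONFIG_USER_NS is not set" line seen later in the thread) or missing (no line at all, which usually means the kernel is too old to have the option), a finer split than lxc-checkconfig's single "missing". It assumes /proc/config.gz (CONFIG_IKCONFIG_PROC) or, as a fallback, a distro-provided /boot/config-$(uname -r).

```shell
#!/bin/sh
# Added example: report the state of CONFIG_USER_NS for a kernel config.

# userns_status CONFIG_TEXT
#   Prints one of: enabled | disabled | missing
#   Matches are anchored so CONFIG_USER_NS_EXTRA=y (hypothetical) cannot
#   be mistaken for CONFIG_USER_NS=y.
userns_status() {
    if printf '%s\n' "$1" | grep -q '^CONFIG_USER_NS=y$'; then
        echo enabled
    elif printf '%s\n' "$1" | grep -q '^# CONFIG_USER_NS is not set$'; then
        echo disabled
    else
        echo missing
    fi
}

# running_config
#   Prints the running kernel's config: /proc/config.gz (as in the thread)
#   or the /boot copy some distributions install (assumed path); prints
#   nothing when neither is readable, and still exits 0.
running_config() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    fi
    :
}

# Live report for the currently booted kernel; silently skipped when no
# config source exists (e.g. a kernel built without CONFIG_IKCONFIG_PROC).
cfg=$(running_config)
if [ -n "$cfg" ]; then
    printf '%s: CONFIG_USER_NS %s\n' "$(uname -r)" "$(userns_status "$cfg")"
fi
```

Because it reads the config of the kernel that is actually booted, "disabled" after a rebuild means either the old kernel is still running or the rebuilt config did not carry the option, which is exactly the two cases asked about above.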


#3 2015-01-26 20:26:36

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,726

Re: enabling user namespace in kernel

Trilby wrote:

Y

zcat /proc/config.gz | grep CONFIG_USER_NS

Related but adds nothing to the conversation: No need to zcat:

% zgrep CONFIG_USER_NS /proc/config.gz
# CONFIG_USER_NS is not set


#4 2015-01-26 21:54:48

karlyan
Member
Registered: 2015-01-26
Posts: 3

Re: enabling user namespace in kernel

update,

I booted the right kernel, but still I get:

[root@alexarch karlyan]$ zgrep CONFIG_USER_NS /proc/config.gz
# CONFIG_USER_NS is not set

Will try to recompile the kernel using another way to edit the config (I used nconfig before as part of makepkg from the Arch build system).


#5 2015-01-26 23:23:39

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,726

Re: enabling user namespace in kernel

That is all you need to do; I use nconfig all the time.


#6 2015-01-26 23:45:54

Leonid.I
Member
From: Aethyr
Registered: 2009-03-22
Posts: 999

Re: enabling user namespace in kernel

karlyan wrote:

I want to experiment with unprivileged lxc-containers. Therefore I need User Namespace enabled in the kernel, which is not:

[root@alexarch karlyan]# lxc-checkconfig 
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: missing                           <-----------------------
Network namespace: enabled
Multiple /dev/pts instances: enabled

--- Control groups ---
Cgroup: enabled
Cgroup clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled

--- Misc ---
Veth pair device: enabled
Macvlan: enabled
Vlan: enabled
File capabilities: enabled

I wouldn't recommend enabling user namespaces on the main (host) kernel yet.

If it's just for experimentation, then simply boot the latest Ubuntu in a VM and deploy LXC there. If you want to have CONFIG_USER_NS, but not unprivileged containers, try Fedora 20+ (kernel 3.17.8+)... The latter is somewhat safer because only this month there were CVEs related to the USERNS code.


Arch Linux is more than just GNU/Linux -- it's an adventure
pkill -9 systemd


#7 2015-01-27 01:19:01

karlyan
Member
Registered: 2015-01-26
Posts: 3

Re: enabling user namespace in kernel

update,

I recompiled the kernel after manually editing the config file and lxc-checkconfig returns all green :)
@Leonid.I thanks for the info, I'll consider doing one of the options.


#8 2015-02-07 12:40:23

solar
Member
Registered: 2011-03-01
Posts: 77

Re: enabling user namespace in kernel

@Leonid.I, I just would like to say: sure, namespaces can give a false sense of security, by all means, but say one is running privileged containers... if an attacker gains entry, there is no less of an escalation issue there than with an unprivileged one :)

So, running either is just as fine as such. Should you get owned on a privileged one, you are just as done for ;)

That is, if one is counting on server <isolation>... if one wishes to run a form of hosting service and rely on user namespaces to allow others onto systems, then yes, this would lead to a false sense of isolation indeed.

My point is, if one is using it for a single user server system, as many do at home say, it doesn't really _hurt_ to run guests unpriv. with user namespace support.


I am hilariously insane. yup. you won't notice though.. I promise...I think.
