Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

unshare failed: Invalid argument #2981

Closed
Rosalie241 opened this issue Feb 25, 2018 · 12 comments
Closed

unshare failed: Invalid argument #2981

Rosalie241 opened this issue Feb 25, 2018 · 12 comments
Labels
feature fixed-in-wsl2

Comments

@Rosalie241
Copy link

  • Microsoft Windows [Version 10.0.17107.1000]

I'm trying to get unshare -U to work but whenever I try to execute that command I get:

tim@localhost:/$ unshare -U
unshare: unshare failed: Invalid argument
tim@localhost:/$

it seems like WSL doesn't have User Namespaces implemented(CONFIG_USER_NS)

unshare.strace
@benhillis
Copy link
Member

You are correct, we have not yet implemented user namespaces.

@therealkenc
Copy link
Collaborator

Ref CLONE_NEWUSER in #2242, which was closed (entirely reasonably) because Chrome's suid sandbox now works, but still needs --disable-namespace-sandbox.

@tim241 - if you've got another use case ("I'm trying to....") it is worth citing.

@Rosalie241
Copy link
Author

Rosalie241 commented Feb 26, 2018
edited
Loading

@therealkenc well, I replaced the chroot with Void linux(because I want to write xbps package templates and the xbps-src script needs xbps-uunshare(which requires the unshare -U support if I'm correct) which is required for the way they build a package, so I /need/ the User Namespaces support. Here's an example of where it crashes:

> ~/void-packages ./xbps-src pkg linux
=> Using `/home/tim/void-packages/hostdir/binpkgs/wine-fixes' as local repository.
[*] Updating `https://repo.voidlinux.eu/current/x86_64-repodata' ...
[*] Updating `https://repo.voidlinux.eu/current/nonfree/x86_64-repodata' ...
[*] Updating `https://repo.voidlinux.eu/current/multilib/x86_64-repodata' ...
[*] Updating `https://repo.voidlinux.eu/current/multilib/nonfree/x86_64-repodata' ...
ERROR unshare (Invalid argument)
> ~/void-packages

here is where it crashes(I suspect)

EDIT: fixed broken links

@boypt
Copy link

boypt commented Jan 30, 2019

os.exec in Go also calls unshare(CLONE_NEWUSER) , which also cause Invalid argument to all Go program calling subprocess.

hope user namespaces sooner got implimented .

@gusbemacbe
Copy link

@therealkenc, are you still working on it?

@therealkenc
Copy link
Collaborator

Wasn't the person "working on it". I take boypt at face value above, which would imply it was not implemented in WSL1. There is also #3282 which I suspect (but can't prove) is a side effect of chrome no longer supporting SUID sandbox (nor --no-sandbox last time I played with it, which was some time ago).

CLONE_ALLTHETHINGS is fully functional in WSL2.

@gusbemacbe
Copy link

@therealkenc, strange, I used WSL2. My issue is similar to @tim241's.

@therealkenc
Copy link
Collaborator

therealkenc commented Oct 30, 2019
edited
Loading

Tim241 didn't have a repro so that post was glossed in January; this was before WSL2, and thus not too surprising a fail at the time. But as it happens I'm working on something in a space (almost) related Void Linux at the moment, so you've made me look on the lark. I was able to reproduce Tim's scenario on WSL2. There is an easier repro than the ./xbps-src dance. Inside a Void chroot, just:

image

With the entirely predictable strace:

unshare(CLONE_NEWUSER)                  = -1 EPERM (Operation not permitted)
write(2, "unshare: ", 9unshare: )                = 9
write(2, "unshare failed", 14unshare failed)          = 14
write(2, ": Operation not permitted\n", 26: Operation not permitted

Which is nutty (at least in my somewhat sleep deprived state) because outside the chroot (back in plain 'ole Ubuntu):

image

Which I already knew worked because I had done it before. At a loss right this moment to guess the variable. On first glance it is hard to finger-point WSL, because user namespaces is enabled in the kernel and, well, your know, works. But it is also near-impossible to finger-point Void userspace, because I can't think of anything that Void userspace could do to make the unshare(2) fail. It isn't performing the chroot(2) proper (that makes no sense).

Reason will probably be obvious once it comes to me; if someone else doesn't beat me to it. Appreciate the submission.

@Rosalie241
Copy link
Author

Rosalie241 commented Oct 30, 2019
edited
Loading

@therealkenc
I tested your repro on a native ubuntu 19.10 install (with an amd64 debian chroot)

image

it seems like intended behavior :)
some more research led to this:
https://unix.stackexchange.com/questions/442996/what-rule-prevents-entering-a-user-namespace-from-inside-a-chroot

@gusbemacbe
Copy link

There is an article of void-packages repo, which suggests to modify chroot's permissions.

@therealkenc
Copy link
Collaborator

therealkenc commented Oct 30, 2019
edited
Loading

it seems like intended behavior :)

I was afraid of that. Thanks.

[edit] Someone gets a gold star if they can concisely describe why unshare(2) returns EPERM in the scenario. There's going to be an "oh, right, that" good reason, but it isn't obvious to me atm.

@therealkenc therealkenc mentioned this issue Nov 2, 2019
Closed
@trajano
Copy link

trajano commented May 19, 2020

This would be useful to automate #5090 (comment) as per https://stackoverflow.com/questions/20553039/forcing-usermod-with-running-program/56338192#comment109450754_56338192

@srid srid mentioned this issue Sep 23, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feature fixed-in-wsl2
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@trajano @boypt @gusbemacbe @therealkenc @benhillis @Rosalie241