Date: Thu, 24 Oct 2019 01:06:37 +0300 (MSK)
From: Ivan Zakharyaschev
To: ALT Linux Sisyphus discussions
Subject: Re: [sisyphus] electron v 5.0 and user namespaces feature

On Tue, 22 Oct 2019, Michael Bykov wrote:

> Hi,

Hello!

> This is supposed to work on every Linux, but on ours (and on Arch) there is an error again
> $ npm start
>
> The setuid sandbox is not running as root. Common causes:
> * An unprivileged process using ptrace on it, like a debugger.
> * A parent process set prctl(PR_SET_NO_NEW_PRIVS, ...)
> Failed to move to new namespace: PID namespaces supported, Network
> namespace supported, but failed: errno = Operation not permitted
>
> Great, they say it can be fixed
>
> https://github.com/electron/electron/issues/17972:
>
> $ sudo sysctl kernel.unprivileged_userns_clone=1
>
> or https://github.com/jessfraz/dockerfiles/issues/65#issuecomment-266532289:
>
> $ echo 'kernel.unprivileged_userns_clone=1' > /etc/sysctl.d/00-local-userns.conf
> $ service procps restart
>
> But such things do not work for us, naturally.
> sysctl: cannot stat /proc/sys/kernel/unprivileged_userns_clone: No
> such file or directory
>
> So what should I do?
>
> Here is what they write:
> ------------
> Here's an article I found describing the background of why it's not
> enabled by default: Controlling access to user namespaces and here's
> how to enable it (from Enable user namespaces in Debian kernel):
> https://lwn.net/Articles/673597/
> http://superuser.com/questions/1094597/enable-user-namespaces-in-debian-kernel
> -------------

https://unix.stackexchange.com/a/303214/4319

Volodya Seleznev has already given this specific answer:

sysctl -w kernel.userns_restrict=0

> I have p8 + Sisyphus:
>
> $ uname -a
> (git)-[master]
> Linux asus 4.9.133-std-def-alt0.M80P.1 #1 SMP Mon Oct 15 16:46:38 UTC
> 2018 x86_64 GNU/Linux

-- 
Best regards,
Ivan
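
The thread names two distribution-specific sysctl knobs for the same feature, which is why the Debian/Arch advice fails on ALT. The following is an added example, not part of the original message or of any project mentioned: a check that reports which knob the running kernel exposes and whether unprivileged user namespaces are currently allowed. The function name `userns_status` and its output format are hypothetical; it assumes, as the thread implies, that `kernel.userns_restrict=0` lifts the restriction and `kernel.unprivileged_userns_clone=1` enables the feature.

```shell
#!/bin/sh
# Report whether unprivileged user namespaces are permitted, using whichever
# sysctl knob this kernel exposes. The sysctl root is a parameter so the
# function can be pointed at a constructed tree instead of the live /proc/sys.
userns_status() {
    root=${1:-/proc/sys}
    alt="$root/kernel/userns_restrict"            # ALT kernels (from the thread)
    deb="$root/kernel/unprivileged_userns_clone"  # Debian/Arch patched kernels
    max="$root/user/max_user_namespaces"          # mainline limit, 0 = none allowed

    # A zero namespace limit disables creation regardless of the other knobs.
    if [ -r "$max" ] && [ "$(cat "$max")" = "0" ]; then
        echo "disabled user.max_user_namespaces"
        return 0
    fi
    if [ -r "$alt" ]; then
        # Assumption taken from the thread: 0 lifts the restriction.
        if [ "$(cat "$alt")" = "0" ]; then
            echo "enabled kernel.userns_restrict"
        else
            echo "disabled kernel.userns_restrict"
        fi
    elif [ -r "$deb" ]; then
        if [ "$(cat "$deb")" = "1" ]; then
            echo "enabled kernel.unprivileged_userns_clone"
        else
            echo "disabled kernel.unprivileged_userns_clone"
        fi
    elif [ -r "$max" ]; then
        # No distribution patch present: only the mainline limit applies.
        echo "enabled user.max_user_namespaces"
    else
        echo "unknown none"
    fi
}

# Print the state of the live system (or of the tree given as $1).
userns_status "$@"
```

The first word is the state and the second is the knob that decided it, so a deployment script can branch on the knob name rather than hard-coding one distribution's sysctl.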