如何使用CLONE_NEWUSER标志

Question

从sample测试Containerization with LXC以演示用户名称空间。

应该在新用户命名空间中打印子进程的两个输出，并从父进程输出。

# ./user_namespace
UID outside the namespace is 0
GID outside the namespace is 0
UID inside the namespace is 65534
GID inside the namespace is 65534

但是，它只显示父输出。

UID outside the namespace is 1000
GID outside the namespace is 1000

请帮助理解子进程未打印的原因。

Code

#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <sched.h>
#include <signal.h>

static int childFunc(void *arg)
{
    printf("UID inside the namespace is %ld\n", (long)geteuid());
    printf("GID inside the namespace is %ld\n", (long)getegid());
}

static char child_stack[1024*1024];

int main(int argc, char *argv[])
{
    pid_t child_pid;

    /* child_pid = clone(childFunc, child_stack + (1024*1024), CLONE_NEWUSER, 0);*/

    child_pid = clone(&childFunc, child_stack + (1024*1024), CLONE_NEWUSER, 0);

    printf("UID outside the namespace is %ld\n", (long)geteuid());
    printf("GID outside the namespace is %ld\n", (long)getegid());
    waitpid(child_pid, NULL, 0);
    exit(EXIT_SUCCESS);
}

环境

$ uname -r
3.10.0-693.21.1.el7.x86_64

$ cat /etc/os-release 
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
CPE_NAME="cpe:/o:centos:centos:7"

参考

• How to use clone() to make parent process and child process run at the same time?
• man clone

更新

根据the jonny的回答，它是启用用户名称空间。对于RHEL / CentOS 7，Is it safe to enable user namespaces in CentOS 7.4 and how to do it?

• User namespaces no longer work in RHEL 7.4

  

默认情况下，新的7.4内核将用户名称空间的数量限制为0.要解决此问题，请增加用户名称空间限制：
  echo 15000＆gt;的/ proc / SYS /用户/ max_user_namespaces

Answer 1

可能禁用了非特权用户命名空间。由于您没有检查clone的返回值，您将不会注意到。在我的系统上运行strace打印：

.... startup stuff ...
clone(child_stack=0x55b41f2a4070, flags=CLONE_NEWUSER) = -1 EPERM (Operation not permitted)
geteuid()                               = 1000
fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 6), ...}) = 0
brk(NULL)                               = 0x55b4200b8000
brk(0x55b4200d9000)                     = 0x55b4200d9000
write(1, "UID outside the namespace is 100"..., 34UID outside the namespace is 1000
) = 34
getegid()                               = 1000
write(1, "GID outside the namespace is 100"..., 34GID outside the namespace is 1000
) = 34
wait4(-1, NULL, 0, NULL)                = -1 ECHILD (No child processes)
exit_group(0)   = ?

所以克隆因此waitpid失败，没有子进程。

请参阅此处以启用用户权限：https://superuser.com/questions/1094597/enable-user-namespaces-in-debian-kernel