On 2020-12-07, zimoun wrote:
> On Mon, 07 Dec 2020 at 18:13, Pierre Neidhardt <mail@ambrevar.xyz> wrote:
>
>>> Can you try, as root on Guix System:
>>>
>>> $ echo 1 > /proc/sys/kernel/unprivileged_userns_clone
>>
>> # echo 1 > /proc/sys/kernel/unprivileged_userns_clone
>> -bash: /proc/sys/kernel/unprivileged_userns_clone: No such file or directory
>
> In gnu/build/linux-container.scm, it reads:
>
> --8<---------------cut here---------------start------------->8---
> (define (unprivileged-user-namespace-supported?)
>   "Return #t if user namespaces can be created by unprivileged users."
>   (let ((userns-file "/proc/sys/kernel/unprivileged_userns_clone"))
>     (if (file-exists? userns-file)
>         (eqv? #\1 (call-with-input-file userns-file read-char))
>         #t)))
> --8<---------------cut here---------------end--------------->8---
>
> Does it mean that the Linux kernel on Guix System does not support
> namespaces by unprivileged users?

> Turning #t to #f should work on Guix System and it appears to me a
> severe bug if not.  What do I miss?  Please could someone fill my gap? :-)

The /proc/sys/kernel_unprivileged_userns_clone file is specific to
Debian and Ubuntu packaged linux kernel; it is a patchset not applied
upstream, as far as I am aware. I'm not sure if other distros support
disabling and enabling this feature using this mechanism.

  https://salsa.debian.org/kernel-team/linux/-/blob/master/debian/patches/debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch

live well,
  vagrant