Filesystem permission problems with user namespaces and debootstrap

I want to build a lightweight process isolation tool built on Linux features like namespaces and chroot (in order to understand them better).

I am currently running the following commands to start an isolated process:

sudo debootstrap --no-merged-usr stable /container/1   # get a root file system (run as root, so the files are owned by root)
unshare --mount --uts --ipc --net --fork --user --map-root-user /bin/bash   # new namespaces; --map-root-user maps only my uid, to 0
chroot /container/1 /bin/bash
unshare --pid --fork /bin/bash   # just to have PID=1
mount -t proc none /proc
mount -t sysfs none /sys
mount -t tmpfs none /tmp

As far as I can tell this isolates the /bin/bash process from all other processes and filesystems. The problem is that every file in the chroot environment (and beyond) is owned by nobody:nogroup, which means nothing works that includes changing files. In the root namespace the files are owned by the root user (from the debootstrap command).

My idea to fix this was to run the debootstrap command in the same user namespace as the final process. I got this result:

$ unshare --fork --user --map-root-user
# debootstrap stable /container/2
mknod: /home/mocc/test2/test-dev-null: Operation not permitted
E: Cannot install into target '/home/mocc/test2' mounted with noexec or nodev

Remounting the filesystem as mentioned in "Cannot install into target mounted with noexec or nodev while doing qemu-debootstrapping" didn't work.

Does someone know how to run debootstrap within a user namespace, or another solution to the initial problem?
Tags: namespace, debootstrap, unshare
asked Dec 13 at 21:12
Benedikt Bock
    the unshare command is not designed to handle complex uid translations (it translates only the current user to root with --map-root-user). So you'll need another tool to handle this (e.g. lxc, or maybe newuidmap), along with, first, a translation (using some manual script doing a lot of chown) of all the uids to another range. See man subuid to get an idea.
    – A.B
    Dec 13 at 23:53
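A.B's suggestion (newuidmap with a range from /etc/subuid, plus re-owning the tree) and the nobody:nogroup symptom from the question, as an added POSIX shell example that is not part of the question or the comment. The function names and the sample subuid line are this example's own, and the closing comment assumes the setuid newuidmap/newgidmap helpers from the shadow package are installed.

```shell
#!/bin/sh
# Added example, not code from the question or from A.B's comment. It builds
# the argument list newuidmap(1) needs so that a user namespace maps uid 0 to
# the caller and uids 1..count onto the caller's /etc/subuid range, and shows
# how file ownership looks from inside such a namespace (names are ours).
set -eu

# Read "user:start:count" lines (/etc/subuid format) on stdin and print the
# newuidmap arguments for user $1 whose uid in the parent namespace is $2.
# newuidmap takes triples "<uid inside ns> <uid in parent ns> <count>", so
# the output is:  0 <caller uid> 1  1 <start> <count>
subuid_map_args() {
    entry=$(awk -F: -v u="$1" '$1 == u { print $2, $3; exit }')
    [ -n "$entry" ] || { echo "no subordinate uid range for $1" >&2; return 1; }
    set -- "$2" $entry                # $1=caller uid  $2=start  $3=count
    printf '0 %s 1 1 %s %s\n' "$1" "$2" "$3"
}

# What a process inside the namespace sees as the owner of a file stored on
# disk with uid $1, given the mapping as newuidmap triples. Unmapped uids show
# up as the kernel overflow uid 65534 ("nobody"): with --map-root-user only
# one uid is mapped, so a root-owned debootstrap tree appears as nobody.
ns_uid_for() {                        # ns_uid_for <host uid> <triples...>
    host=$1; shift
    while [ $# -ge 3 ]; do
        if [ "$host" -ge "$2" ] && [ "$host" -lt $(($2 + $3)) ]; then
            echo $(($1 + host - $2)); return 0
        fi
        shift 3
    done
    echo 65534
}

# Inverse: the on-disk uid that a file owned by uid $1 inside the namespace
# must have, i.e. the value a chown-based translation of the tree writes.
host_uid_for() {                      # host_uid_for <ns uid> <triples...>
    ns=$1; shift
    while [ $# -ge 3 ]; do
        if [ "$ns" -ge "$1" ] && [ "$ns" -lt $(($1 + $3)) ]; then
            echo $(($2 + ns - $1)); return 0
        fi
        shift 3
    done
    echo "uid $ns is not mapped in this namespace" >&2; return 1
}

# Applying it: start a shell with "unshare --user --fork" (without
# --map-root-user, which writes a one-entry map itself), then from outside run
#   newuidmap <pid> $(subuid_map_args "$USER" "$(id -u)" < /etc/subuid)
# and the same with newgidmap and /etc/subgid.
```

With the constructed entry mocc:100000:65536 and caller uid 1000, a file that debootstrap created as host uid 0 is seen as 65534 under the one-entry map but as uid 0 once it has been re-owned to host uid 1000, and a file owned by uid 33 inside the namespace lives on disk as uid 100032.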