
I am trying to enable user namespaces on Docker. This of course requires user namespaces to be enabled in the kernel.

One of the steps to enable user namespaces in RHEL/CentOS is to:

echo "user.max_user_namespaces=15000" >> /etc/sysctl.conf

This is because max_user_namespaces is 0 by default. After this, you must either reboot or just execute sysctl -p to load the sysctl settings in sysctl.conf. Once the settings are loaded, /proc/sys/user/max_user_namespaces should contain 15000. This works just fine on RHEL 7.4 (kernel: 3.10.0-957.10.1.el7.x86_64).

And it also works on CentOS 7.4 (kernel: 3.10.0-693.10.1.el7.x86_64) when I run sysctl -p. But if I reboot, max_user_namespaces gets set back to 0.

I checked the status of the systemd-sysctl service to find that it had an active (exited) status:

● systemd-sysctl.service - Apply Kernel Variables
  Loaded: loaded (/usr/lib/systemd/system/systemd-sysctl.service; static; vendor preset: disabled)
  Active: active (exited) since Wed 2019-04-03 16:15:34 WEST; 16s ago
    Docs: man:systemd-sysctl.service(8)
          man:sysctl.d(5)
 Process: 2786 ExecStart=/usr/lib/systemd/systemd-sysctl (code=exited, status=0/SUCCESS)
Main PID: 2786 (code=exited, status=0/SUCCESS)

Apr 03 16:15:34 localhost.localdomain systemd[1]: Starting Apply Kernel Variables...
Apr 03 16:15:34 localhost.localdomain systemd[1]: Started Apply Kernel Variables.

Upon closer inspection, I found that every time the systemd-sysctl service is started, it fails due to a 'Permission denied' error when it tries to write to /proc/sys/user/max_user_namespaces:

$ journalctl -xn
[...]
Apr 03 16:15:34 localhost.localdomain sudo[2779]:     user : TTY=tty1 ; PWD=/home/user ; USER=root ; COMMAND=/bin/systemctl start systemd-sysctl
Apr 03 16:15:34 localhost.localdomain polkitd[763]: Registered Authentication Agent for unix-process:2780:7181831 (system bus name :1.51 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Apr 03 16:15:34 localhost.localdomain systemd[1]: Starting Apply Kernel Variables...
-- Subject: Unit systemd-sysctl.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit systemd-sysctl.service has begun starting up.
Apr 03 16:15:34 localhost.localdomain systemd-sysctl[2786]: Failed to write '15000' to '/proc/sys/user/max_user_namespaces': Permission denied
Apr 03 16:15:34 localhost.localdomain systemd[1]: Started Apply Kernel Variables.
-- Subject: Unit systemd-sysctl.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit systemd-sysctl.service has finished starting up.
-- 
-- The start-up result is done.
Apr 03 16:15:34 localhost.localdomain polkitd[763]: Unregistered Authentication Agent for unix-process:2780:7181831 (system bus name :1.51, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)

Here are the permissions of the file (in both RHEL and CentOS):

$ ls -l /proc/sys/user/max_user_namespaces
-rw-r--r--. 1 root root 0 Apr  3 10:10 /proc/sys/user/max_user_namespaces

As I said, I am able to change it with sysctl -p or by editing it directly using sudo. Why can't the systemd-sysctl service write to it?

Mind you, the exact same thing works on RHEL... I have no idea what the problem is and I couldn't find an answer anywhere. There is this question, but it's still unanswered.

Any ideas?
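The question compares three things by hand: the value written to sysctl.conf, the value the kernel exposes in /proc after a reboot, and the "Failed to write" line in the journal. The script below is an added example, not code from the question or from any distribution; it wraps those three checks in functions so the comparison can be repeated after every reboot or unit restart. The function names are my own, and all inputs are passed as file paths or text so the demonstration at the bottom runs on constructed sample files rather than on the live system.

```shell
#!/bin/sh
# Added example (not from the original post). Functions take paths/text so
# they can be run against constructed sample files as well as a live host.

# configured_max_userns FILE...: print the user.max_user_namespaces value
# found in sysctl.conf-style files. Later files on the command line win,
# mirroring "last setting read wins" in sysctl; comments are stripped and
# both the 'user.max_...' and 'user/max_...' key spellings are accepted.
# Prints an empty line when nothing is configured.
configured_max_userns() {
    val=""
    for f in "$@"; do
        [ -r "$f" ] || continue
        v=$(sed -e 's/[#;].*//' "$f" \
            | sed -n 's/^[[:space:]]*user[./]max_user_namespaces[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' \
            | tail -n 1)
        if [ -n "$v" ]; then val=$v; fi
    done
    printf '%s\n' "$val"
}

# running_max_userns FILE: print the live value (on a real host the file is
# /proc/sys/user/max_user_namespaces); empty if the file is unreadable.
running_max_userns() {
    cat "$1" 2>/dev/null | tr -d '[:space:]'
    echo
}

# sysctl_write_failures TEXT: print the journal lines in which systemd-sysctl
# reported a failed write, such as the 'Permission denied' line in the post.
sysctl_write_failures() {
    printf '%s\n' "$1" | grep -E 'systemd-sysctl\[[0-9]+\]: Failed to write' || true
}

# userns_status CONFIGURED RUNNING: one-word verdict for the comparison.
userns_status() {
    conf=$1; run=$2
    if [ -z "$conf" ]; then
        echo not-configured          # nothing set in the conf files
    elif [ "$run" = "$conf" ]; then
        echo applied                 # what sysctl -p gives on both distros
    elif [ "$run" = 0 ]; then
        echo not-applied-at-boot     # the CentOS symptom: back to 0 after reboot
    else
        echo mismatch                # some other value is in effect
    fi
}

# Stand-alone demonstration on constructed files (no real system paths).
demo() {
    d=$(mktemp -d)
    printf 'user.max_user_namespaces=15000\n' > "$d/sysctl.conf"
    printf '0\n' > "$d/max_user_namespaces"   # constructed: the post-reboot value
    # constructed journal line modelled on the one quoted in the question
    j="Apr 03 16:15:34 localhost.localdomain systemd-sysctl[2786]: Failed to write '15000' to '/proc/sys/user/max_user_namespaces': Permission denied"
    conf=$(configured_max_userns "$d/sysctl.conf")
    run=$(running_max_userns "$d/max_user_namespaces")
    echo "configured=$conf running=$run status=$(userns_status "$conf" "$run")"
    sysctl_write_failures "$j"
    rm -rf "$d"
}

demo
```

On a real host the same functions would be called with the real inputs: `configured_max_userns /etc/sysctl.conf /etc/sysctl.d/*.conf` (the exact precedence between those locations is documented in sysctl.d(5), which the unit status already points to; the function simply honours the order it is given), `running_max_userns /proc/sys/user/max_user_namespaces`, and `sysctl_write_failures "$(journalctl -b -u systemd-sysctl --no-pager)"` to pull only the current boot's messages from the unit rather than scrolling through `journalctl -xn`.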

  • sysctl in container: stackoverflow.com/questions/54845095/…
    – cptPH
    Commented Dec 17, 2019 at 12:19
  • Thanks, but that is not relevant since my issue is not really Docker related. I'm just not able to enable user namespaces automatically on boot in CentOS.
    – gfields
    Commented Dec 19, 2019 at 9:37
