I am trying to enable user namespaces on Docker. This of course requires user namespaces to be enabled in the kernel.
One of the steps to enable user namespaces in RHEL/CentOS is to:
echo "user.max_user_namespaces=15000" >> /etc/sysctl.conf
Because max_user_namespaces is 0 by default.
After this, you must either reboot or just execute sysctl -p
to load the sysctl settings in sysctl.conf. Once the settings are loaded, /proc/sys/user/max_user_namespaces
should contain 15000. This works just fine on RHEL 7.4 (kernel: 3.10.0-957.10.1.el7.x86_64).
And it also works on CentOS 7.4 (kernel: 3.10.0-693.10.1.el7.x86_64) when I run sysctl -p
. But if I reboot, max_user_namespaces gets set back to 0.
I checked the status of the systemd-sysctl service to find that it had an active (exited)
status:
● systemd-sysctl.service - Apply Kernel Variables
Loaded: loaded (/usr/lib/systemd/system/systemd-sysctl.service; static; vendor preset: disabled)
Active: active (exited) since Wed 2019-04-03 16:15:34 WEST; 16s ago
Docs: man:systemd-sysctl.service(8)
man:sysctl.d(5)
Process: 2786 ExecStart=/usr/lib/systemd/systemd-sysctl (code=exited, status=0/SUCCESS)
Main PID: 2786 (code=exited, status=0/SUCCESS)
Apr 03 16:15:34 localhost.localdomain systemd[1]: Starting Apply Kernel Variables...
Apr 03 16:15:34 localhost.localdomain systemd[1]: Started Apply Kernel Variables.
Upon closer inspection, I found that every time the systemd-sysctl service is started, it fails due to a 'Permission denied' error when it tries to write to /proc/sys/user/max_user_namespaces
:
$ journalctl -xn
[...]
Apr 03 16:15:34 localhost.localdomain sudo[2779]: user : TTY=tty1 ; PWD=/home/user ; USER=root ; COMMAND=/bin/systemctl start systemd-sysctl
Apr 03 16:15:34 localhost.localdomain polkitd[763]: Registered Authentication Agent for unix-process:2780:7181831 (system bus name :1.51 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Apr 03 16:15:34 localhost.localdomain systemd[1]: Starting Apply Kernel Variables...
-- Subject: Unit systemd-sysctl.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit systemd-sysctl.service has begun starting up.
Apr 03 16:15:34 localhost.localdomain systemd-sysctl[2786]: Failed to write '15000' to '/proc/sys/user/max_user_namespaces': Permission denied
Apr 03 16:15:34 localhost.localdomain systemd[1]: Started Apply Kernel Variables.
-- Subject: Unit systemd-sysctl.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit systemd-sysctl.service has finished starting up.
--
-- The start-up result is done.
Apr 03 16:15:34 localhost.localdomain polkitd[763]: Unregistered Authentication Agent for unix-process:2780:7181831 (system bus name :1.51, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Here are the permissions of the file (in both RHEL and CentOS):
$ ls -l /proc/sys/user/max_user_namespaces
-rw-r--r--. 1 root root 0 Apr 3 10:10 /proc/sys/user/max_user_namespaces
As I said, I am able to change it with sysctl -p
or by editing it directly using sudo. Why can't the systemd-sysctl service write to it?
Mind you that the exact same thing works on RHEL... I have no idea what the problem is and I coudn't find an answer anywhere. There is this question, but it's still unanswered.
Any ideas?