
User Namespace in Red Hat Enterprise Linux 7.2

Red Hat announced the availability of user namespaces in the RHEL 7.2 release notes, but the notes don’t give details on how to use them. By default, user namespaces are disabled in RHEL 7.2.

Verify if user namespace is enabled

You can run a quick check by compiling and running the demo_userns.c program, which creates a child in a new user namespace. The child simply prints its effective user and group IDs and its capabilities. If it runs successfully, then user namespaces are already enabled for you. However, if it returns something like clone: Invalid argument, then user namespaces are disabled.

You might need to install the following package to build demo_userns.c:

sudo yum install libcap-devel

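Compile it, linking against libcap (-lcap, placed after the source file so the linker resolves the libcap symbols):

gcc demo_userns.c -o demo_userns -lcap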
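A smaller probe for the same check, added here as an example (it is not demo_userns.c and not code from the original post): it makes one clone call with CLONE_NEWUSER and maps the resulting errno to a verdict, so it needs no libcap. The names userns_state, classify_clone_errno and probe_userns are made up for this example, and the raw syscall argument order assumes x86_64 or aarch64.

```c
/* Added example: hypothetical helper names, not part of demo_userns.c. */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000 /* same value as in <linux/sched.h> */
#endif

enum userns_state { USERNS_ENABLED, USERNS_DISABLED, USERNS_DENIED, USERNS_ERROR };

/* Interpret the errno left by clone(CLONE_NEWUSER); 0 means the call succeeded. */
enum userns_state classify_clone_errno(int err)
{
    switch (err) {
    case 0:      return USERNS_ENABLED;
    case EINVAL: return USERNS_DISABLED; /* the "clone: Invalid argument" case */
    case EPERM:                          /* refused for this caller (chroot, sandbox) */
    case ENOSPC:                         /* namespace count or nesting limit reached */
    case EUSERS: return USERNS_DENIED;   /* older errno for the nesting limit */
    default:     return USERNS_ERROR;
    }
}

/* Create a short-lived child in a new user namespace and report the outcome. */
enum userns_state probe_userns(void)
{
    /* Raw clone with no new stack behaves like fork(); flags come first here. */
    long pid = syscall(SYS_clone, (unsigned long)(CLONE_NEWUSER | SIGCHLD), 0L, 0L, 0L, 0L);
    if (pid == -1)
        return classify_clone_errno(errno);
    if (pid == 0) _exit(0);              /* child: nothing to do, leave at once */
    waitpid((pid_t)pid, NULL, 0);
    return USERNS_ENABLED;
}

int main(void)
{
    static const char *const text[] = { "enabled", "disabled in the kernel (EINVAL)",
        "supported but denied to this process", "unexpected error" };
    enum userns_state s = probe_userns();
    printf("user namespaces: %s\n", text[s]);
    return s == USERNS_ENABLED ? 0 : 1;
}
```

The exit status is 0 only when the child was created, so the probe can be used in a provisioning script before and after the reboot.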

Enable user namespace

To enable user namespaces, you need to set a kernel boot parameter. You can do it by running the following command:

sudo grubby --args="user_namespace.enable=1" \
  --update-kernel=/boot/vmlinuz-3.10.0-327.el7.x86_64

Note: you might need to change the kernel version in the vmlinuz path to match your installed kernel.

Reboot the box.

Now you can verify by running demo_userns again; it should print the user ID, group ID and capabilities:

eUID = 65534;  eGID = 65534;  capabilities: = cap_chown,cap_dac_override,
cap_dac_read_search, cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,
...

Till then.