User Namespace in Red Hat Enterprise Linux 7.2
June 25, 2016
Red Hat announced the availability of user namespace in RHEL 7.2 release notes, but they don’t give details on how to use them. By default in RHEL 7.2, user namespaces are disabled.
Verify if user namespace is enabled
You can run a quick check by executing the
demo_userns.c program, that creates a child
in new user namespace. The child simply prints its effective user, groupd IDs
and capabilities. If it runs successfuly, then namespaces are already enabled
for you. However, if it returns something like clone: Invalid argument, then user
namespaces are disabled.
You might need to install following libraries to run the demo_userns.c:
sudo yum install libcap-develCompile it using lcap:
gcc -lcap demo_ns.c -o demo_nsEnable user namespace
To enable user namespace, you need to change one of the kernel parameters. You can do it by running following command:
sudo grubby --args="user_namespace.enable=1" \
--update-kernel=/boot/vmlinuz-3.10.0-327.el7.x86_64Note: you might need to change the version of vmlinuz executable.
Reboot the box.
Now you can verify by running demo_userns.c again and it should print user id, group id and capabilities
eUID = 65534; eGID = 65534; capabilities: = cap_chown,cap_dac_override,
cap_dac_read_search, cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,
...Till then.