
sysctl: cannot stat /proc/sys/kernel/unprivileged_userns_clone: No such file or directory #1

Open
peterlewis opened this issue Sep 12, 2022 · 10 comments


peterlewis commented Sep 12, 2022

On launch of .appimage the following presents:

sysctl: cannot stat /proc/sys/kernel/unprivileged_userns_clone: No such file or directory

I note that this error is present in your screenshot and seems to relate to lines 61-65 in entrypoint.sh. Does this simply require some if embellishment, or is it left to error for some more significant reason that I don't understand?

Thanks, btw! This looks great! :)

popsUlfr (Owner) commented Sep 12, 2022

Well, it's a kernel option that should have been left enabled in the kernel by Valve so that users can decide to tighten their security if they want by disabling it. unprivileged_userns_clone is always enabled which is good for rootless podman but gives less configuration potential to the user.

I don't really want to silence any errors on sysctl since it could be useful for debugging, it will print this to stderr on SteamOS as a harmless warning in that instance since the option is always enabled just not configurable. On other distros the unprivileged_userns_clone switch will be available and no warning/error will be printed.

Maybe I should use the -e switch to ignore errors about unknown keys...

peterlewis (Author) commented:

Thank you for the prompt reply! If unprivileged_userns_clone is always enabled on SteamOS then would it be suitable to exclude that check when lsb_release -si returns SteamOS?

I've put together a PR for this at #2

popsUlfr (Owner) commented:

I appreciate the attempt but please no distro checking like this, the error could happen on any distro if the kernel does not have the option enabled.

Simply adding the -e switch to sysctl should silence the error.

peterlewis (Author) commented:

Sure thing. Just for your info, from my testing I experienced issues with the -ne 1 as it was expecting an integer as opposed to a string.

popsUlfr (Owner) commented:

I'm a bit embarrassed that it took me a while to catch the real issue with the sysctl line:

sysctl -n kernel.unprivileged_userns_clone >&2 || echo 1

This sends the value if there is any to stderr so nothing will ever get checked against 1 /facepalm

This is hopefully better:

"$(sysctl -e -n kernel.unprivileged_userns_clone)" = "0"

thimslugga commented:

I just wanted to mention that this setting does not exist in the upstream mainline kernel and it will only exist on distros that have applied certain patches to their respective kernel.

https://lwn.net/Articles/673597/

popsUlfr (Owner) commented:

> I just wanted to mention that this setting does not exist in the upstream mainline kernel and it will only exist on distros that have applied certain patches to their respective kernel.
>
> https://lwn.net/Articles/673597/

I think most distro kernels have the setting, at least the arch kernel has it. The Hardened kernel has it set to 0 so for rootless mode to work it needs to be set to 1. In case the setting is not available, "$(sysctl -e -n kernel.unprivileged_userns_clone)" = "0" will match empty string against 0 therefore it will ignore trying to set the sysctl value :)
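As an added example (not the project's entrypoint.sh and not code from anyone in this thread), the check from the last two comments written as a small POSIX shell script: the decision is isolated in a helper that takes the raw `sysctl -e -n` output, so the absent-key, 0 and 1 cases can be exercised without root, and the string comparison sidesteps the "integer expected" error mentioned earlier.

```shell
#!/bin/sh
# Added example: defensive handling of kernel.unprivileged_userns_clone for a
# rootless podman launcher. The pure helper below takes the value as read by
# `sysctl -e -n` so it can be tested against constructed inputs.

# userns_clone_state VALUE -> prints absent | disabled | enabled | unknown
#   absent   : empty string; key not present (mainline kernel without the
#              distro patch), nothing to configure
#   disabled : "0", e.g. linux-hardened; must be 1 for rootless podman
#   enabled  : "1"
userns_clone_state() {
    case "$1" in
        '') echo absent ;;
        0)  echo disabled ;;
        1)  echo enabled ;;
        *)  echo unknown ;;   # unexpected text; never treat it as a number
    esac
}

# needs_enabling VALUE -> exit 0 only when the switch exists and is off.
# A string comparison avoids the `[ "" -ne 1 ]` failure an absent key causes.
needs_enabling() {
    [ "$(userns_clone_state "$1")" = disabled ]
}

# read_userns_clone -> current value, or empty when the key (or sysctl) is
# missing. -e suppresses the "cannot stat" error, -n prints only the value.
read_userns_clone() {
    command -v sysctl >/dev/null 2>&1 || return 0
    sysctl -e -n kernel.unprivileged_userns_clone 2>/dev/null || true
}

# Report only: changing the value requires root and is left to the operator.
current=$(read_userns_clone)
printf 'kernel.unprivileged_userns_clone: %s\n' \
    "$(userns_clone_state "$current")" >&2
if needs_enabling "$current"; then
    echo 'rootless podman needs: sysctl -w kernel.unprivileged_userns_clone=1' >&2
fi
```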

thimslugga commented Dec 20, 2022

@popsUlfr debian based and arch based distros are the ones I've seen with the patch applied.

I forked your implementation and updated podman, dependencies and refactored some stuff. I haven't done a pull request as some of the changes are more than minor tweaks. Let me know if you're interested in a pull request.

https://github.com/thimslugga/podman-appimage

popsUlfr (Owner) commented:

> @popsUlfr debian based and arch based distros are the ones I've seen with the patch applied.
>
> I forked your implementation and updated podman, dependencies and refactored some stuff. I haven't done a pull request as some of the changes are more than minor tweaks. Let me know if you're interested in a pull request.
>
> https://github.com/thimslugga/podman-appimage

A pull request would be fantastic. Thank you for looking into updating this, I haven't had the time to up the version myself.

thimslugga commented:

> A pull request would be fantastic. Thank you for looking into updating this, I haven't had the time to up the version myself.

pull request #3
