clone: operation not permitted

Published 2019-06-28 00:41

Question:

I am using isolate, an isolator to isolate the execution of another program using Linux Containers. It's very handy and it works very well locally on my computer (I can run fork bombs and infinite loops and it protects everything).

Now I'm trying to get this to work on an Ubuntu 12.04 server I have, but I'm having some difficulties with it. It's a fresh server too.

When I run:

sudo isolate --run -- mycommand

(for mycommand I usually try python3 or something), I get:

clone: Operation not permitted

So, I dug into the clone function (called like this in isolate.c):

box_pid = clone(
  box_inside,   // Function to execute as the body of the new process
  argv,         // Pass our stack
  SIGCHLD | CLONE_NEWIPC | CLONE_NEWNET | CLONE_NEWNS | CLONE_NEWPID,
  argv);        // Pass the arguments
if (box_pid < 0)
  die("clone: %m");   // %m expands to strerror(errno), hence "clone: Operation not permitted"
if (!box_pid)
  die("clone returned 0");
box_keeper();

Here's the return value description for the clone function:

On success, the thread ID of the child process is returned in the caller's thread of execution. On failure, -1 is returned in the caller's context, no child process will be created, and errno will be set appropriately.

And this is the error I'm getting:

EPERM Operation not permitted (POSIX.1)

And then I also found this:

EPERM CLONE_NEWNS was specified by a non-root process (process without CAP_SYS_ADMIN).

The clone function is indeed passing CLONE_NEWNS to run the program in a new namespace. I actually tried removing it, but I keep getting clone: Operation not permitted.

So, it all seems to point to not having root privileges, but I actually ran the command as root (with and without sudo, just to be sure), and also with a normal user in the sudoers group. None of that worked, but it works very well locally. Root privileges work for everything else, but for some reason when I run this isolate program, it doesn't work.

I tried both with isolate in /usr/bin and running ./isolate in a local folder too.

Answer 1:

I had this issue because I was trying to use isolate within a docker container.

Rerunning the container with the --privileged flag fixed it for me.
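A small diagnostic, added here and not part of isolate or of either post, that reproduces the clone() flags isolate.c uses and reads the effective capability set, so you can confirm from inside a container whether the namespace flags are allowed before suspecting the root account itself. It assumes Linux with glibc's clone() wrapper; the CapEff values quoted in the comments are constructed samples.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* The namespace flags isolate.c hands to clone(); every one of them needs CAP_SYS_ADMIN. */
#define ISOLATE_FLAGS (SIGCHLD | CLONE_NEWIPC | CLONE_NEWNET | CLONE_NEWNS | CLONE_NEWPID)
#define CAP_SYS_ADMIN_BIT 21  /* bit index of CAP_SYS_ADMIN in the CapEff mask (linux/capability.h) */

static char child_stack[64 * 1024];  /* dedicated stack for the cloned child; it grows downward */

static int child_fn(void *arg) { (void)arg; return 0; }  /* the child does nothing and exits */

/* Attempt clone() with the given flags. Returns 0 when the child was created and
 * reaped, otherwise the errno clone() reported (EPERM when the kernel refuses the
 * namespace flags because the caller lacks CAP_SYS_ADMIN, e.g. in an unprivileged container). */
int probe_clone_flags(int flags) {
    pid_t pid = clone(child_fn, child_stack + sizeof(child_stack), flags, NULL);
    if (pid < 0)
        return errno;
    waitpid(pid, NULL, 0);
    return 0;
}

/* Parse the "CapEff:" line of a /proc/<pid>/status dump and report whether
 * CAP_SYS_ADMIN is in the effective set. Returns 1 or 0, or -1 if the line is absent.
 * Constructed samples: "CapEff:\t0000003fffffffff" (full root set) -> 1,
 * "CapEff:\t00000000a80425fb" (a typical default container set) -> 0. */
int has_cap_sys_admin(const char *status_text) {
    const char *line = strstr(status_text, "CapEff:");
    if (!line)
        return -1;
    unsigned long long caps = strtoull(line + strlen("CapEff:"), NULL, 16);  /* strtoull skips the tab */
    return (int)((caps >> CAP_SYS_ADMIN_BIT) & 1ULL);
}

int main(void) {
    char status[8192] = {0};
    FILE *f = fopen("/proc/self/status", "r");
    if (f) { fread(status, 1, sizeof(status) - 1, f); fclose(f); }
    printf("CAP_SYS_ADMIN effective:  %d\n", has_cap_sys_admin(status));
    printf("plain clone (SIGCHLD):    %s\n", strerror(probe_clone_flags(SIGCHLD)));
    printf("isolate namespace flags:  %s\n", strerror(probe_clone_flags(ISOLATE_FLAGS)));
    return 0;
}
```

If the plain clone succeeds but the namespace probe reports "Operation not permitted" and CAP_SYS_ADMIN is 0, the process is missing the capability rather than root itself, which matches the container case in the answer.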

Tags: linux root sudo