what about requiring sudo to do nsenter? (even when using runc rootless)
On Mon, Mar 5, 2018 at 4:09 PM, Giuseppe Scrivano <gscri...@redhat.com> wrote:
> Muayyad AlSadi <als...@gmail.com> writes:
>
> > when using runc
> >
> > $ mypid=`runc list | tail -n 1 | awk '{print $2}'`
> > $ nsenter -a -t $mypid /bin/sh
> > nsenter: reassociate to namespace 'ns/cgroup' failed: Operation not permitted
> > $ sudo nsenter -a -t $mypid /bin/sh
> > # worked fine
> >
> > but when using bwraps
> >
> > $ mypid=`bwrap-oci list | tail -n 1 | awk '{print $2}'`
> > $ nsenter -a -t $mypid /bin/sh
> > nsenter: reassociate to namespace 'ns/net' failed: Operation not permitted
> > $ sudo nsenter -a -t $mypid /bin/sh
> > nsenter: failed to execute /bin/sh: No such file or directory
>
> I guess that is an issue in bwrap as it internally uses chroot instead
> of a pivot_root. This PR should probably fix the problem you are
> seeing:
>
> https://github.com/projectatomic/bubblewrap/pull/256
>
> Giuseppe