
Deactivate kernel.unprivileged_userns_clone do

It looks like unprivileged user namespace isn't compiled in the greenhost kernel I tried earlier this week:

> TASK [openvpn : sysctl] ********************************************************************************
> fatal: [gateway1]: FAILED! => {"ansible_facts": {"discovered_interpreter_python": "/usr/bin/python3"}, "changed": false, "msg": "Failed to reload sysctl: kernel.panic = 10\nkernel.panic_on_oops = 1\nkernel.printk = 3 4 1 3\nnet.ipv4.ip_local_port_range = 20000 65535\nnet.ipv4.tcp_fin_timeout = 30\nnet.ipv4.tcp_keepalive_time = 1800\nnet.ipv4.tcp_keepalive_intvl = 30\nnet.ipv4.tcp_keepalive_probes = 5\nnet.ipv4.tcp_max_syn_backlog = 8192\nnet.ipv4.tcp_synack_retries = 2\nnet.ipv4.tcp_syn_retries = 2\nnet.core.rmem_max = 8738000\nnet.core.wmem_max = 6553600\nnet.ipv4.tcp_rmem = 8192 873800 8738000\nnet.ipv4.tcp_wmem = 4096 655360 6553600\nnet.core.somaxconn = 4000\nnet.core.netdev_max_backlog = 4000\nvm.max_map_count = 262144\nnet.netfilter.nf_conntrack_max = 524288\nfs.suid_dumpable = 0\nnet.ipv4.conf.all.accept_source_route = 0\nnet.ipv4.conf.default.accept_source_route = 0\nnet.ipv6.conf.all.accept_source_route = 0\nnet.ipv6.conf.default.accept_source_route = 0\nnet.ipv4.conf.all.accept_redirects = 0\nnet.ipv4.conf.default.accept_redirects = 0\nnet.ipv4.conf.all.secure_redirects = 0\nnet.ipv4.conf.default.secure_redirects = 0\nnet.ipv6.conf.all.accept_redirects = 0\nnet.ipv6.conf.default.accept_redirects = 0\nnet.ipv4.conf.all.send_redirects = 0\nnet.ipv4.icmp_ignore_bogus_error_responses = 1\nnet.ipv4.conf.all.rp_filter = 1\nnet.ipv4.conf.default.rp_filter = 1\ndev.tty.ldisc_autoload = 0\nfs.protected_fifos = 2\nfs.protected_hardlinks = 1\nfs.protected_regular = 2\nfs.protected_symlinks = 1\nkernel.kptr_restrict = 2\nkernel.perf_event_paranoid = 3\nkernel.sysrq = 0\nkernel.yama.ptrace_scope = 1\nnet.ipv4.ip_forward = 1\nsysctl: cannot stat /proc/sys/kernel/unprivileged_userns_clone: No such file or directory\n"}

Because it's not there, you can't switch it on or off.
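The failed reload above comes from sysctl trying to stat a key the running kernel does not expose. As an added example (not float's own code and not part of this issue), the shell function below reports which keys in a sysctl.conf-style file have no backing entry under the sysctl root, and which of those are tolerated because they carry the `-` prefix that sysctl.conf(5) defines as "ignore failures for this key"; the root is an argument that defaults to /proc/sys, so the check can also run against a constructed directory tree.

```shell
#!/bin/sh
# Added example, not float's own code. Reports hardening keys that the running
# kernel would reject so the loss is visible instead of silent.
# usage: list_unsupported_sysctls /path/to/sysctl.conf [/proc/sys]
# Output, one line per key without a backing file:
#   "missing <key>"  - plain line; sysctl --system would fail on it
#   "skipped <key>"  - line prefixed with '-'; sysctl ignores the failure
list_unsupported_sysctls() {
    conf="$1"
    root="${2:-/proc/sys}"   # assumed default; overridable for offline runs
    # Drop blank lines and '#'/';' comments, keep "key=value" and "key = value".
    grep -Ev '^[[:space:]]*(#|;|$)' "$conf" | while IFS= read -r line; do
        key="${line%%=*}"                                  # strip "=value"
        key="$(printf '%s' "$key" | tr -d '[:space:]')"    # strip whitespace
        case "$key" in
            -*) tolerated=yes; key="${key#-}" ;;           # sysctl.conf(5) '-'
            *)  tolerated=no ;;
        esac
        # kernel.unprivileged_userns_clone -> $root/kernel/unprivileged_userns_clone
        path="$root/$(printf '%s' "$key" | tr . /)"
        if [ ! -e "$path" ]; then
            if [ "$tolerated" = yes ]; then
                printf 'skipped %s\n' "$key"
            else
                printf 'missing %s\n' "$key"
            fi
        fi
    done
}
```

Run it against the rendered sysctl file before handing the file to `sysctl --system`; any `missing` line is a key that will abort the reload on that host.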

diff --git a/float/roles/float-base/templates/sysctl.conf.j2 b/float/roles/float-base/templates/sysctl.conf.j2
index 2a443ea..0433eac 100644
--- a/float/roles/float-base/templates/sysctl.conf.j2
+++ b/float/roles/float-base/templates/sysctl.conf.j2
@@ -119,7 +119,7 @@ kernel.unprivileged_bpf_disabled=1
 # Disable unprivileged user namespaces
 # https://lwn.net/Articles/673597
 # (linux-hardened default)
-kernel.unprivileged_userns_clone=0
+# kernel.unprivileged_userns_clone=0
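Review bot: commenting the line out removes the restriction on every host, including kernels that do expose the knob (the comment block above it records it as the linux-hardened default), so the hunk trades one failed reload for silently weaker settings everywhere. sysctl.conf(5) allows a line to start with `-` to ignore a failure setting that key, so `-kernel.unprivileged_userns_clone=0` would keep the hardening where the kernel supports it and let the reload continue where it does not; alternatively, guard the line in the template on a host fact. Whichever is chosen, the comment block should say the key is absent on some kernels, so the next reader knows why the line is special.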

It probably should check if the module is there rather than me manually hacking it out.

Edited by kwadronaut