syscall: exec_linux_test.go fails on CentOS 7

[luohoufu]

Please answer these questions before submitting your issue. Thanks!

1. What version of Go are you using (go version)?

   master branch

2. What operating system and processor architecture are you using (go env)?

   centos 7 x86_64

3. What did you do?

   build go from source

4. What did you expect to see?

   build pass

5. What did you see instead?

   --- FAIL: TestCloneNEWUSERAndRemapRootDisableSetgroups (0.00s)
   exec_linux_test.go:81: Cmd failed with err fork/exec /usr/bin/whoami: invalid argument, output:
   --- FAIL: TestCloneNEWUSERAndRemapRootEnableSetgroups (0.00s)
   exec_linux_test.go:81: Cmd failed with err fork/exec /usr/bin/whoami: invalid argument, output:
   --- FAIL: TestEmptyCredGroupsDisableSetgroups (0.00s)
   exec_linux_test.go:129: fork/exec /usr/bin/whoami: invalid argument
   --- FAIL: TestGroupCleanupUserNamespace (0.00s)
   exec_linux_test.go:232: Cmd failed with err fork/exec /usr/bin/id: invalid argument, output:
   FAIL
   FAIL syscall

[ianlancetaylor]

Are you building as root or some other user?

[ianlancetaylor]

CC @LK4D4

[LK4D4]

@luohoufu could you check if /proc/self/ns/user exists from your shell?
Also worth to check kernel version and CONFIG_USER_NS in /proc/config.gz or maybe it's somewhere in /boot on centos.

[ianlancetaylor]

It may also help to run

go test -c syscall
strace -f ./syscall.test

That should show us exactly which system call is failing with EINVAL.

[luohoufu]

@ianlancetaylor
i building go source code as root.
@LK4D4
[root@snails src]# uname -r
3.10.0-327.el7.x86_64
[root@snails src]# ll /proc/self/ns/user
lrwxrwxrwx 1 root root 0 7月 12 11:53 /proc/self/ns/user -> user:[4026531837]
[root@snails src]# grep CONFIG_USER_NS /boot/config-uname -r
CONFIG_USER_NS=y

[luohoufu]

[root@snails src]# go test -c syscall
[root@snails src]# strace -o /root/go/src/syscall.strace.txt -f /root/go/src/syscall.test
syscall.strace.txt

[LK4D4]

@luohoufu heh, sorry to ask you again, but can you try if unshare -Ur works for you from root and unprivileged user?

[luohoufu]

ah,i nerver use unshare,could you tell me how to use it as root user.

[LK4D4]

@luan it's just command line utility. So, I'm doing it's just from my shell.

[jessfraz]

I dont think centos 7 has userns enabled out of box? or maybe it's an selinux issue?

[jessfraz]

@luohoufu try running

$ unshare --user -- ls -la

[luohoufu]

@jfrazelle i can't run with the comman d

[root@snails boot]# unshare -h

Usage:
unshare [options] [...]

Run a program with some namespaces unshared from the parent.

Options:
-m, --mount unshare mounts namespace
-u, --uts unshare UTS namespace (hostname etc)
-i, --ipc unshare System V IPC namespace
-n, --net unshare network namespace
-p, --pid unshare pid namespace
-U, --user unshare user namespace
-f, --fork fork before launching
--mount-proc[=

] mount proc filesystem first (implies --mount)
-r, --map-root-user map current user to root (implies --user)
--propagation <slave|shared|private|unchanged>
modify mount propagation in mount namespace
-s, --setgroups allow|deny control the setgroups syscall in user namespaces

-h, --help display this help and exit
-V, --version output version information and exit

For more details see unshare(1).

[root@snails boot]# sestatus -v
SELinux status: disabled
[root@snails boot]# ll
总用量 71640
-rw-r--r-- 1 root root 126426 11月 20 2015 config-3.10.0-327.el7.x86_64
drwxr-xr-x 2 root root 4096 5月 3 13:49 grub
drwx------ 6 root root 4096 5月 12 21:40 grub2
-rw-r--r-- 1 root root 40860375 5月 3 13:52 initramfs-0-rescue-7d26c16f128042a684ea474c9e2c240f.img
-rw-r--r-- 1 root root 18222824 5月 3 15:44 initramfs-3.10.0-327.el7.x86_64.img
-rw-r--r-- 1 root root 602684 5月 3 13:50 initrd-plymouth.img
-rw-r--r-- 1 root root 252612 11月 20 2015 symvers-3.10.0-327.el7.x86_64.gz
-rw------- 1 root root 2963044 11月 20 2015 System.map-3.10.0-327.el7.x86_64
-rwxr-xr-x 1 root root 5156528 5月 3 13:53 vmlinuz-0-rescue-7d26c16f128042a684ea474c9e2c240f
-rwxr-xr-x 1 root root 5156528 11月 20 2015 vmlinuz-3.10.0-327.el7.x86_64
[root@snails boot]# dmesg | grep -i xen
[ 0.000000] DMI: Xen HVM domU, BIOS 4.0.1 12/16/2014
[ 0.000000] Hypervisor detected: Xen HVM
[ 0.000000] Xen version 4.0.
[ 0.000000] Xen Platform PCI: I/O protocol version 1
[ 0.000000] Netfront and the Xen platform PCI driver have been compiled for this kernel: unplug emulated NICs.
[ 0.000000] Blkfront and the Xen platform PCI driver have been compiled for this kernel: unplug emulated disks.
[ 0.000000] ACPI: RSDP 00000000000ea020 00024 (v02 Xen)
[ 0.000000] ACPI: XSDT 00000000fc012cb0 00034 (v01 Xen HVM 00000000 HVML 00000000)
[ 0.000000] ACPI: FACP 00000000fc012ad0 000F4 (v04 Xen HVM 00000000 HVML 00000000)
[ 0.000000] ACPI: DSDT 00000000fc002c40 0FE0B (v02 Xen HVM 00000000 INTL 20090123)
[ 0.000000] ACPI: APIC 00000000fc012bd0 000D8 (v02 Xen HVM 00000000 HVML 00000000)
[ 0.000000] Booting paravirtualized kernel on Xen HVM
[ 0.000000] xen:events: Xen HVM callback vector for event delivery is enabled
[ 0.060613] Xen: using vcpuop timer interface
[ 0.060622] installing Xen timer for CPU 0
[ 0.061976] installing Xen timer for CPU 1
[ 0.387036] xen:balloon: Initialising balloon driver
[ 0.397052] xen_balloon: Initialising balloon driver
[ 0.402026] Switching to clocksource xen
[ 1.086760] xen:grant_table: Grant tables using version 1 layout
[ 1.112874] xenbus_probe_frontend: Device with no driver: device/vkbd/0
[ 1.112876] xenbus_probe_frontend: Device with no driver: device/vfb/0
[ 1.112878] xenbus_probe_frontend: Device with no driver: device/vbd/768
[ 1.112879] xenbus_probe_frontend: Device with no driver: device/vbd/51728
[ 1.112880] xenbus_probe_frontend: Device with no driver: device/vif/0
[ 1.112882] xenbus_probe_frontend: Device with no driver: device/vif/1
[ 1.118554] systemd[1]: Detected virtualization xen.
[ 1.532430] xen_netfront: Initialising Xen virtual ethernet driver
[ 6.496103] input: Xen Virtual Keyboard as /devices/virtual/input/input6
[ 6.496212] input: Xen Virtual Pointer as /devices/virtual/input/input7
[ 11.560036] xenbus_probe_frontend: Waiting for devices to initialise: 25s...20s...15s...10s...5s...0s...
[ 36.561321] xenbus_probe_frontend: Timeout connecting to device: device/vkbd/0 (local state 3, remote state 1)

maybe the linux kernel bug with xen?

[jessfraz]

What was the error when you ran the command giving help output doesn't help

On Thursday, July 14, 2016, Tonny notifications@github.com wrote:

@jfrazelle https://github.com/jfrazelle i can't run with the comman d

[root@snails boot]# unshare -h

Usage:
unshare [options] [...]

Run a program with some namespaces unshared from the parent.

Options:
-m, --mount unshare mounts namespace
-u, --uts unshare UTS namespace (hostname etc)
-i, --ipc unshare System V IPC namespace
-n, --net unshare network namespace
-p, --pid unshare pid namespace
-U, --user unshare user namespace
-f, --fork fork before launching
--mount-proc[=
] mount proc filesystem first (implies --mount)
-r, --map-root-user map current user to root (implies --user)
--propagation
modify mount propagation in mount namespace
-s, --setgroups allow|deny control the setgroups syscall in user namespaces

-h, --help display this help and exit
-V, --version output version information and exit

For more details see unshare(1).

[root@snails boot]# sestatus -v
SELinux status: disabled
[root@snails boot]# ll
总用量 71640
-rw-r--r-- 1 root root 126426 11月 20 2015 config-3.10.0-327.el7.x86_64
drwxr-xr-x 2 root root 4096 5月 3 13:49 grub
drwx------ 6 root root 4096 5月 12 21:40 grub2
-rw-r--r-- 1 root root 40860375 5月 3 13:52
initramfs-0-rescue-7d26c16f128042a684ea474c9e2c240f.img
-rw-r--r-- 1 root root 18222824 5月 3 15:44
initramfs-3.10.0-327.el7.x86_64.img
-rw-r--r-- 1 root root 602684 5月 3 13:50 initrd-plymouth.img
-rw-r--r-- 1 root root 252612 11月 20 2015 symvers-3.10.0-327.el7.x86_64.gz
-rw------- 1 root root 2963044 11月 20 2015 System.map-3.10.0-327.el7.x86_64
-rwxr-xr-x 1 root root 5156528 5月 3 13:53
vmlinuz-0-rescue-7d26c16f128042a684ea474c9e2c240f
-rwxr-xr-x 1 root root 5156528 11月 20 2015 vmlinuz-3.10.0-327.el7.x86_64
[root@snails boot]# dmesg | grep -i xen
[ 0.000000] DMI: Xen HVM domU, BIOS 4.0.1 12/16/2014
[ 0.000000] Hypervisor detected: Xen HVM
[ 0.000000] Xen version 4.0.
[ 0.000000] Xen Platform PCI: I/O protocol version 1
[ 0.000000] Netfront and the Xen platform PCI driver have been compiled
for this kernel: unplug emulated NICs.
[ 0.000000] Blkfront and the Xen platform PCI driver have been compiled
for this kernel: unplug emulated disks.
[ 0.000000] ACPI: RSDP 00000000000ea020 00024 (v02 Xen)
[ 0.000000] ACPI: XSDT 00000000fc012cb0 00034 (v01 Xen HVM 00000000 HVML
00000000)
[ 0.000000] ACPI: FACP 00000000fc012ad0 000F4 (v04 Xen HVM 00000000 HVML
00000000)
[ 0.000000] ACPI: DSDT 00000000fc002c40 0FE0B (v02 Xen HVM 00000000 INTL
20090123)
[ 0.000000] ACPI: APIC 00000000fc012bd0 000D8 (v02 Xen HVM 00000000 HVML
00000000)
[ 0.000000] Booting paravirtualized kernel on Xen HVM
[ 0.000000] xen:events: Xen HVM callback vector for event delivery is
enabled
[ 0.060613] Xen: using vcpuop timer interface
[ 0.060622] installing Xen timer for CPU 0
[ 0.061976] installing Xen timer for CPU 1
[ 0.387036] xen🎈 Initialising balloon driver
[ 0.397052] xen_balloon: Initialising balloon driver
[ 0.402026] Switching to clocksource xen
[ 1.086760] xen:grant_table: Grant tables using version 1 layout
[ 1.112874] xenbus_probe_frontend: Device with no driver: device/vkbd/0
[ 1.112876] xenbus_probe_frontend: Device with no driver: device/vfb/0
[ 1.112878] xenbus_probe_frontend: Device with no driver: device/vbd/768
[ 1.112879] xenbus_probe_frontend: Device with no driver: device/vbd/51728
[ 1.112880] xenbus_probe_frontend: Device with no driver: device/vif/0
[ 1.112882] xenbus_probe_frontend: Device with no driver: device/vif/1
[ 1.118554] systemd[1]: Detected virtualization xen.
[ 1.532430] xen_netfront: Initialising Xen virtual ethernet driver
[ 6.496103] input: Xen Virtual Keyboard as /devices/virtual/input/input6
[ 6.496212] input: Xen Virtual Pointer as /devices/virtual/input/input7
[ 11.560036] xenbus_probe_frontend: Waiting for devices to initialise:
25s...20s...15s...10s...5s...0s...
[ 36.561321] xenbus_probe_frontend: Timeout connecting to device:
device/vkbd/0 (local state 3, remote state 1)

maybe the linux kernel bug with xen?

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
#16283 (comment), or mute
the thread
https://github.com/notifications/unsubscribe/ABYNbIDRs7JGyR-8yQwMqYvy1XspuR2yks5qVe-4gaJpZM4JG8gY
.

Jessie Frazelle
4096R / D4C4 DD60 0D66 F65A 8EFC 511E 18F3 685C 0022 BFF3
pgp.mit.edu http://pgp.mit.edu/pks/lookup?op=get&search=0x18F3685C0022BFF3

[ianlancetaylor]

Postponing to 1.8, since this only fails when run as root.

[luohoufu]

@jfrazelle
when i run you command which you give,i got error is "Invalid parameter",i use ushare -h just want to tell you the unshare usage maybe different with you platform。

[jessfraz]

what about unshare -Ur

[luohoufu]

@jfrazelle
when i run unshare -Ur i got the same error is "invalid parameter".

[jessfraz]

Can you strace it "strace -ff unshare -Ur "

On Monday, July 25, 2016, Tonny notifications@github.com wrote:

@jfrazelle https://github.com/jfrazelle
when i run unshare -Ur i got the same error is "invalid parameter".

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
#16283 (comment), or mute
the thread
https://github.com/notifications/unsubscribe-auth/ABYNbJXYUao5SB43vPSQ2N5IZBOL5XLIks5qZZMJgaJpZM4JG8gY
.

Jessie Frazelle
4096R / D4C4 DD60 0D66 F65A 8EFC 511E 18F3 685C 0022 BFF3
pgp.mit.edu http://pgp.mit.edu/pks/lookup?op=get&search=0x18F3685C0022BFF3

[luohoufu]

@jfrazelle
`
[root@snails src]# go test -c syscall
[root@snails src]# locale
LANG=zh_CN.UTF-8
LC_CTYPE=zh_CN.UTF-8
LC_NUMERIC="zh_CN.UTF-8"
LC_TIME="zh_CN.UTF-8"
LC_COLLATE="zh_CN.UTF-8"
LC_MONETARY="zh_CN.UTF-8"
LC_MESSAGES="zh_CN.UTF-8"
LC_PAPER="zh_CN.UTF-8"
LC_NAME="zh_CN.UTF-8"
LC_ADDRESS="zh_CN.UTF-8"
LC_TELEPHONE="zh_CN.UTF-8"
LC_MEASUREMENT="zh_CN.UTF-8"
LC_IDENTIFICATION="zh_CN.UTF-8"
LC_ALL=
[root@snails src]# export LANG=en_US.UTF-8

[root@snails src]# strace -ff unshare -Ur
execve("/usr/bin/unshare", ["unshare", "-Ur"], [/* 26 vars */]) = 0
brk(0) = 0x2502000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fab59288000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=22259, ...}) = 0
mmap(NULL, 22259, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fab59282000
close(3) = 0
open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0 \34\2\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=2112384, ...}) = 0
mmap(NULL, 3936832, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fab58ca6000
mprotect(0x7fab58e5d000, 2097152, PROT_NONE) = 0
mmap(0x7fab5905d000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1b7000) = 0x7fab5905d000
mmap(0x7fab59063000, 16960, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fab59063000
close(3) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fab59281000
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fab5927f000
arch_prctl(ARCH_SET_FS, 0x7fab5927f740) = 0
mprotect(0x7fab5905d000, 16384, PROT_READ) = 0
mprotect(0x602000, 4096, PROT_READ) = 0
mprotect(0x7fab59289000, 4096, PROT_READ) = 0
munmap(0x7fab59282000, 22259) = 0
geteuid() = 0
getegid() = 0
brk(0) = 0x2502000
brk(0x2523000) = 0x2523000
brk(0) = 0x2523000
open("/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=106065056, ...}) = 0
mmap(NULL, 106065056, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fab5277f000
close(3) = 0
unshare(CLONE_NEWUSER) = -1 EINVAL (Invalid argument)
open("/usr/share/locale/locale.alias", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=2502, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fab59287000
read(3, "# Locale name alias data base.\n#"..., 4096) = 2502
read(3, "", 4096) = 0
close(3) = 0
munmap(0x7fab59287000, 4096) = 0
open("/usr/share/locale/en_US.UTF-8/LC_MESSAGES/util-linux.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US.utf8/LC_MESSAGES/util-linux.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US/LC_MESSAGES/util-linux.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en.UTF-8/LC_MESSAGES/util-linux.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en.utf8/LC_MESSAGES/util-linux.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en/LC_MESSAGES/util-linux.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
write(2, "unshare: ", 9unshare: ) = 9
write(2, "unshare failed", 14unshare failed) = 14
write(2, ": ", 2: ) = 2
open("/usr/share/locale/en_US.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
write(2, "Invalid argument\n", 17Invalid argument
) = 17
close(1) = 0
close(2) = 0
exit_group(1) = ?
+++ exited with 1 +++
`

[jessfraz]

I can repro this in a centos VM so I will fix

[jessfraz]

So the USER_NS support in centos 7 seems to be "fubar" (quoted from the first link)
It seems like they broke it, fixed it, then broke it again?
2 related bugzilla issues:
https://bugzilla.redhat.com/show_bug.cgi?id=917708
https://bugzilla.redhat.com/show_bug.cgi?id=1168776
maybe @vbatts knows 😇

[jperrin]

So, out of curiosity (I didn't see it mentioned earlier) you're doing this with 'user_namespace.enable=1' as a boot option to the kernel, correct?

[luohoufu]

@jperrin thx, now i not continue research this issue,just like @jfrazelle analyse。USER_NS support not well(maybe a bug) in CentOS 7 VM.

[jcajka]

I have done some testing with both RHEL 7 and CentOS 7 kernel and I haven't been able to reproduce this issue.

I guess the issue is that RHEL/CentOS 7 don't have the user namespaces enabled by default(and IIRC are not supported). You need to make sure to enable the user_namespace using the kernel boot parameter "user_namespace.enable=1".

To verify the user_namsepaces are enabled use "cat /sys/module/user_namespace/parameters/enable". Double checking the "cat /proc/cmdline" might be good to.

@luohoufu could you provide the output of the above cmds ?

[rsc]

From the discussion, it sounds like this is not a Go problem but a CentOS 7 VM problem. Shall we close it?

[jessfraz]

Yes it is a CentOS issue, +1 to close

[gopherbot]

Change https://golang.org/cl/49311 mentions this issue: syscall: update check for UserNS support for centos 7