When trying to use nsjail I keep getting permission errors:
For example, if I try the following command:
nsjail \
--chroot ./root \
-U 0:100000:65536 \
-G 0:100000:65536 \
--mount /nix/store \
--rw \
--hostname nsjail-container \
--disable_no_new_privs \
-- $(readlink result)/init
I get the following errors:
[I][2024-12-23T22:05:39+0200] Mount: '/proc' flags:MS_RDONLY type:'proc' options:'' dir:true
[I][2024-12-23T22:05:39+0200] Uid map: inside_uid:0 outside_uid:100000 count:65536 newuidmap:true
[I][2024-12-23T22:05:39+0200] Gid map: inside_gid:0 outside_gid:100000 count:65536 newgidmap:true
newgidmap: write to gid_map failed: Operation not permitted
[E][2024-12-23T22:05:39+0200][1484771] gidMapExternal():199 '/nix/store/cmmm1g8d3nyib4h9sy3qf9kg2ljzr789-shadow-4.16.0/bin/newgidmap' failed
[E][2024-12-23T22:05:39+0200][1484771] initParent():437 Couldn't initialize user namespace for pid=1484772
[E][2024-12-23T22:05:39+0200][1484771] standaloneMode():275 Couldn't launch the child process
I’ve tried simply calling unshare
and newgidmap
from the command line, and it worked. But not from nsjail.
I also tried dropping the -U
and -G
options, and then I got a different permission error createDirRecursively():156 openat('5', 'root', O_DIRECTORY | O_CLOEXEC): Permission denied
.
What’s wrong here?