-
-
Notifications
You must be signed in to change notification settings - Fork 124
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Systemd user service does not work unmodified on Ubuntu 18.04 (5.3 kernel) #41
Comments
Hi, I will take a look. I will admit I only tested the unit on modern distributions 😞 .
Some systems also limits the maximum number of user namespaces ( |
I did a few tests and there are also a some limitations around capabilities on Ubuntu 18.04. Would you mind testing with the following unit?
|
Works for me 😃 |
Does the workaround drop important protections or should we just change the unit in |
Sorry for the confusion. Looks like the unit file LeSuisse gave stopped working for me after some reboots. |
Some of the isolations in there require user namespaces. From https://www.freedesktop.org/software/systemd/man/systemd.exec.html#Sandboxing:
User namespaces seem to be disabled on most Debian and some Ubuntu systems. I consider these isolations useful enough to keep them enabled by default. According to https://superuser.com/a/1122977), it should be possible to enable user namespace support on these distros too. It's probably sufficient to add a note to that into the manual installation section - I'd assume Debian & co. will provide their own, less-isolated systemd units in their packages sooner or later anyways. |
@mahiuchun Do you have more details? What was the output of Yep some of the sandboxing instructions are not available when running the service at the user level. I left the instructions anyway if someone wants to run the unit with the global service manager. Ultimately this is only an issue until packages are published to hide this complexity. Maybe until then, adding a section in the manual with a more universal unit without any sandboxing for people running an Ubuntu 18.04 or older would be enough? |
There's now a note in the instructions 👍 |
Thanks for building this. With the systemd config as given I hit errors like the following
and I ended up removing lots of flags in the service section:
I know it is a great idea to use as little privilege as possible. OTOH, since kernels shipped by Ubuntu might not work well with such settings yet, it would be nice if we could provide a little more information to the users.
Reference: https://unix.stackexchange.com/questions/303213/how-to-enable-user-namespaces-in-the-kernel-for-unprivileged-unshare
BTW,
sysctl
settings likedoes not make it work for me 😞
The text was updated successfully, but these errors were encountered: