runc: setns(CLONE_NEWIPC) fails on Ubuntu kernel

Reported by @eriegger in docker/docker#29794.

runc version: 54296cf40ad8143b62dbcaa1d90e520a2136ddfe
Kernel Version: 4.4.0-70-generic
Operating System: Ubuntu 16.04.2 LTS
OSType: linux
Architecture: x86_64

They gave us an strace log. But the key point is this:

[pid 26452] open("/proc/8391/ns/ipc", O_RDONLY) = 8
[pid 26452] open("/proc/8391/ns/uts", O_RDONLY) = 9
[pid 26452] open("/proc/8391/ns/net", O_RDONLY) = 10
[pid 26452] open("/proc/8391/ns/pid", O_RDONLY) = 11
[pid 26452] open("/proc/8391/ns/mnt", O_RDONLY) = 12
[pid 26452] setns(8, CLONE_NEWIPC)      = -1 EINVAL (Invalid argument)

Does anyone know if Ubuntu broke IPC namespaces somehow? As far as I can see, the only straightforward paths in sys_setns that could give you EINVAL are if the fd is not an nsfs handle or doesn’t match the nstype – which we can’t possibly be hitting because we explicitly opened the fd ourselves.

About this issue

  • State: closed
  • Created 7 years ago
  • Comments: 24 (14 by maintainers)
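
The two EINVAL conditions named in the report above (the fd is not an nsfs handle, or its namespace kind does not match nstype) can be checked from userspace without calling setns(). This is an added example, not code from runc or from the issue thread; `check_setns_fd`, `nstype_from_link` and the `verdict` enum are hypothetical names, and it assumes a kernel that exposes namespace files through nsfs with /proc mounted.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/vfs.h>
#include <unistd.h>

#define NSFS_MAGIC_VAL 0x6e736673L /* NSFS_MAGIC from linux/magic.h */
enum verdict { FD_OK, FD_NOT_NSFS, FD_TYPE_MISMATCH, FD_UNKNOWN };

/* Map an nsfs link target like "ipc:[4026531839]" to its CLONE_NEW* flag. */
int nstype_from_link(const char *target)
{
    static const struct { const char *name; int flag; } tbl[] = {
        {"ipc", CLONE_NEWIPC}, {"uts", CLONE_NEWUTS}, {"net", CLONE_NEWNET},
        {"pid", CLONE_NEWPID}, {"mnt", CLONE_NEWNS} };
    for (size_t i = 0; i < sizeof(tbl) / sizeof(tbl[0]); i++) {
        size_t len = strlen(tbl[i].name);
        if (!strncmp(target, tbl[i].name, len) && !strncmp(target + len, ":[", 2))
            return tbl[i].flag;
    }
    return 0; /* not one of the namespace kinds listed above */
}

/* Hypothetical helper: test both conditions without setns(), so no privilege is needed. */
enum verdict check_setns_fd(int fd, int nstype)
{
    struct statfs sfs;
    char path[64], target[128];
    if (fstatfs(fd, &sfs) != 0)
        return FD_UNKNOWN;
    if ((long)sfs.f_type != NSFS_MAGIC_VAL)
        return FD_NOT_NSFS;             /* condition 1: not an nsfs handle */
    snprintf(path, sizeof(path), "/proc/self/fd/%d", fd);
    ssize_t n = readlink(path, target, sizeof(target) - 1);
    if (n < 0)
        return FD_UNKNOWN;
    target[n] = '\0';
    if (nstype != 0 && nstype_from_link(target) != nstype)
        return FD_TYPE_MISMATCH;        /* condition 2: kind differs from nstype */
    return FD_OK;
}

int main(void)
{
    int fd = open("/proc/self/ns/ipc", O_RDONLY);
    printf("ipc fd vs CLONE_NEWIPC: verdict %d\n", check_setns_fd(fd, CLONE_NEWIPC));
    return 0;
}
```

If this reports `FD_OK` for the fd passed to setns and the call still returns EINVAL, neither of those two conditions explains the failure.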

Most upvoted comments

Thanks both for checking 🤗

Yeah, I checked out the Ubuntu kernel source and couldn’t find any obvious extra code in the setns installation code for CLONE_NEWIPC.

At a glance I didn’t find any extra patches that would obviously be responsible. I’ll try to find some time to look closer in the next few days.