I'm trying to figure out how to enable user namespaces capability in my kernel (I think CAP_SYS_USER_NS). I'm using Debian Stretch, kernel 4.6.0-1-amd64.
My assumption is there is a way to turn on user namespaces and recompile the kernel. After some hours searching, I can find a post of doing this in Ubuntu (https://blog.tutum.co/2013/12/14/enabling-the-user-namespace-in-ubuntu-13-10-saucy/) but not Debian (problem may be I'm on the wrong track and so my searches are off base).
My end game is to enable these in order to keep up with Docker and Google sandboxing which apparently require user namespaces to be enabled in the kernel (e.g., my Chrome containers no longer work).
Best Answer
On Debian the ability to create or handle user namespaces from a non-privileged process (usually meaning non-root user) is disabled by default. There's a Debian-specific patch (from Ubuntu) to the kernel that adds the sysctl knob kernel.unprivileged_userns_clone (with a default value of 0 meaning disabled). To enable it (until next reboot),

For a permanent configuration, you can add a new entry in /etc/sysctl.d to enable the feature at boot:

This patch predates (by three years) the sysctl user.max_user_namespaces (initially userns.max_user_namespaces) which can be set to 0 to achieve the same result. It was probably kept around for (Debian) compatibility reasons: expecting the feature disabled by default. From the initial commit message, it was created (in 2013) as a temporary measure when there were some doubts about the security implications related to using user namespaces: