On RHEL 7.4 this user namespace test fails with an error from runc "exit status 40". It looks like the setns process just fails for some reason.
The CI machine does have user namespace enabled and /proc/sys/user/max_user_namespaces set to a high number.
Might be completely unrelated, but one thing I noticed is on RHEL if I `unshare -rm` I get EPERM... or `unshare -r && unshare -m` also EPERM. This seems to work just fine on other kernels.
Details
21:07:06 ----------------------------------------------------------------------
21:07:06 FAIL: docker_cli_userns_test.go:24: DockerDaemonSuite.TestDaemonUserNamespaceRootSetting
21:07:06
21:07:06 [d181ed338bc75] waiting for daemon to start
21:07:06 [d181ed338bc75] daemon started
21:07:06
21:07:06 docker_cli_userns_test.go:50:
21:07:06 c.Assert(err, checker.IsNil, check.Commentf("Output: %s", out))
21:07:06 ... value *exec.ExitError = &exec.ExitError{ProcessState:(*os.ProcessState)(0xc422049360), Stderr:[]uint8(nil)} ("exit status 125")
21:07:06 ... Output: 6601d2350aa7aecbcaa27a4cf2b47d76872c01bccd81aca2ce47370f021a43c0
21:07:06 /usr/local/bin/docker: Error response from daemon: OCI runtime create failed: container_linux.go:295: starting container process caused "process_linux.go:302: running exec setns process for init caused \"exit status 40\"": unknown.
21:07:06
21:07:06
21:07:06 [d181ed338bc75] exiting daemon
21:07:08
21:07:08 ----------------------------------------------------------------------