Problem description

I am using isolate, an isolator that isolates the execution of another program using Linux containers. It's very handy and it works very well locally on my computer (I can run fork bombs and infinite loops and it protects everything).

Now I'm trying to get this to work on an Ubuntu 12.04 server I have, but I'm having some difficulties with it. It's a fresh server too.
When I run:

    sudo isolate --run -- mycommand

(mycommand, I usually try python3 or something), I get:

    clone: Operation not permitted
So, I dug into the clone function (called like this in isolate.c):
    box_pid = clone(
        box_inside,   // Function to execute as the body of the new process
        argv,         // Pass our stack
        SIGCHLD | CLONE_NEWIPC | CLONE_NEWNET | CLONE_NEWNS | CLONE_NEWPID,
        argv);        // Pass the arguments
    if (box_pid < 0)
        die("clone: %m");
    if (!box_pid)
        die("clone returned 0");
    box_keeper();
Here is the return value of the clone function:

Here is the error I get:
I also found that the clone function is indeed passing CLONE_NEWNS to run the program in a new namespace. I actually tried removing it, but I keep getting clone: Operation not permitted.
So, it all seems to point to not having root privileges, but I actually ran the command as root (with and without sudo, just to be sure), and also as a normal user in the sudoers group. None of that worked, but it works very well locally. Root privileges work for everything else, but for some reason when I run this isolate program, it doesn't work.
I tried both with isolate in /usr/bin and running ./isolate in a local folder too.
Recommended answer

I had this issue because I was trying to use isolate within a Docker container.

Rerunning the container with the --privileged flag fixed it for me.
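Added diagnostic, not part of the question or the answer above: isolate's clone() call requests CLONE_NEWNS, CLONE_NEWPID, CLONE_NEWNET and CLONE_NEWIPC without CLONE_NEWUSER, so the kernel requires CAP_SYS_ADMIN in the caller's effective set and returns EPERM otherwise; a default Docker container drops that capability and also runs under a seccomp filter, and --privileged removes both restrictions. This script reads the effective capability mask and seccomp mode from /proc/self/status so you can see which of the two applies before running isolate; the two status fragments embedded in it are constructed samples, not captures from a real host.

```python
# Capability bit numbers from <linux/capability.h> (stable kernel ABI values).
CAP_SYS_ADMIN = 21   # needed by clone()/unshare() with CLONE_NEWNS/NEWPID/NEWNET/NEWIPC
CAP_SYS_CHROOT = 18  # isolate also chroots into the sandbox directory

def parse_status(text):
    """Pick the capability and seccomp fields out of /proc/<pid>/status text."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key in ("CapEff", "CapBnd", "Seccomp", "NoNewPrivs"):
            fields[key] = value.strip()
    return fields

def has_cap(mask_hex, cap):
    """True if capability bit `cap` is set in a hex capability mask such as CapEff."""
    return (int(mask_hex, 16) >> cap) & 1 == 1

def diagnose(status_text):
    """Return the reasons (possibly none) why isolate's clone() would get EPERM here."""
    f = parse_status(status_text)
    if "CapEff" not in f:
        return ["no CapEff line: not a Linux /proc status file?"]
    problems = []
    for cap, name in ((CAP_SYS_ADMIN, "CAP_SYS_ADMIN"), (CAP_SYS_CHROOT, "CAP_SYS_CHROOT")):
        if not has_cap(f["CapEff"], cap):
            problems.append(f"{name} missing from effective set (CapEff={f['CapEff']})")
    if f.get("Seccomp") == "2":
        problems.append("seccomp filter active: the runtime's profile may also reject namespaced clone()")
    return problems

# Constructed sample fragments of /proc/self/status (not captured from a real host):
# a default container without CAP_SYS_ADMIN under a seccomp filter, and a --privileged one.
DEFAULT_CONTAINER = "Name:\tbash\nCapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\nSeccomp:\t2\n"
PRIVILEGED_CONTAINER = "Name:\tbash\nCapEff:\t0000003fffffffff\nCapBnd:\t0000003fffffffff\nSeccomp:\t0\n"

if __name__ == "__main__":
    try:
        with open("/proc/self/status") as fh:
            text = fh.read()
    except OSError:
        text = DEFAULT_CONTAINER  # off Linux, fall back to the constructed sample
    for p in diagnose(text) or ["clone() with CLONE_NEW* flags should be permitted here"]:
        print(p)
```

If only CAP_SYS_ADMIN is reported missing, granting that single capability with `--cap-add SYS_ADMIN` is the narrower option to try before falling back to --privileged, which also disables the seccomp profile and grants every other capability.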