I am trying to set up unprivileged LXC containers as explained in the Debian Wiki on a Jessie Debian physical server (4.9.135 kernel). Hence, I want to enable the userns namespace:
sysctl kernel.unprivileged_userns_clone=1
sysctl: cannot stat /proc/sys/kernel/unprivileged_userns_clone: No such file or directory
However, this kernel has been compiled with the user namespace support, as shown in:
zgrep CONFIG_USER /proc/config.gz
CONFIG_USER_NS=y
I have run lxc-checkconfig, which shows "enabled" for every item except "checkpoint restore: missing", which does not seem to be user namespace related:
--- Namespaces ---
User namespace: enabled
--- Checkpoint/Restore ---
checkpoint restore: missing
Googling around does not help much in understanding this error... Can anyone help me solve this issue? Do not hesitate to ask for any information which may be missing...
The sysctl mentioned in the Debian wiki does not exist in the Linux kernel.
It is provided in a Debian-maintained patch in Debian kernels for the express purpose of disabling user namespaces until they are explicitly enabled by setting the sysctl.
This Debian-specific patch has been refused by the Linux kernel developers.
Because you are not using a Debian-provided kernel, user namespaces are always enabled and you do not need to set a sysctl to turn them on. You can simply skip this step.
For checkpoint/restore, install criu and run "criu check". It will tell you what, if anything, is still missing.
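
A check that handles both the Debian-patched and the unpatched kernel case described in the answer above, as an added example that is not part of the original answer. The function name userns_status and its PROC_ROOT argument are hypothetical; /proc/self/ns/user and user.max_user_namespaces are upstream kernel interfaces that the page itself does not mention.

```shell
#!/bin/sh
# userns_status [PROC_ROOT]: report whether unprivileged user namespaces are
# usable. PROC_ROOT defaults to /proc; the parameter is an assumption of this
# example so the logic can be exercised against a constructed directory tree.
userns_status() {
    proc_root="${1:-/proc}"
    knob="$proc_root/sys/kernel/unprivileged_userns_clone"   # Debian patch only
    limit="$proc_root/sys/user/max_user_namespaces"          # upstream, 4.9+

    # /proc/self/ns/user exists only when the kernel has CONFIG_USER_NS=y.
    if [ ! -e "$proc_root/self/ns/user" ]; then
        echo "unsupported: kernel built without CONFIG_USER_NS"
        return 0
    fi

    # Debian-patched kernel: the knob exists and must be 1.
    if [ -e "$knob" ] && [ "$(cat "$knob")" != "1" ]; then
        echo "disabled: set kernel.unprivileged_userns_clone=1"
        return 0
    fi

    # Upstream limit: 0 forbids creating any user namespace.
    if [ -e "$limit" ] && [ "$(cat "$limit")" = "0" ]; then
        echo "disabled: user.max_user_namespaces is 0"
        return 0
    fi

    if [ -e "$knob" ]; then
        echo "enabled: Debian knob is set to 1"
    else
        echo "enabled: no Debian knob on this kernel, nothing to set"
    fi
}

userns_status /proc
```

On a kernel like the one in the question, the last branch is the one that applies: the sysctl file is absent and there is nothing to set.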