Can't exec into a container with private time namespace #4635
Labels
Comments
lifubang
added a commit
to lifubang/runc
that referenced
this issue
Feb 19, 2025
We should configure the process's timens offset only when we need to create new time namespace, we shouldn't do it if we are joining an existing time namespace. (opencontainers#4635) Signed-off-by: lfbzhm <lifubang@acmcoder.com>
lifubang
added a commit
to lifubang/runc
that referenced
this issue
Feb 22, 2025
We should configure the process's timens offset only when we need to create new time namespace, we shouldn't do it if we are joining an existing time namespace. (opencontainers#4635) Signed-off-by: lifubang <lifubang@acmcoder.com>
# for free
to join this conversation on GitHub.
Already have an account?
# to comment
Description
When we exec into a container with a private time namespace, it will get an error.
Steps to reproduce the issue
Describe the results you received and expected
@lifubang ➜ ~/ubuntu $ sudo ./runc.amd64 run -d test
@lifubang ➜ ~/ubuntu $ sudo ./runc.amd64 exec test true
FATA[0000] nsexec-0[10598]: failed to update /proc/10599/timens_offsets: Permission denied
FATA[0000] nsexec-1[10599]: failed to sync with parent: read(SYNC_TIMEOFFSETS_ACK): Success
ERRO[0000] exec failed: unable to start container process: error executing setns process: exit status 1
What version of runc are you using?
runc version 1.2.5
commit: v1.2.5-0-g59923ef1
spec: 1.2.0
go: go1.22.12
libseccomp: 2.5.5
Host OS information
No response
Host kernel information
No response
The text was updated successfully, but these errors were encountered: