[UserNS] Networks && setgroups problems

[MorganeAubry]

Hi, I hope everyone's doing alright.
My container is already running as it should but it doesn't have network connection and it has a problem with setgroups.

Networks
I followed this : https://medium.com/@Mark.io/https-medium-com-mark-io-network-setup-with-runc-containers-46b5a9cc4c5b to be able to know how I was supposed to have a network connection running but. Everytime I tried to put the "path": "/var/run/netns/docker_network" bellow the "type": "network" in the namespace category, it gave me this error :
ERRO[0000] runc run failed: unable to start container process: error during container init: error mounting "sysfs" to rootfs at "/sys": mount src=sysfs, dst=/sys, dstFd=/proc/thread-self/fd/8, flags=MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC: operation not permitted
And I also try to put the network in its own category but it doesn't work and I saw on some issue that it's depreciated. Any help would be really great.

Setgroups
I'm not sure if this one is linked to the network issue or not. But everytime that I try to do an apt update it tells me this :

E: setgroups 65534 failed - setgroups (1: Operation not permitted)
E: setegid 65534 failed - setegid (22: Invalid argument)
E: seteuid 100 failed - seteuid (1: Operation not permitted)
E: setgroups 0 failed - setgroups (1: Operation not permitted)
Reading package lists... Done
W: chown to _apt:root of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory (1: Operation not permitted)
W: chown to _apt:root of directory /var/lib/apt/lists/auxfiles failed - SetupAPTPartialDirectory (1: Operation not permitted)
E: setgroups 65534 failed - setgroups (1: Operation not permitted)
E: setegid 65534 failed - setegid (22: Invalid argument)
E: seteuid 100 failed - seteuid (1: Operation not permitted)
E: setgroups 0 failed - setgroups (1: Operation not permitted)
E: Method gave invalid 400 URI Failure message: Failed to setgroups - setgroups (1: Operation not permitted)
E: Method http has died unexpectedly!
E: Sub-process http returned an error code (112)

So as before any help would be really great.

Here is the config file (it is a beta and it's currently use in a ansible role):

{
	"ociVersion": "1.2.1",
    "consoleSocket": "/run/console-sockets/{{container_name}}.sock",
	"annotations": {
    	"exposed_ports": "{{ df.EXPOSE | join(', ') }}"
  	},
	"process": {
		"terminal": false,
		"user": {
			"uid": 0,
			"gid": 0
		},
		"args": [
			"sh", "-c", "while true; do sleep 60; done"
		],
		"env": [
			"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
			"TERM=xterm"
		],
		"cwd": "/root",
		"capabilities": {
			"bounding": [
				"CAP_AUDIT_WRITE",
				"CAP_KILL",
				"CAP_NET_BIND_SERVICE",
				"CAP_SYS_ADMIN"
			],
			"effective": [
				"CAP_AUDIT_WRITE",
				"CAP_KILL",
				"CAP_NET_BIND_SERVICE",
				"CAP_SYS_ADMIN"
			],
			"permitted": [
				"CAP_AUDIT_WRITE",
				"CAP_KILL",
				"CAP_NET_BIND_SERVICE",
				"CAP_SYS_ADMIN"
			]
		},
		"rlimits": [
			{
				"type": "RLIMIT_NOFILE",
				"hard": 1024,
				"soft": 1024
			}
		],
		"noNewPrivileges": false
	},
	"root": {
		"path": "rootfs",
		"readonly": false
	},
	"hostname": "{{container_name}}",
	"mounts": [
		{
			"destination": "/proc",
			"type": "proc",
			"source": "proc"
		},
		{
			"destination": "/dev",
			"type": "tmpfs",
			"source": "tmpfs",
			"options": [
				"nosuid",
				"strictatime",
				"mode=755",
				"size=65536k"
			]
		},
		{
			"destination": "/dev/pts",
			"type": "devpts",
			"source": "devpts",
			"options": [
				"nosuid",
				"noexec",
				"newinstance",
				"ptmxmode=0666",
				"mode=0620",
				"gid=5"
			]
		},
		{
			"destination": "/dev/shm",
			"type": "tmpfs",
			"source": "shm",
			"options": [
				"nosuid",
				"noexec",
				"nodev",
				"mode=1777",
				"size=65536k"
			]
		},
		{
			"destination": "/dev/mqueue",
			"type": "mqueue",
			"source": "mqueue",
			"options": [
				"nosuid",
				"noexec",
				"nodev"
			]
		},
		{
			"destination": "/sys",
			"type": "sysfs",
			"source": "sysfs",
			"options": [
				"nosuid",
				"noexec",
				"nodev",
				"ro"
			]
		},
		{
			"destination": "/sys/fs/cgroup",
			"type": "cgroup",
			"source": "cgroup",
			"options": [
				"nosuid",
				"noexec",
				"nodev",
				"relatime",
				"ro"
			]
		}
	],
	"linux": {
		"seccomp": {
    		"defaultAction": "SCMP_ACT_ALLOW"
  		},
		"resources": {
			"devices": [
				{
					"allow": false,
					"access": "rwm"
				}
			],
            "cpu": {
                "shares": {{ choc_profiles[container_profile].cpu | int * 1024 }},
				"cpus": "0"
			},
            "memory": {
                "limit": 1073741824,  
                "swap": 1073741824   
            }
		},
		"namespaces": [
            {
                "type": "user"
            },
			{
				"type": "pid"
			},
			{
				"type": "network",
				"path": "/var/run/netns/docker_network"
			},
			{
				"type": "ipc"
			},
			{
				"type": "uts"
			},
			{
				"type": "mount"
			},
			{
				"type": "cgroup"
			}
		],
		"maskedPaths": [
			"/proc/acpi",
			"/proc/asound",
			"/proc/kcore",
			"/proc/keys",
			"/proc/latency_stats",
			"/proc/timer_list",
			"/proc/timer_stats",
			"/proc/sched_debug",
			"/sys/firmware",
			"/proc/scsi"
		],
		"readonlyPaths": [
			"/proc/bus",
			"/proc/fs",
			"/proc/irq",
			"/proc/sys",
			"/proc/sysrq-trigger"
		],
        "uidMappings": [
            {
            "containerID": 0,
            "hostID": 200000,
            "size": 1100
            }
        ],
        "gidMappings": [
            {
            "containerID": 0,
            "hostID": 200000,
            "size": 1100
            }
        ]
	}
}

I'm really sorry if this error already exist somewhere, I promess I searched with link word and I didn't find anything. Thank you very much for anyone that would have any information to get me out of this. Really appreciated !
Have a nice day !

[cyphar]

Things to try:

1. You need to have mappings at least 65535 in size for most distros to work properly. Apt tries to change to the nobody user which is 65535. If the IDs cannot be mapped you get ERANGE or EINVAL from a bunch of syscalls.
2. You need CAP_SETUID and CAP_SETGID for root to be able to change groups.

There is a setgroups deny system with somewhat complicated rules, but if you're using newgidmap or are root when creating your container (which is the case in your case) then setgroups will be enabled.

[MorganeAubry]

Thank you so much for your reply. Thanks to you and a little more research I've been able to pass through the error in apt update :

E: setgroups 65534 failed - setgroups (22: Invalid argument)
E: setegid 65534 failed - setegid (22: Invalid argument)
__update stuff__
W: chown to _apt:root of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory (1: Operation not permitted)
W: chown to _apt:root of directory /var/lib/apt/lists/auxfiles failed - SetupAPTPartialDirectory (1: Operation not permitted)
E: setgroups 65534 failed - setgroups (22: Invalid argument)
E: setegid 65534 failed - setegid (22: Invalid argument)
W: Download is performed unsandboxed as root as file '/var/lib/apt/lists/partial/deb.debian.org_debian_dists_bookworm_InRelease' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)

And now I have something when I ping :

ping: connect: Network unreachable

Now I think the only error left is that I can't connect to the network. My guess is that it's because I didn't put the "path": "/var/run/netns/docker_network" line. But when I do it complains about the impossibility of mounting /sys because it doesn't have the right privileges. (And I try to do it myself also as root and it give the same error).
Again thank you for your reply, I'm really thankful that you help me get further !

[MorganeAubry]

Update :
If I delete the mount of sysfs, I can launch it with the "path": "/var/run/netns/docker_network". But when I try to ping it says :

ping: socktype: SOCK_RAW
ping: socket: Operation not permitted

I already tried to do this :

• sudo setcap cap_net_raw+p /var/lib/containerd/testchocnginx86/rootfs/bin/ping
• add the "CAP_NET_RAW" in capabilities

For now nothing worked