To better understand why the warnings & why the solutions, it is recommended to read:
Check
!#Check if it's enabled at Kernel Level
sysctl -n user.max_user_namespaces
#This will print a number
#if it doesn't or it's user.max_user_namespaces = 0, then it's disabled
!#Check if it's enabled/restricted Using unshare : https://man7.org/linux/man-pages/man1/unshare.1.html
unshare --user echo "Username namespaces supported"
#If Suporrted: Username namespaces supported
#If Not: unshare: unshare(0x10000000): Operation not permitted
!#Check if AppArmor|SeLinux is stopping us
sudo dmesg | grep -E '(selinux|apparmor|security)'
#Look for lines containing words like denied, disallowing etc
Errors & Solutions
[WARN] Your kernel does not support user namespaces
!#Because /proc/self/ns/user on your System, doesn't exist
1. You need to install SUID Bubblewrap into the system
#For RunImage, this solution will work, but for others, refer to others.
# wget "https://bin.pkgforge.dev/$(uname -m)/bwrap" -O "/tmp/bwrap"
# sudo cp -f "/tmp/bwrap" "/usr/bin/bwrap" && sudo chmod u+s "/usr/bin/bwrap"
2. You need to run some Packages (that require usernamespace) as ROOT [NOT RECOMMENDED & DANGEROUS]
3. Install a Kernel with user namespaces support like XanMod kernel -> https://xanmod.org
[WARN] You mustEnableunprivileged_userns_clone
!#Because /proc/sys/kernel/unprivileged_userns_clone == 0
❯ Enable unprivileged_userns_clone
echo "kernel.unprivileged_userns_clone=1" | sudo tee "/etc/sysctl.d/98-unprivileged-userns-clone.conf"
echo "1" | sudo tee "/proc/sys/kernel/unprivileged_userns_clone"
sudo service procps restart
sudo sysctl -p "/etc/sysctl.conf"
#Reboot
[WARN] You mustEnablemax_user_namespaces
!#Because /proc/sys/user/max_user_namespaces == 0
❯ Enable max_user_namespaces
echo "user.max_user_namespaces=10000" | sudo tee "/etc/sysctl.d/98-max-user-namespaces.conf"
echo "100000" | sudo tee "/proc/sys/user/max_user_namespaces"
sudo service procps restart
sudo sysctl -p "/etc/sysctl.conf"
#Reboot
[WARN] You mustDisableuserns_restrict
!#Because /proc/sys/kernel/userns_restrict == 1
❯ Disable userns_restrict
echo "kernel.userns_restrict=0" | sudo tee "/etc/sysctl.d/98-userns.conf"
echo "0" | sudo tee "/proc/sys/kernel/userns_restrict"
sudo service procps restart
sudo sysctl -p "/etc/sysctl.conf"
#Reboot
[WARN] You mustDisableapparmor_restrict_unprivileged_userns
!#Because /proc/sys/kernel/apparmor_restrict_unprivileged_userns == 1
❯ Disable apparmor_restrict_unprivileged_userns
echo "kernel.apparmor_restrict_unprivileged_userns=0" | sudo tee "/etc/sysctl.d/98-apparmor-unuserns.conf"
echo "0" | sudo tee "/proc/sys/kernel/apparmor_restrict_unprivileged_userns"
sudo service procps restart
sudo sysctl -p "/etc/sysctl.conf"
#Reboot
Examples
Chrome/Chromium
#In Address Bar
chrome://sandbox
Other Apps
#APP_NAME == pkg or the actual binary, & remember to keep the APP RUNNING
lsns -t user -t pid -t net | grep -i "${APP_NAME}"
#Example: lsns -t user -t pid -t net | grep -i "firefox"
#If you get no output, it means it's not enabled/working/supported
Otherwise You will get something like:
