I use isolate , an isolator to isolate the execution of another program using Linux containers. It is very convenient and works well locally on my computer (I can launch fork bombs and endless loops, and this protects everything).
Now I'm trying to get this to work on the Ubuntu 12.04 server that I have, but I'm having difficulty with this. This is also a fresh server.
When I run:
sudo isolate --run -- mycommand
( mycommandUsually I try python3or something else), I get:
clone: Operation not permitted
So, I dug up the clone function (called so in isolate.c):
box_pid = clone(
box_inside,
argv,
SIGCHLD | CLONE_NEWIPC | CLONE_NEWNET | CLONE_NEWNS | CLONE_NEWPID,
argv);
if (box_pid < 0)
die("clone: %m");
if (!box_pid)
die("clone returned 0");
box_keeper();
Here's the return value of the function clone:
. -1 , , errno .
, :
EPERM (POSIX.1)
:
EPERM CLONE_NEWNS - ( CAP_SYS_ADMIN).
clone CLONE_NEWNS . , clone: Operation not permitted.
, , , , root, root ( sudo), sudoers, , . , - , isolate, .
isolate /usr/bin ./isolate .