Are you sure your uid/gid are both 1000?

$ cat issue10626.go
package main

import (
"log"
"os"
"os/exec"
"syscall"
)

func main() {
cmd := exec.Command(os.Args[1], os.Args[2:]...)
cmd.Stdout = os.Stdout
cmd.Stderr = os.Stderr
cmd.Stdin = os.Stdin
cmd.SysProcAttr = &syscall.SysProcAttr{}
cmd.SysProcAttr.Cloneflags = syscall.CLONE_NEWUSER
cmd.SysProcAttr.UidMappings = []syscall.SysProcIDMap{
{ContainerID: 0, HostID: syscall.Getuid(), Size: 1},
}
cmd.SysProcAttr.GidMappings = []syscall.SysProcIDMap{
{ContainerID: 0, HostID: syscall.Getgid(), Size: 1},
}
if err := cmd.Run(); err != nil {
log.Fatal(err)
}
}
$ go build issue10626.go
$ ./issue10626 /bin/bash

id

uid=0(root) gid=0(root) groups=0(root),65534(nobody)

@minux Yeah, I'm changed code as you suggested(Getuid/Getgid), result is same. What kernel do you use?

Actually, since 3.19 kernel code from forkAndExecInChild can't work with writing map_gid because of /proc/self/setgroups. You can find reference in newest man user_namespace. But I can't reach even that point :(

I am seeing the same issue as @LK4D4 (on 3.19.4) and I am thinking that this might be probably related to the setgroups code torvalds/linux@9cc4651

@LK4D4 yes, at minimum the go code has to add to check for the presence of setgroups and write deny into it.

@mrunalp Actually I tried to insert setgroups code to syscall/exec_linux.go and get permission denied on writing there. Also, C code without setgroups failing on gid_map, not uid_map.
But still very possible that related, because seems like it broken since 3.19.

Also I tried to reimplement this with unshare. I used unshare hack from #10051 (comment) and /proc/self/setgroups was writable! But uid_map still wasn't.

It would be nice to fix this problem, but I don't understand what is causing it. Can somebody running kernel 3.19 or later figure this out? For example, if somebody can demonstrate a working C program, we may be able to modify the syscall package in the same way.

@ianlancetaylor There is working C program in http://man7.org/linux/man-pages/man7/user_namespaces.7.html
But as I see we doing exactly the same apart from setgroups. I'll try to bisect kernel to find which commit brought this problem.

Thanks. It seems clear from the man page that we must write "deny" to /proc/PID/setgroups before writing to /proc/PID/gid_map. That seems consistent with the problem in the initial issue report. But I see your earlier comment that when you tried that, it failed. Can you share the patch that you tried?

@ianlancetaylor Yup, in 30 minutes.

@ianlancetaylor Hmm, sorry for confusion. It works for me now, maybe I did something wrong first time or maybe I updated kernel(now I use 4.0.4 and there was a lot of changes in 4.0.2).
Will it be ok to send this patch https://gist.github.com/anonymous/4a12b43dbce0007bfbef to golang now?

CL https://golang.org/cl/10670 mentions this issue.

The fix for this seems to have broken the syscall test on my machine.

$ go test syscall
--- FAIL: TestCloneNEWUSERAndRemapNoRootDisableSetgroups-4 (0.00s)
    exec_linux_test.go:42: Cmd failed with err fork/exec /usr/bin/whoami: operation not permitted, output: 
FAIL
FAIL    syscall 0.029s
$ uname -a
Linux austin-glaptop 3.13.0-52-generic #86-Ubuntu SMP Mon May 4 04:32:59 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
$ id
uid=12166(austin) gid=5000(eng) groups=5000(eng),...

Interesting. It fails on my system too. The test successfully opens /proc/PID/setgroups and writes "deny" to it. It then successfully opens /proc/PID/gid_map. However, the attempt to write to gid_map fails with EPERM.

Sent http://golang.org/cl/11055 .

Hi @LK4D4
for your comment:

Hi @LK4D4
for your comment:
@ianlancetaylor There is working C program in http://man7.org/linux/man-pages/man7/user_namespaces.7.html
But as I see we doing exactly the same apart from setgroups. I'll try to bisect kernel to find which commit brought this problem.

For your above comments,
I did not find it can work

Linux 3.19.0-30-generic
ubuntu@testtmp:$ id -u
1000
ubuntu@testtmp:$ id -g
1000
ubuntu@testtmp:$ ./userns_child_exec -p -m -U -M '0 1000 1' -G '0 1000 1' bash
ERROR: write /proc/5629/gid_map: Operation not permitted
About to exec bash
ubuntu@testtmp:$ root@testtmp:~#

Did you get that work in your env ?

@HackToday yeah, it should work with latest go versions.

@LK4D4 I tried the c program, it not worked, That was the guide issue, as said need to add
You must first be denied by writing "deny" to the /proc/[pid]/setgroups

And besides, I noticed, even I added this, the example in
http://manpages.ubuntu.com/manpages/wily/man7/user_namespaces.7.html

it would not have this result:
bash$cat /proc/$$/status | egrep '^[UG]id'
Uid: 0 0 0 0
Gid: 0 0 0 0
bash$ cat /proc/$$/status | egrep '^Cap(Prm|Inh|Eff)'
CapInh: 0000000000000000
CapPrm: 0000001fffffffff
CapEff: 0000001fffffffff

The result is as this

#cat /proc/$$/status | egrep '^[UG]id'
Uid: 65534 65534 65534 65534
Gid: 65534 65534 65534 65534
root@dockerexper:~# cat /proc/$$/status | egrep '^Cap(Prm|Inh|Eff)'
CapInh: 0000000000000000
CapPrm: 0000003fffffffff
CapEff: 0000003fffffffff

Do you know why it is not mapped ?