CC @LK4D4

Output for command:
$ strace -f go test syscall -test.run=TestCloneNEWUSERAndRemapNoRootDisableSetgroups

strace.txt

The test passes now, after I changed some kernel settings:

# grubby --args="namespace.unpriv_enable=1 user_namespace.enable=1" --update-kernel="/boot/vmlinuz-3.10.0-862.6.3.el7.x86_64"

# echo "user.max_user_namespaces=15076" >> /etc/sysctl.conf

But it was completely uninformed!
Just following generic recipes from web.

On some other Issue, someone asked to run 'unshare' command.
In my case, the error message is "Invalid Argument".
(the same message on failed test)

$ unshare -Ur
unshare: unshare failed: Invalid argument

I just realized there was previous Issues about this ... sorry for duplication:

https://go-review.googlesource.com/c/go/+/49311

I don't have this directory:

/sys/module/user_namespace/parameters/enable

Should function checkUserNS(...) skip if file not found ?
It actually just skips if file is found and do not have value 'Y'.

I don't think we should unconditionally skip the test if the file does not exist, as my system doesn't have that file either. It sounds like some CentOS 7 systems have that file and some do not, but I don't know what that would be.

It looks like now CentOS 7 has unprivileged namespaces disabled by default with kernel parameter.
The thing to check would be if it is CentOS 7 and there is namespace.unpriv_enable=1 in /proc/cmdline, but it's not the first time we add band-aid for CentOS 7. Maybe it's easier just to add some comment to file like "Please find how to enable unprivileged namespaces for your distribution if you want these tests to work properly".

Is there some way we can detect CentOS and just skip the test? Perhaps look in /etc/lsb-release?

Maybe it's easier just to add some comment to file like "Please find how to enable unprivileged namespaces for your distribution if you want these tests to work properly".

In general the tests have to pass for users who don't understand what the code does. So while that would be easier for us, it would just be mystifying for most people installing Go. If the test can't reliably pass, we have to just skip it.

@ianlancetaylor Yeah, apparently all centos releases have /etc/centos-release file, maybe we can just check its presence

In general the tests have to pass for users who don't understand what the code does.

It's me :)

... maybe we can just check its presence

Can I have a try on the fix ?
(check /etc/centos-release presence)

If you feel more confortable I can give a try testing on rhel7.5, before making any decision.

@EduRam Sure, send a fix, if you can do it very soon for the 1.11 release. Thanks.

Change https://golang.org/cl/124555 mentions this issue: syscall: update check for UserNS support for CentOS 7.5+

I think I have found the root cause of the problem.

I had no problems executing the syscall package tests after running the command:

$ sudo sysctl user.max_user_namespaces=15000
$ cat /proc/sys/user/max_user_namespaces
15000

By default that variable is 0, and the tests failed.

$ cat /proc/sys/user/max_user_namespaces
0

My submitted fix will not check the existence of file "/etc/centos-release" as suggested.
Instead it will read the value from "/proc/sys/user/max_user_namespaces", and skip tests if equals to 0.

Could this also be ok ?