Configure sysctl

Debian, Arch, and RHEL/CentOS 7 are known to require reconfiguration of sysctl to enable User Namespaces.

Note

These steps are not needed for Ubuntu.

Create /etc/sysctl.d/99-rootless.conf with the following content:

kernel.unprivileged_userns_clone=1

And then run the following command to reload the new sysctl configuration:

$ sudo sysctl --system

Optional: To enable overlay filesystem, create /etc/modprobe.d/overlay.conf with the following content, and then reboot.

options overlay permit_mounts_in_userns=1

Create /etc/sysctl.d/99-rootless.conf with the following content:

kernel.unprivileged_userns_clone=1

Then run the following command to reload the new sysctl configuration:

$ sudo sysctl --system

Note

These steps are not needed for RHEL/CentOS 8.

Create /etc/sysctl.d/99-rootless.conf with the following content:

user.max_user_namespaces=28633

Then run the following command to reload the new sysctl configuration:

$ sudo sysctl --system

[Optional] allowing ping

Most distributions do not allow non-root users cannot send ICMP Echo Request packets (aka ping) by default.

To allow running ping without root, create /etc/sysctl.d/99-rootless.conf with the following content:

net.ipv4.ping_group_range = 0 2147483647

Then run the following command to reload the new sysctl configuration:

$ sudo sysctl --system

[Optional] allowing listening on TCP & UDP ports below 1024

Most distributions do not allow non-root users to listen on TCP & UDP ports below 1024. e.g. listening on 80/tcp would fail with “permission denied”, while listening on 8080/tcp would success.

To allow listening on any port without root, create /etc/sysctl.d/99-rootless.conf with the following content:

net.ipv4.ip_unprivileged_port_start=0

Then run the following command to reload the new sysctl configuration:

$ sudo sysctl --system