A script generates error: cgroups

system_key.go:154 cannot determine cgroup version

Thanks in advance for the help…

Oh, and it needs 3 files to run it:

sudo apt install xnest
sudo apt install twm
sudo apt install iptables

#!/bin/bash
# (bash, not sh: the script uses the "function" keyword and "echo -n",
#  which dash, Ubuntu's /bin/sh, does not accept)
#
# A demo of Linux namespace to sandbox firefox

set -e

echo "[+] Check dependencies"
for i in twm firefox Xnest; do
    which $i
done

# interface that carries the default route (column 5 of "ip route get")
ext_if=$(ip route get 8.8.8.8 | grep 'dev' | awk '{ print $5 }')

function finish() {
    echo "[+] Cleaning..."
    # deleting the namespace also removes firefox1 and its peer firefox0
    sudo ip netns delete firefox
    sudo iptables -D POSTROUTING -t nat -s 192.168.50.2/32 -o ${ext_if} -j MASQUERADE
    sudo iptables -D FORWARD -i firefox0 -o ${ext_if} -j ACCEPT
    sudo iptables -D FORWARD -i ${ext_if} -o firefox0 -j ACCEPT
    killall Xnest
}

trap finish EXIT

echo "[+] Network namespace"
# create a new namespace
sudo ip netns add firefox
# configure loopback
sudo ip netns exec firefox ip addr add 127.0.0.1/8 dev lo
sudo ip netns exec firefox ip link set lo up
# create a device pair
sudo ip link add firefox0 type veth peer name firefox1
# initiate the host side
sudo ip link set firefox0 up
# initiate the container side
sudo ip link set firefox1 netns firefox up
sudo ip addr add 192.168.50.1/24 dev firefox0
sudo ip netns exec firefox ip addr add 192.168.50.2/24 dev firefox1
sudo ip netns exec firefox ip route add default via 192.168.50.1 dev firefox1
# configure dedicated resolv.conf (ip netns exec bind-mounts /etc/netns/<name>/ over /etc)
[ -d "/etc/netns/firefox" ] || sudo mkdir -p /etc/netns/firefox
echo nameserver 8.8.8.8 | sudo tee /etc/netns/firefox/resolv.conf
# enable routing
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
sudo iptables -A POSTROUTING -t nat -s 192.168.50.2/32 -o ${ext_if} -j MASQUERADE
sudo iptables -A FORWARD -i firefox0 -o ${ext_if} -j ACCEPT
sudo iptables -A FORWARD -i ${ext_if} -o firefox0 -j ACCEPT

echo "[+] Filesystem preps"
if [ ! -d "/home/sandbox/${USER}" ]; then
    sudo mkdir -p /home/sandbox/${USER}
    sudo chown ${USER} /home/sandbox/${USER}
    chmod 0700 /home/sandbox/${USER}
fi
if [ ! -d "/tmp/sandbox" ]; then
    mkdir -m 01777 /tmp/sandbox
    mkdir /tmp/sandbox/.X11-unix /var/tmp/.X11-unix
fi

echo "[+] Xnest"
# fresh cookie for the nested display; the sandbox only ever sees :4
echo -n > /home/sandbox/${USER}/.Xauthority
xauth -f /home/sandbox/${USER}/.Xauthority add :4 . $(mcookie)
Xnest -auth /home/sandbox/${USER}/.Xauthority :4 &
sleep 1

# new mount, UTS, IPC and PID namespaces inside the network namespace;
# unshare -m makes mount propagation private, so the binds below do not
# leak back to the host.  The body runs as root until the su at the end.
# NOTE: the original used su -l ${SUDO_USER}; that variable is unset when
# the script itself is started without sudo, so su dropped to root (the
# "#" prompt).  ${USER} is the invoking user, as everywhere else above.
sudo ip netns exec firefox unshare -m -u -i -p --mount-proc=/proc -f bash -c "
echo '[-] /dev'
mount -t tmpfs -o mode=0755 none /dev
mkdir /dev/shm
mknod -m 0622 /dev/console c 5 1
mknod -m 0666 /dev/null c 1 3
mknod -m 0666 /dev/zero c 1 5
mknod -m 0444 /dev/random c 1 8
mknod -m 0444 /dev/urandom c 1 9
ln -s /proc/self/fd /dev/fd
ln -s /proc/self/fd/0 /dev/stdin
ln -s /proc/self/fd/1 /dev/stdout
ln -s /proc/self/fd/2 /dev/stderr

echo '[-] /home'
mount -o bind /home/sandbox /home

echo '[-] /tmp'
mount -o bind /tmp/.X11-unix /var/tmp/.X11-unix
mount -o bind /tmp/sandbox /tmp
mount -o bind /var/tmp/.X11-unix /tmp/.X11-unix

echo '[-] /var/log'
mount -t tmpfs none /var/log

echo '[-] /sys'
mount -t tmpfs none /sys

echo '[-] test shell'
echo 'use DISPLAY=:4 XAUTHORITY=${HOME}/.Xauthority xeyes'
env - su -l ${USER} -s /bin/sh
echo '[-] init...'
exec env - su -l ${USER} -s /bin/sh -c 'export DISPLAY=:4; export XAUTHORITY=${HOME}/.Xauthority; twm & firefox'
"

https://bpa.st/MHMQ << this is the actual script with run directions

When it's running, this needs to be typed in at the # prompt:

export DISPLAY=:4; export XAUTHORITY=${HOME}/.Xauthority; twm & firefox
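A check worth running before chasing the error upstream, added here as an example and not part of the post or of the pasted script: the script above mounts an empty tmpfs over /sys, so inside the sandbox /sys/fs/cgroup no longer exists. The probe below classifies a cgroup root by its filesystem type (cgroup2fs for v2, a tmpfs holding per-controller cgroup mounts for v1), which is the usual way to tell the versions apart; that this is exactly what the failing component does is an assumption, as are the function names cgroup_version and report. Run it once on the host and once in the script's "[-] test shell": if the host says v1 or v2 and the sandbox says none, the tmpfs over /sys is what hides the hierarchy from anything launched inside.

```shell
#!/bin/bash
# cgroup_version [DIR]  -- prints v1, v2 or none for the cgroup root DIR
# (default /sys/fs/cgroup) and returns non-zero for none.
cgroup_version() {
    dir="${1:-/sys/fs/cgroup}"
    # after "mount -t tmpfs none /sys" this directory is simply gone
    if [ ! -d "$dir" ]; then
        echo none
        return 1
    fi
    fstype=$(stat -f -c %T "$dir" 2>/dev/null) || { echo none; return 1; }
    case "$fstype" in
        cgroup2fs)
            echo v2
            ;;
        tmpfs)
            # a v1 (or hybrid) root is a tmpfs with cgroup mounts under it;
            # a bare tmpfs with no controller mounts is not a cgroup root
            for sub in "$dir"/*/; do
                if [ "$(stat -f -c %T "$sub" 2>/dev/null)" = cgroup ]; then
                    echo v1
                    return 0
                fi
            done
            echo none
            return 1
            ;;
        *)
            echo none
            return 1
            ;;
    esac
}

# report [DIR] -- one human-readable line; exit status is the probe's.
report() {
    ver=$(cgroup_version "$@")
    echo "cgroup root ${1:-/sys/fs/cgroup}: $ver"
    [ "$ver" != none ]
}

# usage: source this file, then   report          (host)
#                              or  report /sys/fs/cgroup   (inside the test shell)
```

The v1 branch deliberately requires a controller mount below the tmpfs, so a random tmpfs (the sandbox's /sys, /dev or /var/log) does not get misreported as a v1 root.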

I just figured out it's a problem with systemd and it is going to be fixed in the next version (well, a similar error): https://github.com/containers/podman/issues/7562. It would be too dangerous to install an updated systemd; is this to be fixed in the next version of Ubuntu?

Issue 7562 in containers/podman “rootless podman containers Error: unable to obtain cgroup stats:” [Closed]

I think you’re in the wrong place. This forum is specifically for the Snap Package ecosystem - i.e. the Snap Store, and Snapcraft. Ubuntu issues should go to launchpad.net or discourse.ubuntu.com.

It's caused by the snap package confinement…

The error shown there is the same issue, for a different product…

Anyway, thanks. It's going to be fixed upstream; it just might take a long time…