add support hints to test-container

Message ID xna7o5l1da.fsf@greed.delorie.com

Commit Message

DJ Delorie Sept. 25, 2018, 9:21 p.m. UTC
  First set of hints to users as to why test-container might not work,
as some distros default their user namespace policies in ways that
preclude our usage.  Ok?

	* support/test-container.c (check_for_unshare_hints): New.
	(main): If unshare fails, check for hints.
  

Comments

Florian Weimer Sept. 26, 2018, 8:23 a.m. UTC | #1
* DJ Delorie:


> diff --git a/support/test-container.c b/support/test-container.c
> index c56b53ed81..0f4362373b 100644
> --- a/support/test-container.c
> +++ b/support/test-container.c
> @@ -609,6 +609,47 @@ rsync (char *src, char *dest, int and_delete)
>  }
>  
>  
> +
> +/* See if we can detect what the user needs to do to get unshare
> +   support working for us.  */
> +void
> +check_for_unshare_hints (void)
> +{
> +  FILE *f;
> +  int i;
> +
> +  /* Default Debian Linux disables user namespaces, but allows a way
> +     to enable them.  */
> +  f = fopen ("/proc/sys/kernel/unprivileged_userns_clone", "r");
> +  if (f)

No implicit NULL check, please.

> @@ -873,7 +914,11 @@ main (int argc, char **argv)
>        /* Older kernels may not support all the options, or security
>  	 policy may block this call.  */
>        if (errno == EINVAL || errno == EPERM)
> -	FAIL_UNSUPPORTED ("unable to unshare user/fs: %s", strerror (errno));
> +	{
> +	  if (errno == EPERM)
> +	    check_for_unshare_hints ();
> +	  FAIL_UNSUPPORTED ("unable to unshare user/fs: %s", strerror (errno));
> +	}

errno has been clobbered at this point.  You need to save its value
before calling check_for_unshare_hints.

Thanks,
Florian
  

Patch

diff --git a/support/test-container.c b/support/test-container.c
index c56b53ed81..0f4362373b 100644
--- a/support/test-container.c
+++ b/support/test-container.c
@@ -609,6 +609,47 @@  rsync (char *src, char *dest, int and_delete)
 }
 
 
+
+/* See if we can detect what the user needs to do to get unshare
+   support working for us.  */
+void
+check_for_unshare_hints (void)
+{
+  FILE *f;
+  int i;
+
+  /* Default Debian Linux disables user namespaces, but allows a way
+     to enable them.  */
+  f = fopen ("/proc/sys/kernel/unprivileged_userns_clone", "r");
+  if (f)
+    {
+      i = 99; /* Sentinel.  */
+      fscanf (f, "%d", &i);
+      if (i == 0)
+	{
+	  printf ("To enable test-container, please run this as root:\n");
+	  printf ("  echo 1 > /proc/sys/kernel/unprivileged_userns_clone\n");
+	}
+      fclose (f);
+      return;
+    }
+
+  /* ALT Linux has an alternate way of doing the same.  */
+  f = fopen ("/proc/sys/kernel/userns_restrict", "r");
+  if (f)
+    {
+      i = 99; /* Sentinel.  */
+      fscanf (f, "%d", &i);
+      if (i == 1)
+	{
+	  printf ("To enable test-container, please run this as root:\n");
+	  printf ("  echo 0 > /proc/sys/kernel/userns_restrict\n");
+	}
+      fclose (f);
+      return;
+    }
+}
+
 int
 main (int argc, char **argv)
 {
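Review bot: The hint printed by check_for_unshare_hints tells the user to flip a kernel hardening knob without saying what it does: `echo 1 > /proc/sys/kernel/unprivileged_userns_clone` enables unprivileged user namespaces for every process on the machine, and the plain `echo` form does not survive a reboot. I would follow each hint with a line such as `printf ("  (this enables unprivileged user namespaces system-wide; see sysctl.d to make it persistent)\n");` so a developer knows they are loosening a deliberate distro security default rather than a test-only switch. Two smaller points: the function should be `static` since nothing outside this file calls it, and the `fscanf` result is ignored — the 99 sentinel does cover a parse failure, but writing `if (fscanf (f, "%d", &i) == 1 && i == 0)` makes that intent explicit and avoids the unused-result warning that stdio headers may attach to fscanf.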
@@ -873,7 +914,11 @@  main (int argc, char **argv)
       /* Older kernels may not support all the options, or security
 	 policy may block this call.  */
       if (errno == EINVAL || errno == EPERM)
-	FAIL_UNSUPPORTED ("unable to unshare user/fs: %s", strerror (errno));
+	{
+	  if (errno == EPERM)
+	    check_for_unshare_hints ();
+	  FAIL_UNSUPPORTED ("unable to unshare user/fs: %s", strerror (errno));
+	}
       else
 	FAIL_EXIT1 ("unable to unshare user/fs: %s", strerror (errno));
     }