add support hints to test-container
Commit Message
First set of hints to users as to why test-container might not work,
as some distros default their user namespace policies in ways that
preclude our usage. Ok?
* support/test-container.c (check_for_unshare_hints): New.
(main): If unshare fails, check for hints.
Comments
* DJ Delorie:
> diff --git a/support/test-container.c b/support/test-container.c
> index c56b53ed81..0f4362373b 100644
> --- a/support/test-container.c
> +++ b/support/test-container.c
> @@ -609,6 +609,47 @@ rsync (char *src, char *dest, int and_delete)
> }
>
>
> +
> +/* See if we can detect what the user needs to do to get unshare
> + support working for us. */
> +void
> +check_for_unshare_hints (void)
> +{
> + FILE *f;
> + int i;
> +
> + /* Default Debian Linux disables user namespaces, but allows a way
> + to enable them. */
> + f = fopen ("/proc/sys/kernel/unprivileged_userns_clone", "r");
> + if (f)
No implicit NULL check, please.
> @@ -873,7 +914,11 @@ main (int argc, char **argv)
> /* Older kernels may not support all the options, or security
> policy may block this call. */
> if (errno == EINVAL || errno == EPERM)
> - FAIL_UNSUPPORTED ("unable to unshare user/fs: %s", strerror (errno));
> + {
> + if (errno == EPERM)
> + check_for_unshare_hints ();
> + FAIL_UNSUPPORTED ("unable to unshare user/fs: %s", strerror (errno));
> + }
errno has been clobbered at this point. You need to save its value
before calling check_for_unshare_hints.
Thanks,
Florian
@@ -609,6 +609,47 @@ rsync (char *src, char *dest, int and_delete)
}
+
+/* See if we can detect what the user needs to do to get unshare
+ support working for us. */
+void
+check_for_unshare_hints (void)
+{
+ FILE *f;
+ int i;
+
+ /* Default Debian Linux disables user namespaces, but allows a way
+ to enable them. */
+ f = fopen ("/proc/sys/kernel/unprivileged_userns_clone", "r");
+ if (f)
+ {
+ i = 99; /* Sentinel. */
+ fscanf (f, "%d", &i);
+ if (i == 0)
+ {
+ printf ("To enable test-container, please run this as root:\n");
+ printf (" echo 1 > /proc/sys/kernel/unprivileged_userns_clone\n");
+ }
+ fclose (f);
+ return;
+ }
+
+ /* ALT Linux has an alternate way of doing the same. */
+ f = fopen ("/proc/sys/kernel/userns_restrict", "r");
+ if (f)
+ {
+ i = 99; /* Sentinel. */
+ fscanf (f, "%d", &i);
+ if (i == 1)
+ {
+ printf ("To enable test-container, please run this as root:\n");
+ printf (" echo 0 > /proc/sys/kernel/userns_restrict\n");
+ }
+ fclose (f);
+ return;
+ }
+}
+
int
main (int argc, char **argv)
{
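Review bot: Both hints in check_for_unshare_hints tell the user to write a kernel sysctl as root (`echo 1 > /proc/sys/kernel/unprivileged_userns_clone` and `echo 0 > /proc/sys/kernel/userns_restrict`) without saying that this lifts the distribution's restriction on unprivileged user namespaces for every user on the machine, not only for the test run. I would add one line after each command, e.g. `printf ("This enables unprivileged user namespaces system-wide until the next reboot.\n");`, so that someone running the testsuite on a shared or hardened host can decide knowingly and restore the previous value afterwards. Separately, the function appears to be called only from main in this file, so it should be declared `static void`.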
@@ -873,7 +914,11 @@ main (int argc, char **argv)
/* Older kernels may not support all the options, or security
policy may block this call. */
if (errno == EINVAL || errno == EPERM)
- FAIL_UNSUPPORTED ("unable to unshare user/fs: %s", strerror (errno));
+ {
+ if (errno == EPERM)
+ check_for_unshare_hints ();
+ FAIL_UNSUPPORTED ("unable to unshare user/fs: %s", strerror (errno));
+ }
else
FAIL_EXIT1 ("unable to unshare user/fs: %s", strerror (errno));
}