diff options
| author | jade <lix@jade.fyi> | 2024-05-05 03:58:44 +0000 |
|---|---|---|
| committer | Gerrit Code Review <gerrit@lix-systems> | 2024-05-05 03:58:44 +0000 |
| commit | 47fb49467601f43c950abc88c835ed44733f3d8f (patch) | |
| tree | ac376bb94bf675f95105da8dbd03f8dc8d89d9be | |
| parent | fb5d6f325b1ed50ca475c1b99aee58defb09406e (diff) | |
| parent | e3b702fa2211c05ead6f030e63fc869c1b69413e (diff) | |
Merge "Actually try making a userns before assuming they don't work" into main
| -rw-r--r-- | src/libutil/namespaces.cc | 45 |
1 files changed, 23 insertions, 22 deletions
diff --git a/src/libutil/namespaces.cc b/src/libutil/namespaces.cc index f66accb10..dec3a7189 100644 --- a/src/libutil/namespaces.cc +++ b/src/libutil/namespaces.cc @@ -8,31 +8,31 @@ namespace nix { -bool userNamespacesSupported() +static void diagnoseUserNamespaces() { - static auto res = [&]() -> bool - { - if (!pathExists("/proc/self/ns/user")) { - debug("'/proc/self/ns/user' does not exist; your kernel was likely built without CONFIG_USER_NS=y"); - return false; - } + if (!pathExists("/proc/self/ns/user")) { + warn("'/proc/self/ns/user' does not exist; your kernel was likely built without CONFIG_USER_NS=y"); + } - Path maxUserNamespaces = "/proc/sys/user/max_user_namespaces"; - if (!pathExists(maxUserNamespaces) || - trim(readFile(maxUserNamespaces)) == "0") - { - debug("user namespaces appear to be disabled; check '/proc/sys/user/max_user_namespaces'"); - return false; - } + Path maxUserNamespaces = "/proc/sys/user/max_user_namespaces"; + if (!pathExists(maxUserNamespaces) || + trim(readFile(maxUserNamespaces)) == "0") + { + warn("user namespaces appear to be disabled; check '/proc/sys/user/max_user_namespaces'"); + } - Path procSysKernelUnprivilegedUsernsClone = "/proc/sys/kernel/unprivileged_userns_clone"; - if (pathExists(procSysKernelUnprivilegedUsernsClone) - && trim(readFile(procSysKernelUnprivilegedUsernsClone)) == "0") - { - debug("user namespaces appear to be disabled; check '/proc/sys/kernel/unprivileged_userns_clone'"); - return false; - } + Path procSysKernelUnprivilegedUsernsClone = "/proc/sys/kernel/unprivileged_userns_clone"; + if (pathExists(procSysKernelUnprivilegedUsernsClone) + && trim(readFile(procSysKernelUnprivilegedUsernsClone)) == "0") + { + warn("user namespaces appear to be disabled for unprivileged users; check '/proc/sys/kernel/unprivileged_userns_clone'"); + } +} +bool userNamespacesSupported() +{ + static auto res = [&]() -> bool + { try { Pid pid = startProcess([&]() { @@ -44,7 +44,8 @@ bool userNamespacesSupported() auto r = pid.wait(); assert(!r); } catch (SysError & e) { - debug("user namespaces do not work on this system: %s", e.msg()); + warn("user namespaces do not work on this system: %s", e.msg()); + diagnoseUserNamespaces(); return false; } |