authorAdam Joseph <adam@westernsemico.com>2022-07-17 01:27:22 -0700
committerAdam Joseph <adam@westernsemico.com>2022-07-17 01:27:22 -0700
commitc8c6203c2c6912a52c5f08881c453a04e7fc3f58 (patch)
tree8019646e99f6f3dc0ff7484ec5c7f1fba97649b3
parent6fc56318bf32f715de8634c199c0fb812f813a8c (diff)
local-derivation-goal.cc: detect unprivileged_userns_clone failure mode
The workaround for "Some distros patch Linux" mentioned in local-derivation-goal.cc will not help in the `--option sandbox-fallback false` case. To provide the user more helpful guidance on how to get the sandbox working, let's check to see if the `/proc` node created by the aforementioned patch is present and configured in a way that will cause us problems. If so, give the user a suggestion for how to troubleshoot the problem.
-rw-r--r--src/libstore/build/local-derivation-goal.cc7
1 files changed, 7 insertions, 0 deletions
diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
index 1c7618045..047c5c8ea 100644
--- a/src/libstore/build/local-derivation-goal.cc
+++ b/src/libstore/build/local-derivation-goal.cc
@@ -862,6 +862,13 @@ void LocalDerivationGoal::startBuilder()
_exit(1);
if (!userNamespacesEnabled && errno==EPERM)
warn("user namespaces appear to be disabled; they are required for sandboxing; check /proc/sys/user/max_user_namespaces");
+ if (userNamespacesEnabled) {
+ Path procSysKernelUnprivilegedUsernsClone = "/proc/sys/kernel/unprivileged_userns_clone";
+ if (pathExists(procSysKernelUnprivilegedUsernsClone)
+ && trim(readFile(procSysKernelUnprivilegedUsernsClone)) == "0") {
+ warn("user namespaces appear to be disabled; they are required for sandboxing; check /proc/sys/kernel/unprivileged_userns_clone");
+ }
+ }
Path procSelfNsUser = "/proc/self/ns/user";
if (!pathExists(procSelfNsUser))
warn("/proc/self/ns/user does not exist; your kernel was likely built without CONFIG_USER_NS=y, which is required for sandboxing");
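Review bot: The added `if (userNamespacesEnabled)` block is not tied to a failed clone the way the check just above it is (`errno==EPERM`), so on a host where `/proc/sys/kernel/unprivileged_userns_clone` reads `0` the "user namespaces appear to be disabled" warning may be printed even when sandbox setup succeeded, for instance if the process is privileged and the sysctl does not restrict it. A sandbox warning that also fires on healthy builds trains operators to ignore it, so consider gating it on the failure, e.g. `if (userNamespacesEnabled && errno == EPERM) {`. `pathExists` and `readFile` can also overwrite `errno` (and `readFile` presumably throws on a read error), which would distort any later error report built from `errno`; capturing it first with `const int cloneErrno = errno;` and testing that copy avoids this. The rest of startBuilder, including how `userNamespacesEnabled` is computed and what runs after these warnings, lies outside the hunk, so this should be confirmed against the full function.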