author | Eelco Dolstra <edolstra@gmail.com> | 2023-01-25 17:31:27 +0100 |
---|---|---|
committer | Eelco Dolstra <edolstra@gmail.com> | 2023-02-07 22:51:53 +0100 |
commit | fb2f7f5dcc6b37a4f39f59d9f477d3fa57d79095 (patch) | |
tree | dfe12a07aa527267b338023c537b1efa07272982 /src/libutil/namespaces.hh | |
parent | 1ba13b17db1d2ff4342b41cbd610b76060582335 (diff) |
Fix auto-uid-allocation in Docker containers
This didn't work because sandboxing doesn't work in Docker. However,
the sandboxing check is done lazily - after clone(CLONE_NEWNS) fails,
we retry with sandboxing disabled. But at that point, we've already
done UID allocation under the assumption that user namespaces are
enabled.
So let's get rid of the "goto fallback" logic and just detect early
whether user / mount namespaces are enabled.
This commit also gets rid of a compatibility hack for some ancient
Linux kernels (<2.13).
Diffstat (limited to 'src/libutil/namespaces.hh')
-rw-r--r-- | src/libutil/namespaces.hh | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/src/libutil/namespaces.hh b/src/libutil/namespaces.hh new file mode 100644 index 000000000..4ed6cb683 --- /dev/null +++ b/src/libutil/namespaces.hh @@ -0,0 +1,9 @@ +#pragma once + +namespace nix { + +bool userNamespacesSupported(); + +bool mountNamespacesSupported(); + +} |
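Review bot: the two declarations in the new header, `bool userNamespacesSupported();` and `bool mountNamespacesSupported();`, carry no documentation, so a caller cannot tell from the header what is being probed, whether the result is computed once and cached or re-probed on every call, or what the functions return on a platform where the probe cannot be run at all. Since the commit message says these checks replace the lazy "goto fallback" path and are meant to decide up front whether sandboxing is possible, a one-line comment above each declaration stating the meaning of `true` (for example "user namespaces can be created by this process") and the caching behaviour would make the contract explicit and avoid callers treating a transient probe failure as a permanent answer, or vice versa.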