local-derivation-goal.cc: detect unprivileged_userns_clone failure mode

The workaround for "Some distros patch Linux" mentioned in local-derivation-goal.cc will not help in the `--option sandbox-fallback false` case. To provide the user more helpful guidance on how to get the sandbox working, let's check to see if the `/proc` node created by the aforementioned patch is present and configured in a way that will cause us problems. If so, give the user a suggestion for how to troubleshoot the problem.
2022-07-17 01:27:22 -07:00 · 2022-07-17 01:27:22 -07:00 · c8c6203c2c
parent 6fc56318bf
commit c8c6203c2c
1 changed files with 7 additions and 0 deletions
--- a/src/libstore/build/local-derivation-goal.cc
+++ b/src/libstore/build/local-derivation-goal.cc
@ -862,6 +862,13 @@ void LocalDerivationGoal::startBuilder()
                            _exit(1);
                        if (!userNamespacesEnabled && errno==EPERM)
                            warn("user namespaces appear to be disabled; they are required for sandboxing; check /proc/sys/user/max_user_namespaces");
+                        if (userNamespacesEnabled) {
+                            Path procSysKernelUnprivilegedUsernsClone = "/proc/sys/kernel/unprivileged_userns_clone";
+                            if (pathExists(procSysKernelUnprivilegedUsernsClone)
+                                && trim(readFile(procSysKernelUnprivilegedUsernsClone)) == "0") {
+                                warn("user namespaces appear to be disabled; they are required for sandboxing; check /proc/sys/kernel/unprivileged_userns_clone");
+                            }
+                        }
                        Path procSelfNsUser = "/proc/self/ns/user";
                        if (!pathExists(procSelfNsUser))
                            warn("/proc/self/ns/user does not exist; your kernel was likely built without CONFIG_USER_NS=y, which is required for sandboxing");