local-derivation-goal.cc: detect unprivileged_userns_clone failure mode
The workaround for "Some distros patch Linux" mentioned in local-derivation-goal.cc will not help in the `--option sandbox-fallback false` case. To provide the user more helpful guidance on how to get the sandbox working, let's check to see if the `/proc` node created by the aforementioned patch is present and configured in a way that will cause us problems. If so, give the user a suggestion for how to troubleshoot the problem.
parent
6fc56318bf
commit
c8c6203c2c
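--- a/local-derivation-goal.cc
+++ b/local-derivation-goal.cc
@@ -862,6 +862,13 @@ void LocalDerivationGoal::startBuilder()
 _exit(1);
 if (!userNamespacesEnabled && errno==EPERM)
 warn("user namespaces appear to be disabled; they are required for sandboxing; check /proc/sys/user/max_user_namespaces");
+if (userNamespacesEnabled) {
+Path procSysKernelUnprivilegedUsernsClone = "/proc/sys/kernel/unprivileged_userns_clone";
+if (pathExists(procSysKernelUnprivilegedUsernsClone)
+&& trim(readFile(procSysKernelUnprivilegedUsernsClone)) == "0") {
+warn("user namespaces appear to be disabled; they are required for sandboxing; check /proc/sys/kernel/unprivileged_userns_clone");
+}
+}
 Path procSelfNsUser = "/proc/self/ns/user";
 if (!pathExists(procSelfNsUser))
 warn("/proc/self/ns/user does not exist; your kernel was likely built without CONFIG_USER_NS=y, which is required for sandboxing");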
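Review bot: The added `readFile(procSysKernelUnprivilegedUsernsClone)` call sits on a diagnostic-only path, and if it throws on a failed read (as Nix's file helpers generally do) the exception would replace the clone failure this block is meant to explain. Wrapping the probe in a `try { ... } catch (Error &) { }`, or otherwise treating an unreadable node as "unknown", keeps the hint best-effort. The new branch also fires for any failure while `userNamespacesEnabled` is true, whereas the sibling check just above is limited to `errno==EPERM`; gating it the same way, `if (userNamespacesEnabled && errno == EPERM) {`, would avoid a misleading hint for unrelated errors. Since `userNamespacesEnabled` is true in this branch, the message could say "unprivileged user namespaces appear to be disabled" so it does not contradict the earlier probe. The rest of `startBuilder()` lies outside the hunk, so whether later code still reads `errno` after these calls cannot be confirmed from here.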