local-derivation-goal.cc: detect unprivileged_userns_clone failure mode

The workaround for "Some distros patch Linux" mentioned in
local-derivation-goal.cc will not help in the `--option
sandbox-fallback false` case.  To provide the user more helpful
guidance on how to get the sandbox working, let's check to see if the
`/proc` node created by the aforementioned patch is present and
configured in a way that will cause us problems.  If so, give the user
a suggestion for how to troubleshoot the problem.
This commit is contained in:
Adam Joseph 2022-07-17 01:27:22 -07:00
parent 6fc56318bf
commit c8c6203c2c

View file

@ -862,6 +862,13 @@ void LocalDerivationGoal::startBuilder()
_exit(1); _exit(1);
if (!userNamespacesEnabled && errno==EPERM) if (!userNamespacesEnabled && errno==EPERM)
warn("user namespaces appear to be disabled; they are required for sandboxing; check /proc/sys/user/max_user_namespaces"); warn("user namespaces appear to be disabled; they are required for sandboxing; check /proc/sys/user/max_user_namespaces");
if (userNamespacesEnabled) {
Path procSysKernelUnprivilegedUsernsClone = "/proc/sys/kernel/unprivileged_userns_clone";
if (pathExists(procSysKernelUnprivilegedUsernsClone)
&& trim(readFile(procSysKernelUnprivilegedUsernsClone)) == "0") {
warn("user namespaces appear to be disabled; they are required for sandboxing; check /proc/sys/kernel/unprivileged_userns_clone");
}
}
Path procSelfNsUser = "/proc/self/ns/user"; Path procSelfNsUser = "/proc/self/ns/user";
if (!pathExists(procSelfNsUser)) if (!pathExists(procSelfNsUser))
warn("/proc/self/ns/user does not exist; your kernel was likely built without CONFIG_USER_NS=y, which is required for sandboxing"); warn("/proc/self/ns/user does not exist; your kernel was likely built without CONFIG_USER_NS=y, which is required for sandboxing");