From patchwork Tue Sep 25 21:21:21 2018
X-Patchwork-Submitter: DJ Delorie
X-Patchwork-Id: 974746
Date: Tue, 25 Sep 2018 17:21:21 -0400
From: DJ Delorie
To: libc-alpha@sourceware.org
Subject: [patch] add support hints to test-container

First set of hints to users as to why test-container might not work, as some distros default their user namespace policies in ways that preclude our usage.

Ok?

	* support/test-container.c (check_for_unshare_hints): New.
	(main): If unshare fails, check for hints.

diff --git a/support/test-container.c b/support/test-container.c index c56b53ed81..0f4362373b 100644 --- a/support/test-container.c +++ b/support/test-container.c 
@@ -609,6 +609,47 @@ rsync (char *src, char *dest, int and_delete) } + +/* See if we can detect what the user needs to do to get unshare + support working for us. */ +void +check_for_unshare_hints (void) +{ + FILE *f; + int i; + + /* Default Debian Linux disables user namespaces, but allows a way + to enable them. */ + f = fopen ("/proc/sys/kernel/unprivileged_userns_clone", "r"); + if (f) + { + i = 99; /* Sentinel. */ + fscanf (f, "%d", &i); + if (i == 0) + { + printf ("To enable test-container, please run this as root:\n"); + printf (" echo 1 > /proc/sys/kernel/unprivileged_userns_clone\n"); + } + fclose (f); + return; + } + + /* ALT Linux has an alternate way of doing the same. */ + f = fopen ("/proc/sys/kernel/userns_restrict", "r"); + if (f) + { + i = 99; /* Sentinel. */ + fscanf (f, "%d", &i); + if (i == 1) + { + printf ("To enable test-container, please run this as root:\n"); + printf (" echo 0 > /proc/sys/kernel/userns_restrict\n"); + } + fclose (f); + return; + } +} + int main (int argc, char **argv) { @@ -873,7 +914,11 @@ main (int argc, char **argv) /* Older kernels may not support all the options, or security policy may block this call. */ if (errno == EINVAL || errno == EPERM) - FAIL_UNSUPPORTED ("unable to unshare user/fs: %s", strerror (errno)); + { + if (errno == EPERM) + check_for_unshare_hints (); + FAIL_UNSUPPORTED ("unable to unshare user/fs: %s", strerror (errno)); + } else FAIL_EXIT1 ("unable to unshare user/fs: %s", strerror (errno)); }
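
Review bot: In check_for_unshare_hints (first hunk), both fscanf (f, "%d", &i) calls discard the return value and rely on the i = 99 sentinel to catch a failed read; testing the result directly, for example if (fscanf (f, "%d", &i) == 1 && i == 0), makes the check explicit and avoids a warning in builds that flag ignored fscanf results. The only caller shown is main in the same file, so the function can be declared static void. Both hints tell the user to perform, as root, a write that relaxes a user namespace policy the distribution set by default, so the printed text should also say that the setting is system-wide and that writing the previous value back to the same file restores it after testing.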
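
Review bot: In the main hunk, on the unshare failure path, check_for_unshare_hints () runs before FAIL_UNSUPPORTED formats strerror (errno), and the helper's fopen, fscanf, printf and fclose calls can overwrite errno. On a system where neither /proc/sys/kernel file exists, both fopen calls fail and the reported reason will most likely become "No such file or directory" instead of the EPERM text the user needs to see. Save errno in a local before the call and pass that saved value to strerror (or restore errno after the call), or have check_for_unshare_hints save and restore errno itself.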