diff options
author | Lennart Poettering <lennart@poettering.net> | 2016-04-22 14:10:09 +0200 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2016-04-25 12:16:02 +0200 |
commit | ccabee0d6465f06b9d339cf449fd8eea0db13373 (patch) | |
tree | d9742d9281a08fa46d9840619ba21a4746a0b30a | |
parent | man: document the new user namespacing options (diff) | |
download | systemd-ccabee0d6465f06b9d339cf449fd8eea0db13373.tar.xz systemd-ccabee0d6465f06b9d339cf449fd8eea0db13373.zip |
nspawn: make -U a tiny bit smarter
With this change -U will turn on user namespacing only if the kernel actually
supports it and otherwise gracefully degrade to non-userns mode.
-rw-r--r-- | man/systemd-nspawn.xml | 4 | ||||
-rw-r--r-- | src/basic/user-util.h | 5 | ||||
-rw-r--r-- | src/nspawn/nspawn.c | 13 |
3 files changed, 16 insertions, 6 deletions
diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml index ea0c6562f8..bd688a0ee1 100644 --- a/man/systemd-nspawn.xml +++ b/man/systemd-nspawn.xml @@ -444,7 +444,9 @@ <varlistentry> <term><option>-U</option></term> - <listitem><para>Equivalent to <option>--private-users=pick</option>.</para></listitem> + <listitem><para>If the kernel supports the user namespaces feature, equivalent to + <option>--private-users=pick</option>, otherwise equivalent to + <option>--private-users=no</option>.</para></listitem> </varlistentry> <varlistentry> diff --git a/src/basic/user-util.h b/src/basic/user-util.h index c23f1d485d..8026eca3f4 100644 --- a/src/basic/user-util.h +++ b/src/basic/user-util.h @@ -21,6 +21,7 @@ #include <stdbool.h> #include <sys/types.h> +#include <unistd.h> bool uid_is_valid(uid_t uid); @@ -63,3 +64,7 @@ int take_etc_passwd_lock(const char *root); #define PTR_TO_GID(p) ((gid_t) (((uintptr_t) (p))-1)) #define GID_TO_PTR(u) ((void*) (((uintptr_t) (u))+1)) + +static inline bool userns_supported(void) { + return access("/proc/self/uid_map", F_OK) >= 0; +} diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c index 40e3d5a3fe..c8a7ec71a3 100644 --- a/src/nspawn/nspawn.c +++ b/src/nspawn/nspawn.c @@ -866,11 +866,14 @@ static int parse_argv(int argc, char *argv[]) { break; case 'U': - arg_userns_mode = USER_NAMESPACE_PICK; - arg_uid_shift = UID_INVALID; - arg_uid_range = UINT32_C(0x10000); + if (userns_supported()) { + arg_userns_mode = USER_NAMESPACE_PICK; + arg_uid_shift = UID_INVALID; + arg_uid_range = UINT32_C(0x10000); + + arg_settings_mask |= SETTING_USERNS; + } - arg_settings_mask |= SETTING_USERNS; break; case ARG_PRIVATE_USERS_CHOWN: @@ -990,7 +993,7 @@ static int parse_argv(int argc, char *argv[]) { return -EINVAL; } - if (arg_userns_mode != USER_NAMESPACE_NO && access("/proc/self/uid_map", F_OK) < 0) { + if (arg_userns_mode != USER_NAMESPACE_NO && !userns_supported()) { log_error("--private-users= is not supported, kernel compiled without user namespace support."); return -EOPNOTSUPP; } |