summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2016-04-22 14:10:09 +0200
committerLennart Poettering <lennart@poettering.net>2016-04-25 12:16:02 +0200
commitccabee0d6465f06b9d339cf449fd8eea0db13373 (patch)
treed9742d9281a08fa46d9840619ba21a4746a0b30a
parentman: document the new user namespacing options (diff)
downloadsystemd-ccabee0d6465f06b9d339cf449fd8eea0db13373.tar.xz
systemd-ccabee0d6465f06b9d339cf449fd8eea0db13373.zip
nspawn: make -U a tiny bit smarter
With this change -U will turn on user namespacing only if the kernel actually supports it and otherwise gracefully degrade to non-userns mode.
-rw-r--r--man/systemd-nspawn.xml4
-rw-r--r--src/basic/user-util.h5
-rw-r--r--src/nspawn/nspawn.c13
3 files changed, 16 insertions, 6 deletions
diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml
index ea0c6562f8..bd688a0ee1 100644
--- a/man/systemd-nspawn.xml
+++ b/man/systemd-nspawn.xml
@@ -444,7 +444,9 @@
<varlistentry>
<term><option>-U</option></term>
- <listitem><para>Equivalent to <option>--private-users=pick</option>.</para></listitem>
+ <listitem><para>If the kernel supports the user namespaces feature, equivalent to
+ <option>--private-users=pick</option>, otherwise equivalent to
+ <option>--private-users=no</option>.</para></listitem>
</varlistentry>
<varlistentry>
diff --git a/src/basic/user-util.h b/src/basic/user-util.h
index c23f1d485d..8026eca3f4 100644
--- a/src/basic/user-util.h
+++ b/src/basic/user-util.h
@@ -21,6 +21,7 @@
#include <stdbool.h>
#include <sys/types.h>
+#include <unistd.h>
bool uid_is_valid(uid_t uid);
@@ -63,3 +64,7 @@ int take_etc_passwd_lock(const char *root);
#define PTR_TO_GID(p) ((gid_t) (((uintptr_t) (p))-1))
#define GID_TO_PTR(u) ((void*) (((uintptr_t) (u))+1))
+
+static inline bool userns_supported(void) {
+ return access("/proc/self/uid_map", F_OK) >= 0;
+}
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 40e3d5a3fe..c8a7ec71a3 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -866,11 +866,14 @@ static int parse_argv(int argc, char *argv[]) {
break;
case 'U':
- arg_userns_mode = USER_NAMESPACE_PICK;
- arg_uid_shift = UID_INVALID;
- arg_uid_range = UINT32_C(0x10000);
+ if (userns_supported()) {
+ arg_userns_mode = USER_NAMESPACE_PICK;
+ arg_uid_shift = UID_INVALID;
+ arg_uid_range = UINT32_C(0x10000);
+
+ arg_settings_mask |= SETTING_USERNS;
+ }
- arg_settings_mask |= SETTING_USERNS;
break;
case ARG_PRIVATE_USERS_CHOWN:
@@ -990,7 +993,7 @@ static int parse_argv(int argc, char *argv[]) {
return -EINVAL;
}
- if (arg_userns_mode != USER_NAMESPACE_NO && access("/proc/self/uid_map", F_OK) < 0) {
+ if (arg_userns_mode != USER_NAMESPACE_NO && !userns_supported()) {
log_error("--private-users= is not supported, kernel compiled without user namespace support.");
return -EOPNOTSUPP;
}