From b774fb7f002c9877391e8d4fe8e6b6d0ea8647da Mon Sep 17 00:00:00 2001
From: Djalal Harouni
Date: Tue, 16 Jun 2015 17:30:45 +0100
Subject: nspawn: check if kernel supports userns as early as possible

If the kernel do not support user namespace then one of the children created by nspawn parent will fail at clone(CLONE_NEWUSER) with the generic error EINVAL and without logging the error. At the same time the parent may also try to setup the user namespace and will fail with another error. To improve this, check if the kernel supports user namespace as early as possible.
---
 src/nspawn/nspawn.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index eea994d0b3..3c31629d1e 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -1013,6 +1013,9 @@ static int parse_argv(int argc, char *argv[]) {
 return -EINVAL;
 }
 
+ if (arg_userns && access("/proc/self/uid_map", F_OK) < 0)
+ return log_error_errno(EOPNOTSUPP, "--private-users= is not supported, kernel compiled without user namespace support.");
+
 arg_retain = (arg_retain | plus | (arg_private_network ? 1ULL << CAP_NET_ADMIN : 0)) & ~minus;
 
 if (arg_boot && arg_kill_signal <= 0)
-- 
cgit v1.2.3-54-g00ecf
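Review bot: The added check in parse_argv() reports every access() failure as "kernel compiled without user namespace support", although access("/proc/self/uid_map", F_OK) also fails when /proc is not mounted or not reachable, and errno is discarded. Only ENOENT indicates missing support, so I would handle the other cases first with `if (errno != ENOENT) return log_error_errno(errno, "Failed to check for user namespace support: %m");` inside the branch and keep the EOPNOTSUPP message for ENOENT. The file's presence shows only that the kernel was built with user namespaces, not that creating one will succeed at runtime, so the clone(CLONE_NEWUSER) path described in the commit message (outside this hunk) presumably still needs to log its own errno. parse_argv() begins and ends outside the hunk.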