From: Yu Watanabe Date: Thu, 24 Aug 2023 14:10:26 +0000 (+0900) Subject: core: allow to run generators without sandboxing on qemu-user X-Git-Tag: v255-rc1~565 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=468018703ce1c0f123240fb6ba9b8b0b90f12930;p=thirdparty%2Fsystemd.git core: allow to run generators without sandboxing on qemu-user When running on non-native userland architecture via systemd-nspawn and qemu-user-static QEMU-emulator, clone() with CLONE_NEWNS fails with EINVAL. Fixes #28901. [zjs: add a comment in the code] --- diff --git a/src/core/manager.c b/src/core/manager.c index 304abf4697a..7492a0b1b8c 100644 --- a/src/core/manager.c +++ b/src/core/manager.c @@ -4019,13 +4019,20 @@ static int manager_run_generators(Manager *m) { _exit(r >= 0 ? EXIT_SUCCESS : EXIT_FAILURE); } if (r < 0) { - if (!ERRNO_IS_PRIVILEGE(r)) { + if (!ERRNO_IS_PRIVILEGE(r) && r != -EINVAL) { log_error_errno(r, "Failed to fork off sandboxing environment for executing generators: %m"); goto finish; } /* Failed to fork with new mount namespace? Maybe, running in a container environment with - * seccomp or without capability. */ + * seccomp or without capability. + * + * We also allow -EINVAL to allow running without CLONE_NEWNS. + * + * Also, when running on non-native userland architecture via systemd-nspawn and + * qemu-user-static QEMU-emulator, clone() with CLONE_NEWNS fails with EINVAL, see + * https://github.com/systemd/systemd/issues/28901. + */ log_debug_errno(r, "Failed to fork off sandboxing environment for executing generators. " "Falling back to execute generators without sandboxing: %m");
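Review bot: the new `r != -EINVAL` test in the `if (r < 0)` branch of manager_run_generators() makes any EINVAL from the fork a reason to run generators unsandboxed, and the only trace is the existing `log_debug_errno(...)` call, so a loss of sandboxing caused by something other than the qemu-user case is invisible at default log levels. Consider logging the fallback at warning or notice level when `r == -EINVAL`, or at least distinguishing that case in the message, so an operator can tell that generators ran without the mount namespace. The added comment line "We also allow -EINVAL to allow running without CLONE_NEWNS." restates the condition without giving a reason; the qemu-user-static paragraph that follows it already explains the motivation, so the two could be merged into one sentence. The comment could also say that EINVAL is not specific to that environment, so that a later reader does not assume the check is narrower than it is.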