nspawn: make -U a tiny bit smarter

With this change -U will turn on user namespacing only if the kernel actually
supports it and otherwise gracefully degrade to non-userns mode.

diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml
index ea0c6562f8814736e7e81223a831445a40194843..bd688a0ee196473a552721296d3c3df269b78bdb 100644 (file)
--- a/man/systemd-nspawn.xml
+++ b/man/systemd-nspawn.xml
@@ -444,7 +444,9 @@
       <varlistentry>
         <term><option>-U</option></term>
 
-        <listitem><para>Equivalent to <option>--private-users=pick</option>.</para></listitem>
+        <listitem><para>If the kernel supports the user namespaces feature, equivalent to
+        <option>--private-users=pick</option>, otherwise equivalent to
+        <option>--private-users=no</option>.</para></listitem>
       </varlistentry>
 
       <varlistentry>

diff --git a/src/basic/user-util.h b/src/basic/user-util.h
index c23f1d485d5fd42c2ad4f237ab0b3921ac76e97e..8026eca3f4783c41cdfe5c8fbfc03069439ce8c9 100644 (file)
--- a/src/basic/user-util.h
+++ b/src/basic/user-util.h
@@ -21,6 +21,7 @@
 
 #include <stdbool.h>
 #include <sys/types.h>
+#include <unistd.h>
 
 bool uid_is_valid(uid_t uid);
 
@@ -63,3 +64,7 @@ int take_etc_passwd_lock(const char *root);
 
 #define PTR_TO_GID(p) ((gid_t) (((uintptr_t) (p))-1))
 #define GID_TO_PTR(u) ((void*) (((uintptr_t) (u))+1))
+
+static inline bool userns_supported(void) {
+        return access("/proc/self/uid_map", F_OK) >= 0;
+}

diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 40e3d5a3fe3c9b5d2fdc4c714754693a0972aa8b..c8a7ec71a3219a57de27890995a18831e9c12670 100644 (file)
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -866,11 +866,14 @@ static int parse_argv(int argc, char *argv[]) {
                         break;
 
                 case 'U':
-                        arg_userns_mode = USER_NAMESPACE_PICK;
-                        arg_uid_shift = UID_INVALID;
-                        arg_uid_range = UINT32_C(0x10000);
+                        if (userns_supported()) {
+                                arg_userns_mode = USER_NAMESPACE_PICK;
+                                arg_uid_shift = UID_INVALID;
+                                arg_uid_range = UINT32_C(0x10000);
+
+                                arg_settings_mask |= SETTING_USERNS;
+                        }
 
-                        arg_settings_mask |= SETTING_USERNS;
                         break;
 
                 case ARG_PRIVATE_USERS_CHOWN:
@@ -990,7 +993,7 @@ static int parse_argv(int argc, char *argv[]) {
                 return -EINVAL;
         }
 
-        if (arg_userns_mode != USER_NAMESPACE_NO && access("/proc/self/uid_map", F_OK) < 0) {
+        if (arg_userns_mode != USER_NAMESPACE_NO && !userns_supported()) {
                 log_error("--private-users= is not supported, kernel compiled without user namespace support.");
                 return -EOPNOTSUPP;
         }