[ 69.058386] systemd-nspawn[4371]: varlink: Sending message: {"method":"io.systemd.NamespaceResource.AllocateUserRange","parameters":{"name":"nspawn-4371-zurps","mangleName":true,"size":65536,"userNamespaceFileDescriptor":0}}
[ 69.058447] systemd-nsresourcework[4339]: varlink-6-6: Received message: {"method":"io.systemd.NamespaceResource.AllocateUserRange","parameters":{"name":"nspawn-4371-zurps","mangleName":true,"size":65536,"userNamespaceFileDescriptor":0}}
[ 69.058455] systemd-nsresourcework[4339]: varlink-6-6: Changing state idle-server → processing-method
[ 69.058479] systemd-nsresourcework[4339]: varlink-6-6: Sending message: {"error":"io.systemd.NamespaceResource.UserNamespaceInterfaceNotSupported","parameters":{}}
[ 69.058482] systemd-nsresourcework[4339]: varlink-6-6: Changing state processing-method → processed-method
[ 69.058486] systemd-nsresourcework[4339]: varlink-6-6: Changing state processed-method → idle-server
[ 69.058599] systemd-nspawn[4371]: varlink: Received message: {"error":"io.systemd.NamespaceResource.UserNamespaceInterfaceNotSupported","parameters":{}}
[ 69.058604] systemd-nspawn[4371]: varlink: Changing state calling → called
[ 69.058609] systemd-nspawn[4371]: varlink: Changing state called → idle-client
[ 69.058614] systemd-nspawn[4371]: Unprivileged user namespace delegation is not supported on this system.
[ 69.058637] systemd-nsresourcework[4339]: varlink-6-6: Got POLLHUP from socket.
[ 69.058647] systemd-nsresourcework[4339]: varlink-6-6: Changing state idle-server → pending-disconnect
[ 69.058653] systemd-nsresourcework[4339]: varlink-6-6: Changing state pending-disconnect → processing-disconnect
[ 69.058656] systemd-nsresourcework[4339]: varlink-6-6: Changing state processing-disconnect → disconnected
[ 69.058698] systemd-nspawn[4371]: Failed to allocate user namespace with 64K users: Operation not supported
[ 69.058779] systemd[4344]: systemd-nspawn@zurps.service: Got notification message from PID 4371: STOPPING=1, STATUS=Terminating...
Follow-up for
bfd356da63d9fe0720f1b5a61c527c8822c3b808
rm -fr "$root"
}
-can_do_rootless_nspawn() {
- # Our create_dummy_ddi() uses squashfs and openssl.
- command -v mksquashfs &&
- command -v openssl &&
-
- # mountfsd must be enabled...
- [[ -S /run/systemd/io.systemd.MountFileSystem ]] &&
- # ...and have pidfd support for unprivileged operation.
- systemd-analyze compare-versions "$(uname -r)" ge 6.5 &&
- systemd-analyze compare-versions "$(pkcheck --version | awk '{print $3}')" ge 124 &&
-
- # nsresourced must be enabled...
- [[ -S /run/systemd/userdb/io.systemd.NamespaceResource ]] &&
- # ...and must support the UserNamespaceInterface.
- ! (SYSTEMD_LOG_TARGET=console varlinkctl call \
- /run/systemd/userdb/io.systemd.NamespaceResource \
- io.systemd.NamespaceResource.AllocateUserRange \
- '{"name":"test-supported","size":65536,"userNamespaceFileDescriptor":0}' \
- 2>&1 || true) |
- grep -q "io.systemd.NamespaceResource.UserNamespaceInterfaceNotSupported"
-}
-
create_dummy_ddi() {
local outdir="${1:?}"
local container_name="${2:?}"
# shellcheck source=test/units/util.sh
. "$(dirname "$0")"/util.sh
-if [[ ! -f /usr/lib/systemd/system/systemd-mountfsd.socket ]] ||
- [[ ! -f /usr/lib/systemd/system/systemd-nsresourced.socket ]] ||
- ! grep -q bpf /sys/kernel/security/lsm ||
- ! find /usr/lib* -name libbpf.so.1 2>/dev/null | grep . ||
- systemd-analyze compare-versions "$(uname -r)" lt 6.5 ||
- systemd-analyze compare-versions "$(pkcheck --version | awk '{print $3}')" lt 124; then
+if ! can_do_rootless_nspawn; then
echo "Skipping unpriv nspawn test"
exit 0
fi
trap at_exit EXIT
-systemctl start systemd-mountfsd.socket systemd-nsresourced.socket
-
run0 -u testuser mkdir -p .local/state/machines
create_dummy_container /home/testuser/.local/state/machines/zurps
coverage_create_nspawn_dropin "$root"
}
+can_do_rootless_nspawn() {
+ # Our create_dummy_ddi() uses squashfs and openssl.
+ command -v mksquashfs &&
+ command -v openssl &&
+
+ # Need to have bpf-lsm
+ grep -q bpf /sys/kernel/security/lsm &&
+ # ...and libbpf installed
+ find /usr/lib* -name "libbpf.so.*" 2>/dev/null | grep -q . &&
+
+ # Ensure mountfsd/nsresourced are listening
+ systemctl start systemd-mountfsd.socket systemd-nsresourced.socket &&
+
+ # mountfsd must be enabled...
+ [[ -S /run/systemd/io.systemd.MountFileSystem ]] &&
+ # ...and have pidfd support for unprivileged operation.
+ systemd-analyze compare-versions "$(uname -r)" ge 6.5 &&
+ systemd-analyze compare-versions "$(pkcheck --version | awk '{print $3}')" ge 124 &&
+
+ # nsresourced must be enabled...
+ [[ -S /run/systemd/userdb/io.systemd.NamespaceResource ]] &&
+ # ...and must support the UserNamespaceInterface.
+ ! (SYSTEMD_LOG_TARGET=console varlinkctl call \
+ /run/systemd/userdb/io.systemd.NamespaceResource \
+ io.systemd.NamespaceResource.AllocateUserRange \
+ '{"name":"test-supported","size":65536,"userNamespaceFileDescriptor":0}' \
+ 2>&1 || true) |
+ grep -q "io.systemd.NamespaceResource.UserNamespaceInterfaceNotSupported"
+}
+
# Bump the reboot counter and call systemctl with the given arguments
systemctl_final() {
local counter
projects / thirdparty / systemd.git / commitdiff
