TEST-07-PID1.delegate-namespaces: Fix testcase_pid()

Make sure the test has its own /proc and skip it in containers as
MountAPIVFS=yes in a container always results in a read-only /proc/sys
which means the test can't write to /proc/sys/kernel/ns_last_pid.

diff --git a/test/units/TEST-07-PID1.delegate-namespaces.sh b/test/units/TEST-07-PID1.delegate-namespaces.sh
index 8eb9956c2e72c3d3ba33b14d1812fd0ce9d063af..061a7cf5b2065f8b42c2aafa06e6353880c3c5fc 100755 (executable)
--- a/test/units/TEST-07-PID1.delegate-namespaces.sh
+++ b/test/units/TEST-07-PID1.delegate-namespaces.sh
@@ -41,8 +41,12 @@ testcase_cgroup() {
 }
 
 testcase_pid() {
-    (! systemd-run -p PrivateUsersEx=self -p PrivatePIDs=yes --wait --pipe -- sh -c 'echo 5 >/proc/sys/kernel/ns_last_pid')
-    systemd-run -p PrivateUsersEx=self -p PrivatePIDs=yes -p DelegateNamespaces=pid --wait --pipe -- sh -c 'echo 5 >/proc/sys/kernel/ns_last_pid'
+    # MountAPIVFS=yes always bind mounts child mounts of APIVFS filesystems, which means /proc/sys is always read-only
+    # so we can't write to it when running in a container.
+    if ! systemd-detect-virt --container; then
+        (! systemd-run -p PrivateUsersEx=self -p PrivatePIDs=yes -p MountAPIVFS=yes --wait --pipe -- sh -c 'echo 5 >/proc/sys/kernel/ns_last_pid')
+        systemd-run -p PrivateUsersEx=self -p PrivatePIDs=yes -p MountAPIVFS=yes -p DelegateNamespaces="mnt pid" --wait --pipe -- sh -c 'echo 5 >/proc/sys/kernel/ns_last_pid'
+    fi
 }
 
 testcase_uts() {