nspawn: check if kernel supports userns as early as possible

If the kernel do not support user namespace then one of the children
created by nspawn parent will fail at clone(CLONE_NEWUSER) with the
generic error EINVAL and without logging the error. At the same time
the parent may also try to setup the user namespace and will fail with
another error.

To improve this, check if the kernel supports user namespace as early
as possible.

diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index eea994d0b374cc64e9d1b16a5d8ceecb29a84b65..3c31629d1e919c3bf86ae8c36b23eef12e0cdd37 100644 (file)
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -1013,6 +1013,9 @@ static int parse_argv(int argc, char *argv[]) {
                 return -EINVAL;
         }
 
+        if (arg_userns && access("/proc/self/uid_map", F_OK) < 0)
+                return log_error_errno(EOPNOTSUPP, "--private-users= is not supported, kernel compiled without user namespace support.");
+
         arg_retain = (arg_retain | plus | (arg_private_network ? 1ULL << CAP_NET_ADMIN : 0)) & ~minus;
 
         if (arg_boot && arg_kill_signal <= 0)