From: Luca Boccassi Date: Sat, 13 Sep 2025 11:25:08 +0000 (+0100) Subject: test: consolidate checks for unpriv nspawn support in TEST-13-NSPAWN X-Git-Tag: v258~9 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=27833c409d33d8ebf57f129a48e104d040b1f141;p=thirdparty%2Fsystemd.git test: consolidate checks for unpriv nspawn support in TEST-13-NSPAWN [ 69.058386] systemd-nspawn[4371]: varlink: Sending message: {"method":"io.systemd.NamespaceResource.AllocateUserRange","parameters":{"name":"nspawn-4371-zurps","mangleName":true,"size":65536,"userNamespaceFileDescriptor":0}} [ 69.058447] systemd-nsresourcework[4339]: varlink-6-6: Received message: {"method":"io.systemd.NamespaceResource.AllocateUserRange","parameters":{"name":"nspawn-4371-zurps","mangleName":true,"size":65536,"userNamespaceFileDescriptor":0}} [ 69.058455] systemd-nsresourcework[4339]: varlink-6-6: Changing state idle-server → processing-method [ 69.058479] systemd-nsresourcework[4339]: varlink-6-6: Sending message: {"error":"io.systemd.NamespaceResource.UserNamespaceInterfaceNotSupported","parameters":{}} [ 69.058482] systemd-nsresourcework[4339]: varlink-6-6: Changing state processing-method → processed-method [ 69.058486] systemd-nsresourcework[4339]: varlink-6-6: Changing state processed-method → idle-server [ 69.058599] systemd-nspawn[4371]: varlink: Received message: {"error":"io.systemd.NamespaceResource.UserNamespaceInterfaceNotSupported","parameters":{}} [ 69.058604] systemd-nspawn[4371]: varlink: Changing state calling → called [ 69.058609] systemd-nspawn[4371]: varlink: Changing state called → idle-client [ 69.058614] systemd-nspawn[4371]: Unprivileged user namespace delegation is not supported on this system. [ 69.058637] systemd-nsresourcework[4339]: varlink-6-6: Got POLLHUP from socket. [ 69.058647] systemd-nsresourcework[4339]: varlink-6-6: Changing state idle-server → pending-disconnect [ 69.058653] systemd-nsresourcework[4339]: varlink-6-6: Changing state pending-disconnect → processing-disconnect [ 69.058656] systemd-nsresourcework[4339]: varlink-6-6: Changing state processing-disconnect → disconnected [ 69.058698] systemd-nspawn[4371]: Failed to allocate user namespace with 64K users: Operation not supported [ 69.058779] systemd[4344]: systemd-nspawn@zurps.service: Got notification message from PID 4371: STOPPING=1, STATUS=Terminating... Follow-up for bfd356da63d9fe0720f1b5a61c527c8822c3b808 --- diff --git a/test/units/TEST-13-NSPAWN.nspawn.sh b/test/units/TEST-13-NSPAWN.nspawn.sh index 9e83137292d..13ef96ad0a6 100755 --- a/test/units/TEST-13-NSPAWN.nspawn.sh +++ b/test/units/TEST-13-NSPAWN.nspawn.sh @@ -1208,28 +1208,6 @@ EOF rm -fr "$root" } -can_do_rootless_nspawn() { - # Our create_dummy_ddi() uses squashfs and openssl. - command -v mksquashfs && - command -v openssl && - - # mountfsd must be enabled... - [[ -S /run/systemd/io.systemd.MountFileSystem ]] && - # ...and have pidfd support for unprivileged operation. - systemd-analyze compare-versions "$(uname -r)" ge 6.5 && - systemd-analyze compare-versions "$(pkcheck --version | awk '{print $3}')" ge 124 && - - # nsresourced must be enabled... - [[ -S /run/systemd/userdb/io.systemd.NamespaceResource ]] && - # ...and must support the UserNamespaceInterface. - ! (SYSTEMD_LOG_TARGET=console varlinkctl call \ - /run/systemd/userdb/io.systemd.NamespaceResource \ - io.systemd.NamespaceResource.AllocateUserRange \ - '{"name":"test-supported","size":65536,"userNamespaceFileDescriptor":0}' \ - 2>&1 || true) | - grep -q "io.systemd.NamespaceResource.UserNamespaceInterfaceNotSupported" -} - create_dummy_ddi() { local outdir="${1:?}" local container_name="${2:?}" diff --git a/test/units/TEST-13-NSPAWN.unpriv.sh b/test/units/TEST-13-NSPAWN.unpriv.sh index db58b09291e..03af7ebc9cc 100755 --- a/test/units/TEST-13-NSPAWN.unpriv.sh +++ b/test/units/TEST-13-NSPAWN.unpriv.sh @@ -7,12 +7,7 @@ set -o pipefail # shellcheck source=test/units/util.sh . "$(dirname "$0")"/util.sh -if [[ ! -f /usr/lib/systemd/system/systemd-mountfsd.socket ]] || - [[ ! -f /usr/lib/systemd/system/systemd-nsresourced.socket ]] || - ! grep -q bpf /sys/kernel/security/lsm || - ! find /usr/lib* -name libbpf.so.1 2>/dev/null | grep . || - systemd-analyze compare-versions "$(uname -r)" lt 6.5 || - systemd-analyze compare-versions "$(pkcheck --version | awk '{print $3}')" lt 124; then +if ! can_do_rootless_nspawn; then echo "Skipping unpriv nspawn test" exit 0 fi @@ -25,8 +20,6 @@ at_exit() { trap at_exit EXIT -systemctl start systemd-mountfsd.socket systemd-nsresourced.socket - run0 -u testuser mkdir -p .local/state/machines create_dummy_container /home/testuser/.local/state/machines/zurps diff --git a/test/units/util.sh b/test/units/util.sh index bc3c1651a7d..65f2d0b2e31 100755 --- a/test/units/util.sh +++ b/test/units/util.sh @@ -186,6 +186,36 @@ create_dummy_container() { coverage_create_nspawn_dropin "$root" } +can_do_rootless_nspawn() { + # Our create_dummy_ddi() uses squashfs and openssl. + command -v mksquashfs && + command -v openssl && + + # Need to have bpf-lsm + grep -q bpf /sys/kernel/security/lsm && + # ...and libbpf installed + find /usr/lib* -name "libbpf.so.*" 2>/dev/null | grep -q . && + + # Ensure mountfsd/nsresourced are listening + systemctl start systemd-mountfsd.socket systemd-nsresourced.socket && + + # mountfsd must be enabled... + [[ -S /run/systemd/io.systemd.MountFileSystem ]] && + # ...and have pidfd support for unprivileged operation. + systemd-analyze compare-versions "$(uname -r)" ge 6.5 && + systemd-analyze compare-versions "$(pkcheck --version | awk '{print $3}')" ge 124 && + + # nsresourced must be enabled... + [[ -S /run/systemd/userdb/io.systemd.NamespaceResource ]] && + # ...and must support the UserNamespaceInterface. + ! (SYSTEMD_LOG_TARGET=console varlinkctl call \ + /run/systemd/userdb/io.systemd.NamespaceResource \ + io.systemd.NamespaceResource.AllocateUserRange \ + '{"name":"test-supported","size":65536,"userNamespaceFileDescriptor":0}' \ + 2>&1 || true) | + grep -q "io.systemd.NamespaceResource.UserNamespaceInterfaceNotSupported" +} + # Bump the reboot counter and call systemctl with the given arguments systemctl_final() { local counter