Validation for User Namespaces in the config.

Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2015-02-18 23:14:01 -08:00 · 2015-02-18 23:14:01 -08:00 · f34b3b765f
parent d06a2dab9f
commit f34b3b765f
1 changed files with 17 additions and 0 deletions
--- a/configs/validate/config.go
+++ b/configs/validate/config.go
@ -2,6 +2,7 @@ package validate

 import (
 	"fmt"
+	"os"
 	"path/filepath"

 	"github.com/docker/libcontainer/configs"
@ -31,6 +32,9 @@ func (v *ConfigValidator) Validate(config *configs.Config) error {
 	if err := v.security(config); err != nil {
 		return err
 	}
+	if err := v.usernamespace(config); err != nil {
+		return err
+	}
 	return nil
 }

@ -74,3 +78,16 @@ func (v *ConfigValidator) security(config *configs.Config) error {
 	}
 	return nil
 }
+
+func (v *ConfigValidator) usernamespace(config *configs.Config) error {
+	if config.Namespaces.Contains(configs.NEWUSER) {
+		if _, err := os.Stat("/proc/self/ns/user"); os.IsNotExist(err) {
+			return fmt.Errorf("USER namespaces aren't enabled in the kernel")
+		}
+	} else {
+		if config.UidMappings != nil || config.GidMappings != nil {
+			return fmt.Errorf("User namespace mappings specified, but USER namespace isn't enabled in the config")
+		}
+	}
+	return nil
+}