Thomas Haller <thaller@xxxxxxxxxx> wrote:

> + UNSHARE=( unshare -f -p --mount-proc -U --map-root-user -n )
> + if ! "${UNSHARE[@]}" true ; then
> + # Try without PID namespace.
> + UNSHARE=( unshare -f -U --map-root-user -n )
> + if ! "${UNSHARE[@]}" true ; then
> + msg_error "Unshare does not work. Rerun with -U/--no-unshare or NFT_TEST_NO_UNSHARE=y"

This will always fail here due to user.max_user_namespaces=0 in sysctl.cfg.

So please add a fallback to plain unshare -n or only use unpriv userns if
the script isn't called with uid 0.

> msg_info "[EXECUTING] $testfile"
> - test_output=$(NFT="$NFT" DIFF=$DIFF ${testfile} 2>&1)
> + test_output=$(NFT="$NFT" DIFF=$DIFF "${UNSHARE[@]}" "$testfile" 2>&1)
> rc_got=$?

This is more complicated because we'll also need to collect the ruleset dump
from within the temporary ns.

Once all of that works you can remove kernel_cleanup().
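Review bot: both probes in the first hunk let unshare print its own error to the terminal, so on a kernel where only the first variant is refused the user sees a failure message from `"${UNSHARE[@]}" true` even though the fallback `UNSHARE=( unshare -f -U --map-root-user -n )` then succeeds; silence the probes with `2>/dev/null` and have the final msg_error include unshare's actual error text, so the reader learns which namespace type was refused instead of only the -U/--no-unshare hint.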
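Review bot: in the second hunk the existing `2>&1` now also captures unshare's own stderr, so if unshare fails for the real invocation (the probes only exercised `true`, not a test that forks helpers or reads /proc), its error message ends up in test_output and is compared as if the test had printed it, while rc_got cannot distinguish an unshare failure from a test that exited 1; keeping unshare's stderr out of the captured output, or checking for the unshare error string before the diff, would make such failures recognizable. The change from `${testfile}` to `"$testfile"` is a correct quoting fix and should stay.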