Ignore EPERM when unsharing FS state

On Docker (but not podman), unshare(CLONE_FS) fails with EPERM. So let's ignore it and hope nothing bad happens. Attempted fix for #5777.
NixOS · Dec 16, 2021 · ec8f24e · ec8f24e
1 parent c260640
commit ec8f24e
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 7 deletions.
diff --git a/src/libstore/filetransfer.cc b/src/libstore/filetransfer.cc
@@ -544,13 +544,7 @@ struct curlFileTransfer : public FileTransfer
             stopWorkerThread();
         });
 
-#ifdef __linux__
-        /* Cause this thread to not share any FS attributes with the main thread,
-           because this causes setns() in restoreMountNamespace() to fail.
-           Ideally, this would happen in the std::thread() constructor. */
-        if (unshare(CLONE_FS) != 0)
-            throw SysError("unsharing filesystem state in download thread");
-#endif
+        unshareFilesystem();
 
         std::map<CURL *, std::shared_ptr<TransferItem>> items;
 

diff --git a/src/libutil/util.cc b/src/libutil/util.cc
@@ -1660,6 +1660,14 @@ void restoreMountNamespace()
 #endif
 }
 
+void unshareFilesystem()
+{
+#ifdef __linux__
+    if (unshare(CLONE_FS) != 0 && errno != EPERM)
+        throw SysError("unsharing filesystem state in download thread");
+#endif
+}
+
 void restoreProcessContext(bool restoreMounts)
 {
     restoreSignals();

diff --git a/src/libutil/util.hh b/src/libutil/util.hh
@@ -311,6 +311,11 @@ void saveMountNamespace();
    if saveMountNamespace() was never called. */
 void restoreMountNamespace();
 
+/* Cause this thread to not share any FS attributes with the main
+   thread, because this causes setns() in restoreMountNamespace() to
+   fail. */
+void unshareFilesystem();
+
 
 class ExecError : public Error
 {